- Issue created by @andypost
- Status changed to Needs review
about 2 years ago 8:35pm 7 April 2023 - π«π·France andypost
I'm sure this clean-up could be backported to 9.5
- π«π·France andypost
For role names escaping was added in #2560863: #options for radios and checkboxes uses SafeMarkup::checkPlain() to escape - use Html::escape() instead β other places in #2545972: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping β
The last submitted patch, 2: 3352972-2.patch, failed testing. View results β
- Status changed to Needs work
about 2 years ago 10:32pm 7 April 2023 - π«π·France andypost
Able to reproduce failures
- admin/structure/views/nojs/display/frontpage/page_1/display_title (set name to
<em>Page</em>and save frontpage view
- admin/structure/views/nojs/display/frontpage/feed_1/displays should display escapedHere's how it looks
- Status changed to Needs review
about 2 years ago 10:33pm 7 April 2023 - Assigned to Lendude
- π«π·France andypost
@Lendude I'm sure it needs your approval and roles like displays can have names with markup
- last update
about 2 years ago 29,401 pass - Status changed to Needs work
about 2 years ago 11:00pm 30 May 2023 - πΊπΈUnited States smustgrave
Tried testing on 11.x
Able to replicate the issue following #6
But after applying the patch issue still shows. - First commit to issue fork.
- π«π·France prudloff Lille
I rebased the latest patch and tests are green.
But I did some manual testing and I think escaping the options is still needed.For example if I create a role named
<b>foo</b>then browse to /admin/config/content/formats/manage/basic_html.
Without the patch:
With the patch:
I think we automatically sanitize #options by calling Xss::filter() on it (which removes dangerous markup) so not escaping the options would not be dangerous but role names are not really supposed to contain HTML so interpreting it here could be confusing for admins.
So I think this could be closed as wontfix.
@smustgrave I think #6 is about explaining a test failure, not steps to reproduce this issue.
The test failed because the previous patch removed escaping in Attachment.php and Feed.php which causes a breaking change.
(I did not keep changes to these files in the MR.)
