Only first element tag in configuration form is rendered in title on Drupal 10.2

Created on 8 January 2024, 12 months ago
Updated 4 February 2024, 11 months ago

Problem/Motivation

Having upgraded our site to Drupal 10.2, we noticed that only the first element in the configuration is added to the allowed tags. Have also verified this using simplytest with a clean install.

Steps to reproduce

Clean install of Drupal 10.2
Enable html_title
Add following to the configuration form: <sup> <sub> <span>
Create a new basic page and add the following to the title: Test title HO
Publish page
See that the sup element is rendered correctly, but the sub element is not.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Fixed

Version

1.4

Component

Code

Created by

🇬🇧United Kingdom jonnyhocks

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @jonnyhocks
  • 🇮🇳India sidharth_soman Bangalore

    I was able to reproduce the error following the steps. I did some debugging and found that the return array ($tags) in HtmlTitleFilter::getAllowedTags() only contains the 'sup' element. It should contain all three tags in the config.

    I need to look through it more to understand why this happens. I suspect there's something buggy with the fetching of the body child nodes right above.

    You can add something hacky like this to work around the issue for now, but I'll try to provide a better solution if I do find it:

    ...
    $tags[] = 'sub';
    $tags[] = 'span';
    return $tags;
    }
    
  • Status changed to Needs review 12 months ago
  • Status changed to Active 12 months ago
  • 🇬🇧United Kingdom jonnyhocks

    I did think about something along the lines of #3 but then thought that isn't an ideal scenario as this module filters markup to prevent XSS vulnerabilities as stated in the project description.

    The change in patch #3 looks like it removes that safety net.

    One other thing I noticed in my debugging was that it looks like this line doesn't include the correct amount of nodes in the DOMNodeList object after upgrading to 10.2:

    $body_child_nodes = Html::load($html)->getElementsByTagName('body')->item(0)->childNodes;

    If I change it to the following (using a wildcard rather than 'body') then it returns the tags specified in the configuration form, but because it's loading all nodes you also get 'html', 'body' etc:

    $body_child_nodes = Html::load($html)->getElementsByTagName('*')->item(0)->childNodes;

    Could be a starting point? I'm not really sure what's changing under the hood at that point at the moment.

  • 🇺🇸United States timhsieh

    as another workaround, in your settings, close the HTML tags that need closing. E.g., "
    ".

  • 🇺🇸United States generalredneck

    This error seems to be caught by the automated tests as well see the latest build https://git.drupalcode.org/project/html_title/-/jobs/669321. I am also hesitant about #3. Upgrading the priority of this one and will tackle it next time I get a chance.

  • Open on Drupal.org →
    Core: 7.x + Environment: PHP 5.3 & MySQL 5.5
    last update 11 months ago
    Waiting for branch to pass
  • Open on Drupal.org →
    Core: 7.x + Environment: PHP 5.3 & MySQL 5.5
    last update 11 months ago
    Waiting for branch to pass
  • Status changed to RTBC 11 months ago
  • 🇺🇸United States generalredneck

    Alright, a few things:

    1) #3 is a perfectly valid solution. it's a quick Regex way to stip off the outsides of the tag. It just made me jumpy since this was in the Filter service, but it's simply grabbing the tag names from the configuration. Something changed in the HTML parsing class that made this quit working. I don't know that this method is any less secure honestly.

    2) All the tests pass with this fix (including the unit test around the getAllowedHtmlTags(). You can see this on https://git.drupalcode.org/project/html_title/-/jobs/669556.

    I'm going to call this one good.

  • Pipeline finished with Skipped
    11 months ago
    #80487
  • Status changed to Fixed 11 months ago
  • 🇺🇸United States generalredneck

    Pushing out in a new release.

  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024