Problem/Motivation
Recently i found closely related problems with the IEF-ID, which is used internally and as HTML id.
1) It is not css-sanitized
2) It can clash easily.
As of 1):
Found this with the commerce_checkout_order_fields module, that does sth like this:
$form['plugin_id:derivative'] = $ief;
The form seemed to work, but ajax was broken. I did not debug it to the ground, but following a gut feeling and css-sanitizing the IEF ID fixed the issue.
Note that the HTML spec allows ';' in an ID, but obviously it breaks some part of Drupal's ajax machinery.
Also, while mostly harmless 'some_machine_names' are used, nothing prevents form array keys to contain arbitrary chars.
Prevent such chars from getting through.
As of 2):
(Maybe that only happened after fixing 1), but i can NOT reproduce this currently.)
Found this in a real project with sth like:
// IEF concatenates array keys without separator, so this breaks.
$form['foo']['barbaz'] = $ief1;
$form['foobar']['baz'] = $ief1;
Proposed resolution
- Add separator to IEF-ID calculation
- CSS-sanitize IEF-ID calculation
- Finetune to make it as robust as possible
- Make IEF-ID calculation method a public @api
- Consider making a service
- Leverage that api in own tests if needed
- Publish a ChangeRecord about that
Remaining tasks
- Roll a MR and review.
API changes
- IEF api changes.
- API function for it added, for future changes.