- πΊπΈUnited States smustgrave
If still a valid feature request please reopen updating issue summary per #28.
Also could be unrelated but π Html::escapeCdataElement() not adding CDATA correctly Fixed was committed so wonder if that solved anything.
Thanks!
- Status changed to Active
over 1 year ago 9:55pm 11 July 2023 - π«π·France fgm Paris, France
Technically, as I understand the RSS 2.0 standard, HTML in the items should (must ?) be escaped, and should still be in a CDATA section: I had to look this up when upgrading the G2 module for Drupal 10/9.
This being said, comment #28 mentions Google Reader, which is no longer a thing, but all current RSS readers I've used (only a few, admittedly) handle this "incorrect" escaped HTML correctly these days.
I've reset the issue to active because it still feels like we should have a clearly defined, standards-backed answer, instead of just some "it works" anecdotal info.
- π³πΏNew Zealand luke.stewart
Assuming this validator is valid...
https://validator.w3.org/feed/check.cgi?url=drupal.org%2Fnode%2Ffeed
As of now reports that this is a valid feed.
It recommends the following:
description should not contain iframe tag
description should not contain relative URL references:
Missing atom:link with rel="self"Does this mean that this issue can be closed? (Again?)
- π¬π§United Kingdom james.williams
@luke.stewart If youβre seeing βdescription should not contain iframe tagβ, then no, this is still a problem to fix. Drupal is outputting HTML in the description elements which needs escaping via CDATA tags.
- First commit to issue fork.
- πΊπΈUnited States nicxvan
I've been following this for a while. I found this: https://www.drupal.org/project/views_rss/issues/3409451 π RSS output is no longer valid XML Fixed and the related with more discussion: https://www.drupal.org/project/views_rss/issues/3079683 π¬ Add CDATA tags at description field on D8 Active
I am going to create an issue fork and just wrap the description in CDATA and see if any tests complain to see if we can move this forward.
- πΊπΈUnited States nicxvan
Aside from being curious if this will have any failures I do have two implementation questions.
1. Do we need to detect if there is html in the description before adding the CDATA wrapper, my understanding is it is not harmful to add the CDATA wrapper everywhere.
2. Do we need to wrap the main description in views-view-rss.html.twig? It was done in the issue I linked above, but I don't think that is actually necessary. - πΊπΈUnited States nicxvan
Looks like there was at least one failure in:
Testing Drupal\Tests\node\Functional\NodeRSSContentTest .E 2 / 2 (100%) Time: 00:14.744, Memory: 4.00 MB There was 1 error: 1) Drupal\Tests\node\Functional\NodeRSSContentTest::testUrlHandling Behat\Mink\Exception\ExpectationException: The string "http://localhost/subdirectory/sites/simpletest/14042105/files/root-relative" was not found anywhere in the HTML response of the current page. /builds/issue/drupal-3433/vendor/behat/mink/src/WebAssert.php:888 /builds/issue/drupal-3433/vendor/behat/mink/src/WebAssert.php:363 /builds/issue/drupal-3433/core/tests/Drupal/Tests/WebAssert.php:547 /builds/issue/drupal-3433/core/modules/node/tests/src/Functional/NodeRSSContentTest.php:120 /builds/issue/drupal-3433/vendor/phpunit/phpunit/src/Framework/TestResult.php:728
I can look at this later if someone else doesn't get to it before me.
There was another failure in AJAX but I think it was unrelated because rerunning it succeeded. - π«π·France duaelfr Montpellier, France
I did the exact same change in my own
views-view-row-rss.html.twig
for both the title and the description.
While there is no issue with the title, the description gets filtered somehow.I tried to duplicate the description field with another name:
<item> <title><![CDATA[{{ title }}]]></title> <link>{{ link }}</link> <description><![CDATA[{{ description }}]]></description> <anything_else_but_description><![CDATA[{{ description }}]]></anything_else_but_description> {% for item in item_elements -%} <{{ item.key }}{{ item.attributes -}} {% if item.value -%} >{{ item.value }}</{{ item.key }}> {% else -%} {{ ' />' }} {% endif %} {%- endfor %} </item>
The "anything_else_but_description" field does not get filtered out.
Does anyone know where it could happen? - πΊπΈUnited States nicxvan
I'm not sure why that is happening, but you shouldn't need to add cdata to the title as I don't think that can be html.
- πΊπΈUnited States nicxvan
I did some investigation, there is some process that is converting root relative and protocol relative urls to absolute in the twig file when the cdata is not wrapping it.
Here are the assertions with comments alluding to this:
// Verify that root-relative URL is transformed to absolute.
$this->assertSession()->responseContains($file_url_generator->generateAbsoluteString('public://root-relative'));
// Verify that protocol-relative URL is left untouched.
$this->assertSession()->responseContains($protocol_relative_url);
// Verify that absolute URL is left untouched.
$this->assertSession()->responseContains($absolute_url);I downloaded the artifacts and here are the urls after decoding:
Protocol-relative URL β
Root-relative URL βI compared with a passing test to confirm those do get http://localhost. Does anyone know what mechanism is converting those to absolute urls?
I pushed up a description filtered with RAW to test how that gets output. For some reason these tests are not working locally.
- πΊπΈUnited States nicxvan
That actually worked!
I'm not sure it actually solves the issue, I don't see the CDATA section properly.
Other modules that use xml with CDATA add it like this:
public function addCdata($cdata_text): void {
$node = dom_import_simplexml($this);
$no = $node->ownerDocument;
$node->appendChild($no->createCDATASection($cdata_text));
}And builds it from a \SimpleXMLElement object first.
I'm not sure we need to do all of that. It's possible I'm looking at the wrong thing.
- πΊπΈUnited States nicxvan
There is something weird going on.
With this in the template:<description><![CDATA[{{ description|raw }}]]></description>
The output looks like this and is encoded:<description> <span>test</span> <span><span>admin</span></span> <span><time datetime="2023-11-19T02:52:51+00:00" title="Sunday, November 19, 2023 - 02:52">Sun, 11/19/2023 - 02:52</time> </span> </description>
I then changed the twig template to this to confirm that I was editing the right template:
<description>Before CDATA<![CDATA[{{ description|raw }}]]>After CDATA</description>
Now the output looks like this
The description content shows up twice for some reason, the before callout shows up once and the after callout shows up twice.<description>Before CDATA <span>adsf</span> <span><span>admin</span></span> <span><time datetime="2023-11-19T02:52:58+00:00" title="Sunday, November 19, 2023 - 02:52">Sun, 11/19/2023 - 02:52</time> </span> After CDATA<![CDATA[ <span>adsf</span> <span><span>admin</span></span> <span><time datetime="2023-11-19T02:52:58+00:00" title="Sunday, November 19, 2023 - 02:52">Sun, 11/19/2023 - 02:52</time> </span> ]]>After CDATA</description>
- π«π·France fgm Paris, France
FWIW I temporarily had this problem of escaped content after the D9->D10 migration on https://osinet.fr/rss.xml, and is disappeared a few days ago when I upgraded to 10.2.4. Not sure what changed in core that could cause these differences.
- Status changed to Needs review
9 months ago 4:06pm 10 April 2024 - π«π·France duaelfr Montpellier, France
I traced down the CDATA removal to
\Drupal\Core\EventSubscriber\RssResponseRelativeUrlFilter::transformRootRelativeUrlsToAbsolute()
I updated MR !7201 with a fix.
- Status changed to Needs work
9 months ago 5:36pm 10 April 2024 - πΊπΈUnited States nicxvan
Functional test is failing, I can't take a look at the moment.
- πΊπΈUnited States nicxvan
Ah it's the new test: Drupal\Tests\Core\EventSubscriber\RssResponseRelativeUrlFilter
- πΊπΈUnited States nicxvan
I'm rerunning again, I'm slightly suspicious since the failing test is the one that was just updated, but running that test locally passes, trying to run all tests locally and see if I get failures.
- Assigned to nicxvan
- πΊπΈUnited States nicxvan
Ok I can replicate this locally now, I think I can fix this.
- Issue was unassigned.
- πΊπΈUnited States nicxvan
Ok this test should run, it seems to put the closing CDATA tag on a new line.
I patched a site and ran the rss validator and it looks valid as far as the CDATA is concerned.
It shows this error: Missing atom:link with rel="self" which is unrelated to the issue being solved here.I'll move to needs review once I confirm tests are passing.
- Status changed to Needs review
9 months ago 7:23pm 10 April 2024 - πΊπΈUnited States nicxvan
I am using this site: https://validator.w3.org/feed/#validate_by_input
Here is the test rss:<?xml version="1.0" encoding="utf-8"?> <rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://mercury.ddev.site/"> <channel> <title>Drush Site-Install</title> <link>https://mercury.ddev.site/</link> <description/> <language>en</language> <item> <title>test</title> <link>https://mercury.ddev.site/node/3</link> <description><![CDATA[ <span data-entity-title-editable-id="node/3">test</span> <span><a title="View user profile." href="https://mercury.ddev.site/user/1">admin</a></span> <span><time datetime="2024-04-10T19:11:26+00:00" title="Wednesday, April 10, 2024 - 19:11">Wed, 04/10/2024 - 19:11</time> </span> <div class="text-content clearfix field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>asdf</p></div> ]]></description> <pubDate>Wed, 10 Apr 2024 19:11:26 +0000</pubDate> <dc:creator>admin</dc:creator> <guid isPermaLink="false">3 at https://mercury.ddev.site</guid> </item> </channel> </rss>
If I remove the cdata tag and use this instead
<?xml version="1.0" encoding="utf-8"?> <rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://mercury.ddev.site/"> <channel> <title>Drush Site-Install</title> <link>https://mercury.ddev.site/</link> <description/> <language>en</language> <item> <title>test</title> <link>https://mercury.ddev.site/node/3</link> <description> <span data-entity-title-editable-id="node/3">test</span> <span><a title="View user profile." href="https://mercury.ddev.site/user/1">admin</a></span> <span><time datetime="2024-04-10T19:11:26+00:00" title="Wednesday, April 10, 2024 - 19:11">Wed, 04/10/2024 - 19:11</time> </span> <div class="text-content clearfix field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>asdf</p></div> </description> <pubDate>Wed, 10 Apr 2024 19:11:26 +0000</pubDate> <dc:creator>admin</dc:creator> <guid isPermaLink="false">3 at https://mercury.ddev.site</guid> </item> </channel> </rss>
The validator complains about the div and html as expected.
- Status changed to Needs work
8 months ago 2:00pm 12 April 2024 - πΊπΈUnited States smustgrave
So as a template change will need to update the other views-view-row-rss.html.twig in core.
But also do a CR to announce to other themes to update their templates.
- πΊπΈUnited States nicxvan
Got some new failures, I'm taking a look at them.
- πΊπΈUnited States nicxvan
Here is the failing test:
[31mDrupal\Tests\views\Functional\Plugin\DisplayFeedTest 0 passes 1 exceptions [0mFATAL Drupal\Tests\views\Functional\Plugin\DisplayFeedTest: test runner returned a non-zero error code (2). [31mDrupal\Tests\views\Functional\Plugin\DisplayFeedTest 0 passes 1 fails
I am unable to replicate this failure locally at the moment.
- πΊπΈUnited States nicxvan
I was able to replicate I am pushing up a fix:
I'm not sure if the updated test needs more work.
We also updated stable, let me know if that needs a follow up issue instead.
- Status changed to Needs review
8 months ago 4:45pm 12 April 2024 - Status changed to RTBC
8 months ago 7:14pm 18 April 2024 - πΊπΈUnited States smustgrave
I reviewed this the other day and forgot to hit save :(
But tweaked the CR slightly to include an examples.
https://git.drupalcode.org/issue/drupal-3433/-/jobs/1313487 shows the test coverage
All core templates appear to be updated.
Believe this is good.
- Status changed to Needs work
8 months ago 2:37am 19 April 2024 - πΊπΈUnited States nicxvan
Temporarily moving this back to needs work while I double check something, I think I can simplify this a bit.
- Status changed to Needs review
8 months ago 2:50am 19 April 2024 - πΊπΈUnited States nicxvan
Moving back to needs review since I changed the approach.
I think the raw filter was not appropriate and I realized we could always wrap the description in CDATA so I moved it to the url transform.
I then used XSS::filterAdmin to make sure no dangerous scripts get through.
I'll bump it back to needs work if the tests don't pass.
- Status changed to Needs work
8 months ago 2:56am 19 April 2024 - Status changed to Needs review
8 months ago 3:08am 19 April 2024 - πΊπΈUnited States nicxvan
I cleaned up the tests further since we are wrapping the description in CDATA we don't need an extra test case, we just need to update the feed test to account for CDATA and ensure the feed is outputting CDATA (which we already put in place).
- πΊπΈUnited States nicxvan
I also simplified the Change Record since we are no longer updating the templates.
- Status changed to RTBC
8 months ago 12:45pm 19 April 2024 - πΊπΈUnited States smustgrave
Even better! Whenever we don't have to update all the twig templates its definitely the route. Helps contrib themes.
Believe the CR is still needed and what you have is good.
- Status changed to Needs work
8 months ago 4:10pm 20 April 2024 - π¬π§United Kingdom alexpott πͺπΊπ
Is the HTML admin created or user created. If it is user created we should be using
Xss::filter()
because the admin filter is still very liberal. - πΊπΈUnited States nicxvan
I used filterAdmin because that is what views usually uses as a final pass for rewrites and I wanted to preserve the most HTML that might have been configured as allowed on filter formats and added to the view.
You're probably right though, cause if someone entered HTML in a plain text field then it passed through this filter it would convert it to HTML.
I think converting this to filter could strip out some HTML that was enabled by an admin on a text format once it passes through the CDATA conversion, but that is probably better than outputting more HTML than expected.
I'll make the change.
- Status changed to Needs review
8 months ago 3:10am 21 April 2024 - πΊπΈUnited States nicxvan
Ok I used the example in locale for which html tags to allow since the default blank filter even removes paragraph tags:
['a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var']
- Status changed to RTBC
8 months ago 2:53pm 28 April 2024 - πΊπΈUnited States smustgrave
Coverage still appears to be there https://git.drupalcode.org/issue/drupal-3433/-/jobs/1385050
Believe the feedback/change request has been addressed.
CR probably is still useful, 50/50 since it doesn't require a twig change now.
- First commit to issue fork.
- π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
I think this is a bug, not a feature request. Which means its still eligible for 11.x/10.3.x
- Status changed to Needs work
7 months ago 10:21pm 19 May 2024 - π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
Left some minor nits on the MR, feel free to self RTBC after addressing.
- Status changed to RTBC
7 months ago 12:48am 20 May 2024 - πΊπΈUnited States nicxvan
Thanks, I updated the comments for both instances!
- Status changed to Needs work
7 months ago 12:57am 20 May 2024 - πΊπΈUnited States nicxvan
ah my local is out of date, one moment while I rebase.
- Status changed to RTBC
7 months ago 12:59am 20 May 2024 - πΊπΈUnited States nicxvan
Ok, that is resolved now, I'll keep an eye on tests, but changing comments shouldn't affect them.
- Status changed to Needs work
7 months ago 1:20am 20 May 2024 - πΊπΈUnited States nicxvan
I'm doing a full rebase, there are a bunch of unrelated failures.
- Status changed to RTBC
7 months ago 1:25am 20 May 2024 - πΊπΈUnited States nicxvan
Ok, I rebased on 11.x I'll keep an eye on tests.
- πΊπΈUnited States nicxvan
Tests are happy on 11.x.
10.2 branch is failing for an unrelated test.
- π³πΏNew Zealand quietone
Added useful links to the issue summary and updated credit.
- Status changed to Needs review
7 months ago 10:14pm 7 June 2024 - π¬π§United Kingdom longwave UK
Is piggybacking on RssResponseRelativeUrlFilter really the right thing to do? That event subscriber is only supposed to be fixing up relative URIs, and now we're extending it to convert the description to CDATA - this feels like the wrong place to be doing this. Should we be doing this when the RSS feed is generated? Or maybe we need a separate event subscriber?
- πΊπΈUnited States nicxvan
Good point, I'll take a look later this week unless someone else gets to it first.
- Assigned to nicxvan
- Issue was unassigned.
- πΊπΈUnited States nicxvan
Got some failures, my local tests are not working at the moment so I'm working on figuring that out now.
- πΊπΈUnited States nicxvan
I did not update the 10.2 branch this time since I didn't create it and I'm not sure this is eligible for backport anyway.
- πΊπΈUnited States nicxvan
I ran test only and it's failing as expected.
- Status changed to RTBC
7 months ago 6:00pm 10 June 2024 - πΊπΈUnited States smustgrave
Removing Needs markup review as this isn't changing the twig template (assuming that's what the tag is for).
Per the slack thread, issue summary and change record have both been updated with new approach.
Small feedback to the MR has also been addressed.
Test-only feature did fail before last push so coverage is there.
LGTM
- π³πΏNew Zealand quietone
I made changes to comments, mostly about capitalization. And small changes to the change record to put the change first. I did not do a code review.
After that I then saw that there are two new functions that do not have return types. I need a break so I am setting to NW for that. See https://www.drupal.org/docs/develop/standards/php/php-coding-standards#s... β .
- Status changed to Needs work
6 months ago 3:01am 26 June 2024 - Status changed to Needs review
6 months ago 3:12am 26 June 2024 - πΊπΈUnited States nicxvan
I set string|false since https://www.php.net/manual/en/domdocument.savexml.php shows that, let me know if that should be handled differently.
- Status changed to Needs work
6 months ago 1:15pm 1 July 2024 - Status changed to Needs review
6 months ago 2:07pm 1 July 2024 - πΊπΈUnited States nicxvan
Committed the suggestion and answered your question.
- Status changed to RTBC
6 months ago 3:03pm 1 July 2024 - Status changed to Needs work
5 months ago 10:16am 22 July 2024 - π¬π§United Kingdom longwave UK
I think this solution is really clean, just one nit about an unused argument.
- Status changed to RTBC
5 months ago 10:19am 22 July 2024 - π¬π§United Kingdom longwave UK
In the interests of not holding up a 20+ year old issue any longer, I fixed the nit and set it back to RTBC and will commit later if the tests pass.
-
longwave β
committed ebc8e063 on 10.4.x
Issue #3433 by nicxvan, quietone, longwave, DuaelFr, smustgrave,...
-
longwave β
committed ebc8e063 on 10.4.x
-
longwave β
committed eba56b0f on 11.x
Issue #3433 by nicxvan, quietone, longwave, DuaelFr, smustgrave,...
-
longwave β
committed eba56b0f on 11.x
- Status changed to Fixed
5 months ago 10:48am 22 July 2024 - π¬π§United Kingdom longwave UK
Decided to commit this to 11.1.x and 10.4.x only as there is a chance of it being vaguely disruptive to existing sites that are using RSS and not necessarily expecting CDATA in their output here, given we wrote a change record it makes sense to put it in a minor release only.
Still, great to see a 20+ year old bug finally fixed, and in such a clean way given we can just add the event subscriber to modify RSS responses.
Committed and pushed eba56b0fd7 to 11.x and ebc8e0639e to 10.4.x. Thanks!
Automatically closed - issue fixed for 2 weeks with no activity.