Render (and sanitize) raw revision notes

Created on 19 October 2024

Problem/Motivation

Revision notes can contain formatting such as italics and bold; this is especially common in revisions generated by bulk-edit modules. However, on the diff page this formatting is escaped and the markup is shown instead.

Steps to reproduce

1. Make a change and include formatting in your revision notes
2. View the diff comparison, see that the markup is exposed instead of rendering the italics

Proposed resolution

Add a step between getRevisionLogMessage() and the use of the {{ notes }} Twig token, so that its output is safe to use in raw form (probably with Xss::filterAdmin()). {{ notes|raw }} can then be used in the template without losing formatting or risking security.

I'm using {{ notes|raw }} already instead of just {{ notes }} in my site, but I know this is not a safe long-term solution. I just couldn't work out how to filter the notes before they are rendered.

Remaining tasks

- Determine where the extra step should be: a new function in /src/Controllers or the .module file
- Write the extra step
- Review
- Merge

User interface changes

N/A

API changes

N/A

Data model changes

N/A
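The step proposed above, as an added example written for this issue and not code from the diff module: the raw log message is passed through Xss::filterAdmin() and wrapped in a Markup object before it reaches Twig, so the template can print it with {{ notes }} and no |raw filter. The module name mymodule, the theme hook name diff_notes and the helper function are assumptions; only the template variable name notes comes from the issue.

```php
<?php

// Added example, not part of the diff module. Assumptions: the diff template's
// theme hook is "diff_notes" and its Twig variable is "notes"; both names are
// placeholders and must be replaced with the real ones from the module.

use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;
use Drupal\Core\Render\MarkupInterface;

/**
 * Returns a render-safe version of a raw revision log message.
 *
 * Xss::filterAdmin() keeps the tags permitted in administrative UI
 * (em, strong, a, ul, li, ...) and removes script tags, on* event handler
 * attributes and javascript: URLs; text inside a removed tag is kept as plain
 * text. Wrapping the result in Markup marks it as already safe, so Twig
 * auto-escaping leaves it alone and {{ notes }} renders the formatting.
 *
 * Markup::create() returns a plain '' for an empty string, hence the union
 * return type.
 */
function mymodule_safe_revision_notes(?string $raw_message): MarkupInterface|string {
  return Markup::create(Xss::filterAdmin($raw_message ?? ''));
}

/**
 * Implements hook_preprocess_HOOK() for the (assumed) diff_notes theme hook.
 *
 * Only plain strings are touched: if the controller already hands Twig a
 * Markup object, it has been vetted upstream and is passed through as is.
 */
function mymodule_preprocess_diff_notes(array &$variables): void {
  if (isset($variables['notes']) && is_string($variables['notes'])) {
    $variables['notes'] = mymodule_safe_revision_notes($variables['notes']);
  }
}

// Constructed sample input, the kind of note a bulk-edit module might write,
// with an injected script tag appended to show what the filter removes.
// The <em> element survives; the <script> tag is stripped and only its text
// content "alert(1)" remains, which the browser displays rather than runs.
$sample = 'Bulk edit: set status to <em>published</em><script>alert(1)</script>';
$safe = mymodule_safe_revision_notes($sample);
```

Xss::filterAdmin() is the allowlist Drupal uses for content written by trusted administrative users, and it permits a fairly wide tag set, including links. If revision log messages can be written by less privileged roles on a site, the stricter default list in Xss::filter() is the safer choice, at the cost of dropping some formatting.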

Issue type

Bug report

Status

Active

Version

1.1

Component

Code

Created by

jacobupal (Leeds, United Kingdom)
