Lauris
Account created on 5 April 2019, over 5 years ago

Recent comments

🇫🇷France raphaelbertrand Lauris

Add the composer.libraries.json generation options as "/admin/structure/webform/config/libraries" config page also suggests

🇫🇷France raphaelbertrand Lauris

I didn't see it before, /admin/structure/webform/config/libraries suggests:

generate a custom file using: drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json.

Maybe it can be good to edit https://www.drupal.org/node/3003140 to suggest this option.

🇫🇷France raphaelbertrand Lauris

@julienjoye according to https://www.drupal.org/docs/develop/issues/fields-and-other-parts-of-an-...
it seems you need to open a new issue to provide your fix, as this one is in status "closed (fixed)"

Closed (fixed)
This status is used exclusively by the Project issue tracking system to close "Fixed" issues automatically after two weeks of inactivity. You should not need to set this status yourself. The issue is no longer current. Issues that have reached this status should typically not be reopened, but instead, a new issue should be opened, providing a link to the closed issue. Closed issues do not appear in the default view of the issue queue. This provides a cleaner queue, while still maintaining the issues for historical reasons.

🇫🇷France raphaelbertrand Lauris

@julienjoye you are right, the fix has left behind the preprocess of the beginning of the function.
Your code seems to be the good one, but I can't reopen this issue as I am not a maintainer

🇫🇷France raphaelbertrand Lauris

Maybe reporting this to twig maintainers can help them to know that the sandbox can cause an infinite loop in certain cases and write a new exception case to prevent this and throw debugging info to dev?

🇫🇷France raphaelbertrand Lauris

@mradcliffe
it seems to be related to this, looking at the commit of twig/twig causing the error:
* Fix a security issue in the sandbox mode allowing an attacker to be able to call `toString()`
under some circumstances on an object even if the `__toString()` method is not allowed by the security policy

🇫🇷France raphaelbertrand Lauris

Same problem on taxonomy and many other edit forms.
In text format config, it occurs on text formats with ckeditor5 enabled or when trying to enable it.
Maybe it is related to ckeditor5 ?

🇫🇷France raphaelbertrand Lauris

I tried with different settings (on different servers), it doesn't seem to solve the problem.

🇫🇷France raphaelbertrand Lauris

Reverting the change in src/Extension/SandboxExtension.php in this commit of twig/twig has the same effect as downgrading to 3.14.0
Fix sandbox handling for __toString()
https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d527711...

if (\is_array($obj)) {
    foreach ($obj as $v) {
        $this->ensureToStringAllowed($v, $lineno, $source);
    }

    return $obj;
}

🇫🇷France raphaelbertrand Lauris

Same problem, related error seems to be:
PHP Fatal error: Allowed memory size of *** bytes exhausted (tried to allocate 262144 bytes) in ***/vendor/twig/twig/src/Extension/SandboxExtension.php on line 130

🇫🇷France raphaelbertrand Lauris

I know and understand I can manage dependencies by myself (I think I will do it to avoid unwanted dependencies like this one), but the idea is to provide in the webform codebase a clean, updated list of dependent libraries in composer.libraries.json without the deprecated ones, which can if needed be put in another JSON file, for example a new composer.deprecated-libraries.json.
Why continue to provide, in the main composer.libraries.json, libraries with a safety risk for deprecated submodules?

🇫🇷France raphaelbertrand Lauris

Is it possible to move deprecated libraries into another composer.json in order to have a clean one (and an optional other one for those who want to keep these modules)?

🇫🇷France raphaelbertrand Lauris

A new version with the patch for the polyfill bug has been published
https://github.com/Choices-js/Choices/releases

🇫🇷France raphaelbertrand Lauris

smustgrave wants test coverage, but still nobody to help to do it?
I don't have time to do it actually and I am still with Drupal 10.3.

🇫🇷France raphaelbertrand Lauris

raphaelbertrand changed the visibility of the branch 3364884-javascript-operators-in to hidden.

🇫🇷France raphaelbertrand Lauris

raphaelbertrand changed the visibility of the branch 3364884-javascript-operators-in to active.

🇫🇷France raphaelbertrand Lauris

@cilefen the change that broke this is internal to twig, as twig_escape_filter() is now declared as internal in twig, deprecated, and no longer usable directly. As 10.3 uses twig 3.9 or 3.10, it brings these changes into Drupal.

🇫🇷France raphaelbertrand Lauris

Mistake, as the return type is string|null:
I propose this correction:
return $env->getRuntime(EscaperRuntime::class)->escape($arg, $strategy, $charset, $autoescape);
instead of return $env->getRuntime(EscaperRuntime::class)->escape($env, $return, $strategy, $charset, $autoescape);
and insert use Twig\Runtime\EscaperRuntime; at the beginning of the file

For the future, I think that as the escape filter is overridden only for the html strategy, it will be better to use the setEscaper() method instead of overriding the filter, but it needs to use twig 3.10 minimum and it needs more changes than this quick patch

🇫🇷France raphaelbertrand Lauris

I tried locally by replacing line 464 with :
return (string) $env->getRuntime(EscaperRuntime::class)->escape($arg, $strategy, $charset, $autoescape);
instead of return $env->getRuntime(EscaperRuntime::class)->escape($env, $return, $strategy, $charset, $autoescape);
and insert use Twig\Runtime\EscaperRuntime; at the beginning of the file

🇫🇷France raphaelbertrand Lauris

A simpler solution might be to change this line (61) in big_pipe.module,
method big_pipe_page_attachments, to set the destination parameter to a local URI instead of an absolute one;
this way it will not be detected as external. The right host is already set by the route of big_pipe.nojs.

'content' => '0; URL=' . Url::fromRoute('big_pipe.nojs', [], ['query' => \Drupal::service('redirect.destination')->getAsArray()])->toString(),
