Lille
Account created on 11 April 2019, about 6 years ago
#

Merge Requests

More

Recent comments

🇫🇷France prudloff Lille

The MR suits our need but I guess it could be a breaking change so we might want to add a setting for this.

🇫🇷France prudloff Lille

I guess using ~ would be an acceptable compromise.

🇫🇷France prudloff Lille

Wouldn't it make sense to use a Composer constraint like ^1.20.1?
This way we don't have to update the module every time a new release of tarteaucitron is published.

🇫🇷France prudloff Lille

We are using the patch on several projects and it seems to work correctly.

🇫🇷France prudloff Lille

@smustgrave I can't see your comment on the MR?

🇫🇷France prudloff Lille

The tests have to change (well at least the expected values) because attribute values that were not sanitized before now have their protocol removed.
However, I adjusted the MR a bit to limit the changes in tests.

🇫🇷France prudloff Lille

Is this still useful? Do we still use libraries that support these headers?

🇫🇷France prudloff Lille

Do we have a standardized way to add JS checks to /admin/reports/status?
I think this page only contains server-side checks.

🇫🇷France prudloff Lille

I'm not sure this can be fixed in CommentDefaultFormatter.

If Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() Needs work adds a generic system to alter access in entity queries, then custom code could alter access in comment queries and it would hopefully apply everywhere including in CommentStorage::loadThread().

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

🇫🇷France prudloff Lille

We could parse the string as HTML and use textContent property from DOMNode and hope it does things correctly with html5.

I did a quick test like this:

$dom = \Drupal\Component\Utility\Html::load('<p>Giraffes.</p><p>Wombats.</p>'); echo $dom->textContent;

But it seems it never adds any space.

A more robust solution would be to use the html2text library but it would be a bit overkill to add a new dependency just for this.

🇫🇷France prudloff Lille

Fixed a typo

🇫🇷France prudloff Lille

No answer from maintainer so moving to project ownership queue.

🇫🇷France prudloff Lille

I think the bot tested the patch instead of the MR.
The MR does not have conflicts.

🇫🇷France prudloff Lille

We don't need to duplicate the drupal/core requirement in composer.json, drupal.org generates it based on core_version_requirement when creating the Composer package.

🇫🇷France prudloff Lille

Sorry, I always forget that createFromRenderArray() only takes the root #cache and does not bubble lower cache metadata.

We can probably use ViewExecutable::getCacheTags() for cache tags but we could also need to get cache contexts and max age from the rendered view.
The views_ajax_get module uses createFromRenderArray($view->element), I wonder if that's enough.

@berdir you are right, we should also add cache contexts for query parameters that are explicitly used in the controller.

🇫🇷France prudloff Lille

The bot says the patch does not apply but I don't see any conflict on the MR.
I rebased to see if it works better.

🇫🇷France prudloff Lille

I rebased the MR.

🇫🇷France prudloff Lille

I think the MIT license is compatible with GPL 2: https://www.drupal.org/node/1475972#gplv2-compatible-licenses

However, it is a bad practice to duplicate library code so we should still try to remove it.

🇫🇷France prudloff Lille

I added logging if setExpires() fails.

And I stopped using the page cache max age setting as @berdir suggested.

🇫🇷France prudloff Lille

I fixed the conflict (it was caused by 🐛 Pagination not working correctly in AJAX view with exposed filters Needs review ).

I also noticed we were mixing two ways to remove parameters from the query (a regex and parsing it as an array). I moved everything to the new way.

🇫🇷France prudloff Lille

I tried reverting the camel case changes locally but it makes yarn run lint:core-js-passing complain:

/media/pierre/Projets/workspace/drupal-core/core/modules/views/js/ajax_view.js
  176:20  error  Identifier '$exposed_form' is not in camel case  camelcase
  182:5   error  Insert `··`                                      prettier/prettier
  182:5   error  Identifier '$exposed_form' is not in camel case  camelcase
🇫🇷France prudloff Lille

I merged this in Enable bookmarking of AJAX views Needs work and I believe the failing PaginationAJAXTest shows the new regex might cut query parameters that contain "page".
For example '?items_per_page=gezgez&foo=bar'.replace(/q=[^&]+&?|page=[^&]+&?|&?render=[^&]+/, '') will return "?items_per_foo=bar".
Should I open a followup?

🇫🇷France prudloff Lille

I updated the summary but now the MR has a conflict.

🇫🇷France prudloff Lille

prudloff created an issue.

🇫🇷France prudloff Lille

I answered the questions.
If this needs fixing, we should probably fix it in JsonApiResource as well?

🇫🇷France prudloff Lille

Would that be a better title?

See the comments in the MR

I don't see any comment on the MR.

🇫🇷France prudloff Lille

I don't think it is possible.
What would be your use case here?

🇫🇷France prudloff Lille

I created a followup issue for the phpstan error (because it requires refactoring the code): 📌 \Drupal calls should be avoided in classes Active

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

🇫🇷France prudloff Lille

I just noticed Drupal does not require the intl extension.
NoSuspiciousCharacters will throw an exception if this extension is not available.

We could either:

  • Require the intl extension
  • Skip this constraint if the extension is not available
🇫🇷France prudloff Lille

I agree we should try to avoid _access: 'TRUE' but this route does not return anything sensitive so I am not sure why and how we should protect it.

🇫🇷France prudloff Lille

Marking as postponed until Register symfony's mime guessers if they are supported Needs work is fixed.
Then we can see if the solution implemented by the other issue is enough or if it is still needs hardening.

🇫🇷France prudloff Lille

Not sure about the automatic extension change tho.

I agree, we could simply refuse the file if the detected content type does not match an allowed extension.

🇫🇷France prudloff Lille

I did a quick manual test and I think this is still a concern.

I rebased the patch.
I'm not sure the failing AssetAggregationAcrossPagesTest is related?

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

🇫🇷France prudloff Lille

Is this still a concern?
I think the issue summary would need to be updated to explain why this should be removed.
Also I guess the first step would be to simply deprecate it?

🇫🇷France prudloff Lille

Added a basic implementation.
The main caveat is that it heavily depends on the languages activated on the website (because that's the way NoSuspiciousCharacters and Spoofchecker work).
If we find this too restrictive, we could also use NoSuspiciousCharacters without restricting the allowed locales, it would still be useful to detect mixed character sets and invisible characters.

I'm not sure the failing AssetAggregationAcrossPagesTest is related?

🇫🇷France prudloff Lille

I suppose we should merge 📌 SessionCacheContext class should implement CacheContextInterface Needs work first then this issue can focus on adding the 0 max age fix when there is no session.

🇫🇷France prudloff Lille

prudloff changed the visibility of the branch 3442009-oop-hooks-using to hidden.

🇫🇷France prudloff Lille

prudloff changed the visibility of the branch drupal-3442009 to hidden.

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

🇫🇷France prudloff Lille

The PHP intl extension provides a Spoofchecker::areConfusable() method that could be used for this but comparing the news username to every existing user would probably be expensive.

Symfony also provides a NoSuspiciousCharacters characters constraint (which uses Spoofchecker::isSuspicious() internally): https://symfony.com/doc/current/reference/constraints/NoSuspiciousCharac...
This is probably a good solution but it requires setting the expected locales (having Cyrillic letters in usernames on a Russian websites would not be suspicious for example). I supposed we could configure it using the enabled locale on the website.

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

🇫🇷France prudloff Lille

I agree this is important and would help prevent some XSS vulnerabilities.
I rebased the latest patch and adjusted some things to make tests pass.

However, I see two potential problems with the solution:

  • It would require maintaining a long list of attributes in which protocols should not be filtered (see 🐛 XSS attribute filtering is inconsistent and strips valid attributes Needs work ).
    This is an existing problem with the XSS filter, but filtering attributes everywhere makes it more visible.
  • Using MarkupInterface to explicitly bypass the filter seems a bit weird semantically, because an attribute value is not really markup.
    (When this was proposed the interface was still called SafeStringInterface.)

Also filtering the style attribute would break too many places in core where it is used (because every CSS rule contains the : character) and I don't think it is the job stripDangerousProtocols() to remove dangerous URLs in CSS.
Removing dangerous CSS could be implemented later in Allow inline style to certain html elements despite of "Limit allowed HTML tags and correct faulty HTML" filter turned on Active .

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

🇫🇷France prudloff Lille

prudloff made their first commit to this issue’s fork.

Production build 0.71.5 2024