Closed (fixed)
Project:
Diff
Version:
7.x-3.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
15 Sep 2012 at 21:53 UTC
Updated:
21 Oct 2013 at 23:10 UTC
Jump to comment: Most recent file
Comments
Comment #1
hass commentedI made a full module review. Patch attached.
Comment #2
jwilson3Part of the nicety of "Show diff" was how short it was. "Show difference" makes the button a lot wider, with the possibility that it would either wrap to two lines, or simply make the table column wider than it needs to be (since it just houses two radio buttons).
"Compare" is a better word for this button for both the UI advantage (no wrapping, narrow column) and for UX / translatability.
Comment #3
hass commentedJust made a patch with a compare button. The Compare button is the only change to the previous patch.
Comment #4
alan d. commentedThis should be
Bumped to 3.x as this is the latest version and for i18n users.
Comment #5
istryker commentedLine 320.
I'm not an i18n expert, but isn't the previous version better? Or change it to
+ '#options' => array(0 => '- ' . t('No highlighting') . ' -'),Comment #6
jwilson3I agree with #5, not sure about how to confirm for #4, if $node->title has already been passed through xss_filter / check_plain.
Comment #7
hass commentedNo, we do it everywhere with the
- [Foo] -context. Therefore we know it's an option in a selectbox. This is all ok. I will re-role later with PASS_THROUGH.Comment #8
jwilson3@hass is right. I just did a search through a Drupal 7 project, and it turned up lots of uses of '- None -', '- Select a value -', '- Please choose -' etc.
The only thing to confirm now is if #4 would open up a security hole or not.
Comment #9
istryker commentedYou can use
PASSTHROUGHbecause t() has already sanitized it.FYI - There is a syntax error that was fix in #4 (%@title -> %title) too.
Comment #10
hass commentedNew patch with #4 fixed. Also replaced "Differences" with "Compare revisions" for optimized usability as discussed in #1404642: Better diff integration.
Comment #11
hass commentedHere is the patch for 7.x-3.x. I guess the include folder needs a strong follow up security review. I see tooo many placeholders with
!that are not protecting against XSS. No idea if all this non-checkplain placeholders are required, but we should always use@and!only in *rare* exceptions. Here it looks more like a rule not to run check_plain, and this is a high security risk.Comment #12
jwilson3re #9, Thanks for that reassurance. I knew "%values", were wrapped in <em>, but didn't realize they were also sent through check_plain() until I clicked all the way through to drupal_placeholder().
Comment #13
alan d. commentedI think that #1785742: Diff module string review should be restricted to 3.x branch as it is a string change. This would be problematic on existing 2.x i18n sites during what should be a minor upgrade.
PS: The only thing holding back a beta, release or even full release of 3.x is to find some time to simplify the configuration settings.
Comment #14
hass commentedWe have localize.drupal.org and no longer static PO files that cannot changed. There is no problem in holding string changes back that are also in sync with 3.x. Very many strings are not yet translated and/or have major usability issues/failures. If we wouldn't have so many usability issues in the installed 2.0 I wouldn't have created the patch for this branch.
Comment #15
jwilson3#14++ ! Well said.
Comment #16
rocketeerbkw commentedI felt like there was inconsistency between where 'difference' and 'differences' were used. I also updated the Help text to something better (IMHO).
This is just an updated version of #11.
Comment #17
jwilson3#16 changed "difference between" to "differences between", in the patch... however, there are other places in the code that were neglected that still say "difference between". Two examples:
I'd propose that entire line be cleaned up, something like:
Comment #18
mitchell commentedI'm primarily doing issue queue maintenance now, so my main contribution is:
Categorizing as task to indicate that this is on the development roadmap.
Raising priority to tell reviewers this needs a consensus soon.
---
Other than that, AFAICT, #11 is the latest/best patch, and interdiffs would be very helpful.
---
In case upstream standards are needed, see #1643354: [Policy, No patch] Overhaul the entity revision terminology in UI text.
Comment #19
hass commentedThis strings are broken and this means bugs, it's not a task only.
Comment #20
twardnw commentedToo many things brought up in here for me to have a clear understanding of this issue. Are we simply dealing with checking all the translatable strings for consistency? Are we also dealing with the @ vs. ! placeholders?
Comment #21
twardnw commentedWell, here's a modification of the patch in #11 that adds the comments from #17. I also looked through all the t( strings I could find. There are a few places that still refer to 'diff', but I feel like those are references to the module and not referring to 'differences' (comparison)
Comment #22
hass commentedNormally we should always use @ placeholders. Only exceptions for ! placeholders are theme functions that return raw html. % should be used if something should be exposed.
Comment #23
twardnw commentedShould we not move that to a separate issue for clarity?
Comment #24
hass commentedThis is part of the string review. This are all bugs. Nobody like to translate twice.
Comment #25
twardnw commentedOk, I'll take a look at it with that in mind now.
Comment #26
adamdicarlo commentedI'm re-rolling @twardnw's version in #21 with some additional wording cleanup/clarification, a spelling fix ("compatable").
One thing though:
Why the word "difference" rather than "change"? It's really a set of differences, not that we want to complicate it by calling it that. But it seems we could do better than "difference" here.
It's still "difference" in this patch.
Comment #27
adamdicarlo commented@hass #22, I went through all of the files in the module looking for illegitimate uses of !placeholder and couldn't find any.
Some of the files in the includes directory (e.g. includes/image.inc) look very suspicious, but as I understand it, the array they're generating gets passed to the DiffEngine which returns HTML encoded results (the actual diffs).
I went through the code paths to make almost all of the !placeholders come up with "<script>alert('foobar');</script>" in field/title/etc. content and all were fine.
Comment #28
adamdicarlo commentedStable Diff is needed for Drupal.org D7 upgrade, and a stable Diff depends on this issue. Elevating to critical as the deadline is the end of this month.
Comment #29
alan d. commentedThe Diff engine expects raw HTML, so don't get to worried about that. The only reason this came up was the fact that the page title in the original patch had an issue. See #4.
And for other reviewers, many of these changes reflect that core now inserts the translated string directly rather than passing it in as a translated sub-string.
- %view_revisions
+ View revisions
i.e. searching the code with
\'%[a-z]*\' \=\> t\(\'results in no results outside of tests. (All of these changes seemed redundant so I followed this up to discover this fact.)Comment #30
alan d. commentedcross post, retagging
Comment #31
adamdicarlo commentedRe-prioritizing as I don't think Alan D. meant to change priority (or did you?).
Comment #32
alan d. commentedSorry, no ;)
I will try to make time this weekend to help (In Oz, so Friday/Saturday in the US), as I am flooded at work and a personal project that has a Friday deadline here.
As per version / revision discussion, revision appears to be preferred term and I think we should not get side-tracked with this. Version is a concrete instance that may or may not be a revision; revision is an altered form of the original version.
We could use both like wikipedia, but the UI is inconsistent. This is the likely reason that the big players, (Google, Microsoft, etc) tend to only use one or the other. People from the VCS / MS camp probably would prefer version, and the others would lean towards revision. I think that it is an impossible debate to win.
Comment #33
adamdicarlo commentedVersions? Oh, are you referring to this?
This string comes from core (Node module). I don't see anywhere else in Diff that "version" is used user-facing. Also, I don't think we should change "version" to "revision" here, because it would sound like a circular definition.
Comment #34
alan d. commentedNo, only a passing reference to the use of these terms overall. Sorry to cause confusion.
Comment #35
hass commented#26:
<p>tags are not allowed inside translatable strings. Also use single quotes whenever possible.Comment #36
alan d. commented@hass
Are you referring to the strings like this?
I've removed the p tags from the #description mentioned. It would be nice to roll this soon.
Comment #37
alan d. commentedMissed on P tag
Comment #38
hass commentedYepp. Looks good. How about committing it now as is and may do another review later?
Comment #39
alan d. commentedThanks everyone, committed 126f317. I learned a bit about best practices here for my other projects.
Please create new issues about other string changes. Only reopen this thread if there are issues directly related to the changes committed here.
Comment #40
hass commentedFollow up #1831534: String review leftovers
Comment #42
alan d. commentedAnother change, pinging this thread as someone may still be listening to it...
#2117133: Change "This is the published revision"
Currently this is unconditionally 'This is the published revision.'
Suggested is 'This is the current revision.',
We can probably conditionally show two messages here if we have context to $node. Suggesting either of these:
This is the current revision.
This is the published revision.
Or
This is the current revision.
This is the current revision (unpublished).