I noticed that the latest update added check_plain to the Bean subject titles.
The Bean subject is the default implementation of a block title, and some people may want there to be some HTML in this title (such as a link).
Having the check_plain on the subject limits what a Drupal admin/developer can do with it.
Because the subject is hard-coded, there isn't any reason to check_plain it. Even if it weren't hard-coded, there's no way a non-privileged user can edit the title, so it's still secure to allow HTML.
Here's an example of why one might want HTML in the subject:
Our company has a couple custom Beans that provide default implementations of the block title (which is the Bean subject). We chose to make the Bean subject dynamically link to a taxonomy term associated with a given page that a user is on.
Comment | File | Size | Author |
---|---|---|---|
#1 | bean-remove-check-plain-on-subjects-1891532.patch | 476 bytes | stevenlafl |
Comments
Comment #1
stevenlafl CreditAttribution: stevenlafl commentedHere's the patch that removes check_plain.
Edit: can't set status after posting comment, meant to select 'needs review'
Comment #2
indytechcook CreditAttribution: indytechcook commentedThanks for your patch.
This was added as part of #1885238: xss bean type label not escaped sufficiently. The label is entered by users via the UI and therefor needs to be escaped. A better workaround would to use a field with a formatter and render the title as part of the bean content. Also Related to #1858416: Rendered bean does not display the title when display settings indicate it should.
Comment #3
davidwbarratt CreditAttribution: davidwbarratt commentedstevenlafl,
two things..
1) All bugs reported need to be on the lasted dev release. (include the patch being created).
2) If you need to change the status (or do something you can't do by editing the comment), it's acceptible to just create a new (empty) comment with that change.
:)
thanks!
Comment #4
davidwbarratt CreditAttribution: davidwbarratt commentedindytechcook,
What if you want to alter the title in a bean plugin?
Can the check_plain() be called before it's handed off to the plugin?
It seems like adding a field is a poor work around for plugin makers who just want to alter the title before display (on the plugin level).
thanks!
Comment #5
indytechcook CreditAttribution: indytechcook commented@davidwbarratt
I see what you are saying, the problem is that that title of the block/page is not accessible via the plugins. I can see the merit of a feature request allowing bean atributes to be accesible via a plugin but that's not something that really fits in with the current architecture of bean.
I did move the check_plain into the entity class so if you do a hook_entity_alter and change the class used to handle the entity you can override the behavior.
http://drupal.org/commitlog/commit/22232/0fdeca3fc6078df625784e5db881018...
Comment #6
davidwbarratt CreditAttribution: davidwbarratt commentedI see,
well, the title was available to plugins in something like this:
This worked before the update, will this work now with the commit you just pushed?
I'm assuming it will since the check_plain() is happening when the entity is being loaded, rather than on display, but I just want to make sure before breaking anything.
Also, thanks for all of your help and support, it really means a lot to have incredible project maintainers like yourself in the Drupal community.
thanks!
Comment #7
indytechcook CreditAttribution: indytechcook commentedYeah, I do agree on this. I removed that code. The original security issue was for the bean_type pages.
http://drupal.org/commitlog/commit/22232/643f17c54aead9966ef2ce6535d917d...
Comment #8.0
(not verified) CreditAttribution: commentedRemoved the part about patch being included, didn't know the issue # so couldn't provide the patch as specified in the 'submitting patches' article for drupal modules.