Descriptions shown in the data selector help fieldset display escaped HTML entities because check_plain() is applied twice: once in theme_rules_data_selector_help(), and once via the t() call in the Entity API module's entity_metadata_field_default_property_callback(), which sets the "description" property. For example:
Field <em class="placeholder">field_myfieldname</em>
Change this to display like:
Field field_myfieldname
| Comment | File | Size | Author |
|---|---|---|---|
| #23 | rules-autocomplete-escaped-html-1276740-23.patch | 1.38 KB | fearlsgroove |
| #1 | 1276740-data-selector-description.patch | 1.03 KB | solotandem |
Comments
Comment #1
solotandem: Attached 1-line patch replaces check_plain() with filter_xss_admin().
Comment #2
solotandem: Revised patch fixes another occurrence of the same issue.
Comment #3
klausi: Great, works for me.
Comment #4
fago: The question is where should the check_plain() happen? I don't think we should rely on the hook to provide just sanitized strings - for that any caller would have to provide it that way. Instead, we should check-plain on output and ensure nothing can go through.
Thus
- we should fix entity-api to not sanitize the strings going in the hook
- we should ensure it's checked everywhere it's output in rules
Comment #5
fago
Comment #6
solotandem: I also considered the question you pose in #4. However, it seems that filter_xss_admin() provides the security needed and allows for acceptable HTML entities (e.g. the "emphasis" tag around the field name). How would you duplicate the current functionality without declaring the "description" item in Rules? Or, is that not a concern?
Comment #7
fago: We can easily fix it to not contain escaped HTML in the Entity API, see attached patch. But I agree that using filter_xss() for the description, and 'check_plain' for the label in Rules does it too. Not sure whether HTML in descriptions really is something we should enforce, but at least it's working then even if people do not upgrade to the latest Entity API.
Though, let's use filter_xss() not filter_xss_admin() as it's more restrictive.
Comment #8
fago: OK, I've committed that patch to the Entity API + fixed the data selection autocompletion widget to not escape twice. Given those changes it works for me in all situations. Update to the latest Entity API dev version to test.
> But I agree that using filter_xss() for the description, and 'check_plain' for the label in Rules does it too.
I've not done so for now, as usually there shouldn't be HTML in there anyway.
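The double escaping described in the issue summary, and the "sanitize once, at output" rule argued in #4 and adopted in #8, as an added stand-alone example that is not code from the Rules or Entity API projects. check_plain_stub() reproduces what Drupal 7's check_plain() does (htmlspecialchars with ENT_QUOTES and UTF-8); t_placeholder_stub(), the two hook_description_* functions and theme_description_stub() are simplified hypothetical stand-ins for the hook and theme layers, not the real functions named in the thread:

```php
<?php
// Added example, not Rules or Entity API code. Shows why escaping in the hook
// AND at output renders tags as text, and why escaping once at output is
// enough. All functions below are stand-ins, named here for illustration.

// Equivalent of Drupal 7's check_plain(): escape for plain-text display.
function check_plain_stub($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Emulates t('Field %name', ...): a %-placeholder is escaped and then
// wrapped in <em class="placeholder">, so the returned string is HTML.
function t_placeholder_stub($name) {
    return 'Field <em class="placeholder">' . check_plain_stub($name) . '</em>';
}

// BEFORE: the property-info hook hands back markup produced by t(); the
// theme layer then escapes it a second time and the browser shows the tags.
function hook_description_before($field) {
    return t_placeholder_stub($field);
}

// AFTER: the hook returns the raw description and leaves escaping to the
// renderer, which is the approach argued for in #4.
function hook_description_after($field) {
    return 'Field ' . $field;
}

// Output layer: escape exactly once, immediately before rendering.
function theme_description_stub($description) {
    return '<div class="description">' . check_plain_stub($description) . '</div>';
}

$field = 'field_myfieldname';

// Double escape: the literal text 'Field <em class="placeholder">...' appears
// on screen because the <em> markup was turned into &lt;em ...&gt;.
$before = theme_description_stub(hook_description_before($field));
assert(strpos($before, '&lt;em class=&quot;placeholder&quot;&gt;') !== FALSE);

// Single escape: the description renders as "Field field_myfieldname".
$after = theme_description_stub(hook_description_after($field));
assert($after === '<div class="description">Field field_myfieldname</div>');

// The one output-side escape still neutralises untrusted markup, which is why
// requiring the hook to pre-sanitise buys nothing (constructed sample input).
$untrusted = theme_description_stub('Field <script>evil()</script>');
assert(strpos($untrusted, '<script>') === FALSE);

echo $before, "\n", $after, "\n", $untrusted, "\n";
```

Run with `php example.php`. If, as discussed in #6 and #7, descriptions are allowed to carry limited markup such as `<em>`, the output-side call would be filter_xss() with an explicit tag list rather than check_plain(); the point that only the output layer sanitises stays the same.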
Comment #10
marcoscano: Hi, not sure if it's the good place for this, but:
With entity_api 7.x-1.0-rc1 and rules 7.x-2.0, I have a text-based email being sent with a value taken from the token from a date field. The result, in the body of the email, is:
<span class="date-display-single" property="dc:date" datatype="xsd:dateTime" content="2011-11-22T20:00:00+01:00">22/Nov/11 - 20:00</span>
instead of
22/Nov/11 - 20:00
Is this the same issue?
Comment #11
fago: no
Comment #12
dagomar: I have exactly this issue, even though it was closed a year ago. I'm on rules dev and entity api dev. I have no clue why this is happening. See attachment.
Comment #13
wbmstrss: I'm experiencing the same issue - seeing HTML in the select choices.
Core/Modules
Drupal 7.24
Rules 7.x-2.6
Entity API 7.x-1.2
Token 7.x-1.5+0-dev (2013-Oct-18)
Comment #14
wbmstrss: Update: found a thread discussing jQuery Update module issues and changed the configuration on my site to use jQuery 1.5 versus 1.7. After doing so, the Rules display is behaving normally and I actually can see the selectable list of data selectors now.
That selectable list of data selectors was not visible to me using jQuery 1.7, but I'm not familiar enough with D7 to jump to the conclusion that what I'm seeing is something wrong versus something I don't understand how to configure.
Comment #15
myselfhimself: Hello,
Thanks for the Rules module :-D !!!!!!!!
With jQuery 1.10 I unfortunately do see the HTML markup within the auto-complete suggestions...
Comment #16
brad.curnow: If you're using the jQuery Update module, go to the settings (D7: admin/config/development/jquery_update) and under "Alternate jQuery version for administrative pages" choose version 1.5 and it should work just fine.
BC
Comment #17
mvonfrie: I have exactly the same issue as @wbmstrss with jQuery 1.7 or newer. When I change it to 1.5 the data selection doesn't work at all anymore, even the arrow at the right of the textbox disappears.
Core/Modules
Drupal 7.27
Rules 7.x-2.6
Entity API 7.x-1.5
Token 7.x-1.5
Comment #18
VladimirAus: @mvonfrie click Save and after it gives you errors, the arrow will reappear.
Comment #19
kopeboy: Can we make it work with jQuery 1.7?
It's very annoying..
Comment #20
kopeboy: @VladimirAus
Clicking Save doesn't work on some conditions!
For example, if you try to create a condition of "Entity is of bundle", clicking Save will just reload the page with an error and still no data selectors.
I'm using jQuery 1.5 on admin pages (was using 1.7 before and the selector would appear but with raw HTML).
Comment #21
kristiaanvandeneynde: Have the same issue with jQuery 1.5, 1.7, 1.8 and 1.10
Comment #22
Funksmaname: I dunno why, but it seems that just now setting the main Drupal jQuery to 1.5 as well as admin to 1.5 and THEN changing the main version back to 1.10 makes the drop down not show HTML.
Though it worked previously on another site, trying to change ONLY the alternate version to 1.5 didn't seem to work on this site, but doing as above did...
Hope this helps?
---
I was wrong - the thing hadn't refreshed - when I set main to 1.10 and admin to 1.5 I get no drop down on Rules fields (the down arrow is gone).
Sorry - it only works if both main and admin are set to 1.5.
Comment #23
fearlsgroove: The root of this issue is that newer versions of jQuery UI use "ui-autocomplete" instead of "autocomplete" for namespacing things like classes and local data, so the _renderItem (and close()) hacks Rules is using don't work.
Here's some code that makes the Rules autocomplete hacks even uglier, but it works in every current version of jQuery Update.
Comment #24
kristiaanvandeneynde: It's impractical to try and keep your JavaScript compatible with all versions of jQuery, so ugly is allowed here I suppose :) Will try to test this patch after the weekend.
Comment #25
kristiaanvandeneynde: Tested and seems to work for me.
Comment #26
designerbrent: This seems to do the trick for me.
Comment #27
akosipax: Seems to be a duplicate of https://www.drupal.org/node/1810656
It has the same patch done.
Comment #28
das-peter: Works for me as well. Would like to see this in since more and more extensions are relying on newer jQuery versions.
Comment #29
DrCord: The fix in #23 worked for me as well.
Comment #30
fago: This is a duplicate of https://www.drupal.org/node/1810656