Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This was not taken care of in #1174756: Convert <head> markup to HTML5 to limit the scope of work, but the attribute is not needed and should be removed. See http://dev.w3.org/html5/spec/Overview.html#attr-script-type and http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1....
Comment | File | Size | Author |
---|---|---|---|
#28 | no-mail-test-1362974-28.patch | 10.44 KB | dcam |
#24 | remove-text-js-reroll-1362974-24.patch | 12.25 KB | dcam |
#24 | no-xss-test-1362974-24.patch | 11.28 KB | dcam |
#14 | remove_text_js_reroll-1362974-14.patch | 8.75 KB | tkrajcar |
#8 | remove_text_js.patch | 9.38 KB | droplet |
Comments
Comment #1
JacineHere's a first pass at a patch. Hopefully it passes. :P
Comment #2
JacineBTW, I'm not sure whether or not we need this line. It's there because I remember hearing something about it needing an empty array.... Need to come back to this and make sure.
Comment #3
rupl@Jacine, yes it needs to be there. Relevant comment from other issue: http://drupal.org/node/1174756#comment-4759566
Comment #4
JacineHa, thanks for tracking that down @rupl! I knew I read it somewhere ;)
Comment #5
droplet CreditAttribution: droplet commentedIt looks good. but what happen if we remove it:
testBot!! Please tell me :)
-3 days to next Drupal core point release.
Comment #6
droplet CreditAttribution: droplet commentedComment #8
droplet CreditAttribution: droplet commentedComment #9
cosmicdreams CreditAttribution: cosmicdreams commentedlooks like a nice patch. Does it need manual testing? I'll see if a reroll is necessary but this looks like it should be on a fast track to RTBC
Comment #10
droplet CreditAttribution: droplet commentedI think no manual testing needed.
Comment #11
Jacine@droplet Did you mean to set this to NW?
Comment #12
droplet CreditAttribution: droplet commentedoh, no. dedtior script changed :(
Comment #13
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedThis patch needs a reroll. Tagging novice to do a simple rebase:
Other than that, having:
Not sure if removing type="text/javascript" from the XSS tests is applicable - but that shouldn't make a difference anyway. Should we have the html corrector remove type="text/javascript" as a follow-up?
Comment #14
tkrajcar CreditAttribution: tkrajcar commentedRerolled.
Comment #15
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedThank you @tkrajcar. I'd totally RTBC this after this is clear: Do we now need
#attributes => array()
for anything, or not?Comment #16
tkrajcar CreditAttribution: tkrajcar commented@Niklas Fiekas, see #3 for the link to the convo where it is needed. I'm not savvy enough about the theme layer to know whether that's accurate or not, but that's what was referenced earlier. :-)
Comment #17
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedYeah ... me neither. The patch is green - so I wonder whether this is not true for our case.
Comment #18
droplet CreditAttribution: droplet commented@#13,
keep the XSS is not a bad idea. but I think somewhere we already have tests covered those attributes.
Comment #19
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedYeah. RTBC seconded.
Comment #20
nod_@Niklas Fiekas We might be needing #attributes later on, just not at this level.
agree with rtbc.
Comment #21
catchYeah I don't think this is the place to do that, XSS attacks might include type="text/javascript" so if anything I'd add to the existing tests rather than changing them. Either way can we split that to a new issue?
Comment #22
droplet CreditAttribution: droplet commentedXSS tests in CORE are so weak. only tested "SCRIPT" tag in title & path.
It used check_plain to compare the result, remove the type attribute is no harms. and a separated issue to enhance XSS test cases is required.
back to RTBC. ( welcome switch back to needs work, and I will reroll it again )
Comment #23
catchYeah sorry I'd really prefer to do that in another issue, even if it's harmless it is going to make for weird commit history.
Comment #24
dcam CreditAttribution: dcam commentedIf I'm understanding the discussion correctly, the changes to testTitleXSS() needed to be removed and handled in a separate issue.
The first patch is a reroll of #14 since the test files were moved. Plus, I removed type='text/javascript' from a few more lines that had been added to JavaScriptTest.php.
The second patch is the same as the first, but with the changes to the XSS tests in PageTitleFilteringTest.php removed.
Comment #25
dcam CreditAttribution: dcam commented#24: no-xss-test-1362974-24.patch queued for re-testing.
Comment #26
droplet CreditAttribution: droplet commentedno-xss-test-1362974-24.patch reviewed.
Comment #27
catchSorry same for this test, no need to remove the text/javascript there either:
Comment #28
dcam CreditAttribution: dcam commentedRemoved the Mail module test.
Comment #29
dcam CreditAttribution: dcam commented#28: no-mail-test-1362974-28.patch queued for re-testing.
Comment #30
droplet CreditAttribution: droplet commentedConfirm that removed.
Comment #31
catchLess bytes, wooo!
Committed/pushed to 8.x.