Scald's documentation (https://drupal.org/node/1801156) says that if a text field contains SAS, the SAS is rendered back to markup first, and "After that, the field value is sent to the Drupal filter system."

However, Drupal's input filters process the text field before Scald receives it. This can cause a problem where the filtered SAS cannot be recognised and converted to HTML by Scald (see issue https://drupal.org/node/2211781).

I cannot find any documentation explaining the interaction between Drupal's field attach API and formatters, but using debug statements I see that when a node with a text field is displayed, the order of execution is:
- text_field_load()
- hook_field_display_alter() - called several times
- text_field_formatter_view()
- hook_field_attach_view_alter() - Scald uses mee_field_attach_view_alter() to render SAS -> HTML

text_field_formatter_view() calls _text_sanitize(), which runs the filters on the text.

Can Scald be changed to use a different hook to render the SAS before the filters change it?

I'm struggling to understand what hook should be used when for what, but I see that hook_field_display_alter() fires earlier, and looking at its arguments the text is still the raw value, before any filters have processed it.

Alternatively could the SAS -> HTML conversion be handled by an input filter, so we can use the admin UI to set it to run before the other input filters?

Comments

DeFr

Category: Bug report » Support request

The documentation is incorrect, and the code is right: there's a whole lot of users out there that are using Scald explicitly to allow users to embed various things that use really unsafe HTML markup (pretty much all the video providers moved on to embedding to have a compatibility layer for mobile and tablet browsers) without allowing users to embed just any , which would be a big security hole.
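
The ordering trade-off described in the comment above, as an added sketch that is not part of the thread and is not Scald or Drupal code. The `[atom=N]` token, the `ATOMS` table, the iframe markup and the toy filter are constructed assumptions used only to show why rendering atoms after the input filters keeps user-typed markup blocked.

```python
import html
import re

# Constructed stand-ins for this sketch: not Scald's real SAS grammar,
# atom storage, or Drupal's filter implementation.
ATOMS = {"7": '<iframe src="https://video.example/embed/7"></iframe>'}
TOKEN = re.compile(r"\[atom=(\d+)\]")
DEFAULT_TAGS = ("p", "em", "strong")

# Constructed input: one atom token plus raw markup typed by the user.
SAMPLE = ('<p>Clip: [atom=7]</p>'
          '<iframe src="https://untrusted.example/x"></iframe>')


def render_atoms(text):
    """Swap each known token for markup the site itself controls."""
    return TOKEN.sub(lambda m: ATOMS.get(m.group(1), ""), text)


def input_filter(text, allowed=DEFAULT_TAGS):
    """Toy filter: escape everything, then restore allow-listed tags.

    Attributes on restored tags are not checked; a real filter must do that.
    """
    escaped = html.escape(text, quote=False)
    tags = "|".join(allowed)
    return re.sub(rf"&lt;(/?(?:{tags})(?: [^&]*)?)&gt;", r"<\1>", escaped)


def filters_then_atoms(text):
    """Order reported in the thread: filters first, atom rendering last."""
    return render_atoms(input_filter(text))


def atoms_then_filters(text, allowed=DEFAULT_TAGS):
    """Reverse order: atom markup must survive the user-facing filter."""
    return input_filter(render_atoms(text), allowed)


if __name__ == "__main__":
    print("filters -> atoms :", filters_then_atoms(SAMPLE))
    print("atoms -> filters :", atoms_then_filters(SAMPLE))
    print("atoms -> filters (iframe allowed):",
          atoms_then_filters(SAMPLE, DEFAULT_TAGS + ("iframe",)))
```

In the reverse order the atom only renders if the filter's allow-list is widened, and the widened list then passes the user-typed iframe as well.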

jcisio

Component: Media Editorial Element » Documentation
Category: Support request » Task

So we need to change the documentation.

A few solutions that I can think of:

- An option to disable SAS to HTML conversion, and a filter to do that (the filter should always be the last to run, for the above stated security reason). That won't change much however, because other filters are executed before the Scald filter.
- Don't use "Convert URLs into links" or any sensitive filter. In the HTML format with a rich text editor, you really don't need it BTW (links are converted on paste). Or use a filter that doesn't convert text surrounded by "..." into a link.

davidhk

Thanks for the replies.

See if I understand the problem - if I have a Scald "SAS to HTML" filter run first, then the "Convert URLs into links" after it as the last filter to run, is the problem that it could mess up the HTML markup that the Scald filter just inserted? Or is there something more serious that I'm missing? (I'm still finding my way around, so apologies for dumb questions).

A possible benefit of a Scald filter would be to make it easier for new users (new to Scald, but already familiar with Drupal) to find their way around. When I first installed and started testing, I typed in some simple SAS to a text field and expected it to show the atom when I saved the node. When it didn't I thought "I'll need to turn on the input filter" and went looking for it. It was some time later I found instead that I needed to enable the mee module, and enable dnd on the text field to have the SAS display as an atom. That still doesn't seem an intuitive setup. I imagined that when I installed the core Scald module, there would be a new input filter available that handled the SAS to HTML conversion.

Regards, David

jcisio

Status: Active » Fixed

I've just corrected the documentation, feel free to modify it again if something is not clear. This is a documentation issue, so I'm closing it. For the filter, there is #2007740: Create a scald filter so that it works with things other than text fields (I agree that it could be an option).

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.