Problem/Motivation

drupal_set_message(t('whatever') is a common pattern in contrib. We are currently double-escaping this strings if they contain links, even if we use the recommended way ([#322774])

We need to allow this or document the proper way of getting the same message.

Proposed resolution

TBD

Remaining tasks

TBD

CommentFileSizeAuthor
#8 Translations for Content view Site-Install.png31.41 KBpenyaskito
#3 Screen Shot 2014-08-23 at 12.59.14 PM.png85.5 KBwebchick
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm commented
Category: Task » Bug report

Hm, this shouldn't be happening. Anything that goes through t() should be in the safe list.

penyaskito’s picture

penyaskito
he/him
Primary language Spanish
Location 🧑🏽‍🌾Seville 💃, Andalusia 🇪🇸, UTC+2 🇪🇺
CreditAttribution: penyaskito commented

Did a quick check, and cannot reproduce. I will check the original code that made this happen last time and see if I can reproduce it there.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
FileSize
Screen Shot 2014-08-23 at 12.59.14 PM.png85.5 KB

I see it during install if there's an error:

Escaped HTML in error message.

iMiksu’s picture

iMiksu
Location Finland
CreditAttribution: iMiksu commented

I also get during installation when it reports that settings.php is not writeable.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Priority: Major » Critical

Clearly a release blocker.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Status: Active » Closed (duplicate)

See #2317281: Double escaping of install errors for the installation process.

drupal_set_message(t()) is not a problem by design.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Sydney, Australia
CreditAttribution: jibran commented
Issue tags: +SafeMarkup
penyaskito’s picture

penyaskito
he/him
Primary language Spanish
Location 🧑🏽‍🌾Seville 💃, Andalusia 🇪🇸, UTC+2 🇪🇺
CreditAttribution: penyaskito at Cocomore AG commented
Issue summary: View changes
Status: Closed (duplicate) » Active
FileSize
Translations for Content view Site-Install.png31.41 KB

Sorry, but I'm reopening this one again.

      drupal_set_message($this->t('In order to translate configuration, the website must have at least two <a href="!url">languages</a>.', array('!url' => $this->url('entity.configurable_language.collection'))));

This code double-escapes the message, as seen on #2139185: Notify users when landing on config translation page with only one language listed:

Edited: wrong embedded image

penyaskito’s picture

penyaskito
he/him
Primary language Spanish
Location 🧑🏽‍🌾Seville 💃, Andalusia 🇪🇸, UTC+2 🇪🇺
CreditAttribution: penyaskito at Cocomore AG commented
Status: Active » Closed (duplicate)

Interesting,

       drupal_set_message($this->t('In order to translate configuration, the website must have at least two <a href="@url">languages</a>.', array('@url' => $this->url('entity.configurable_language.collection'))));

Using @uri instead of !uri works. I expected it to escape the uri, not the full string.
https://www.drupal.org/node/2445441 documents this properly.