Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
When viewing the forum list, if there are replies that have not been viewed, the markup for the list of links to the new replies is escaped. See attached screenshot.
Proposed resolution
Convert the 'data' value from a string to an array that uses '#markup' on line 509 of forum.module
Remaining tasks
Comment | File | Size | Author |
---|---|---|---|
#35 | forum_new_replies-2488886-35.patch | 1.12 KB | joelpittet |
#32 | 2488886-30-tests-only.patch | 527 bytes | mikeker |
#26 | 2488886-26-_forum-list-escaping.patch | 1.12 KB | mikeker |
#14 | forum-2488886-14.patch | 3.58 KB | colinafoley |
#14 | forum-2488886-test-only-14.patch | 3.06 KB | colinafoley |
Comments
Comment #1
colinafoley CreditAttribution: colinafoley commentedI have solved the issue and written test coverage.
Comment #2
colinafoley CreditAttribution: colinafoley commentedComment #3
colinafoley CreditAttribution: colinafoley commentedHere's the patch.
Comment #4
colinafoley CreditAttribution: colinafoley commentedComment #8
colinafoley CreditAttribution: colinafoley commentedRewrote assert to rely on xpath instead of strings.
Comment #9
star-szr:)
Comment #10
Wim LeersLooks great, pretty much only nitpicks :) Hopefully it comes back green!
Nit: Missing trailing periods.
More important: they have different sets of permissions, but have the same description.
Now 2 test users are being created.
Missing trailing period.
Just saying "Create comment." once should be sufficient.
Extraneous newline addition.
Comment #12
colinafoley CreditAttribution: colinafoley at Lehigh University commentedFixed the style changes
Comment #13
Wim LeersComment #14
colinafoley CreditAttribution: colinafoley at Lehigh University commentedAdding test only patch.
Comment #16
Wim LeersExcellent, thanks!
Comment #17
Wim LeersThis blocks #2082317: Forum history markers ("new" and "updated" markers, "x new posts" links) forces render caching to be per user, which in turn blocks #2429617: Make D8 2x as fast: Dynamic Page Cache: context-dependent page caching (for *all* users!).
Comment #18
Wim LeersComment #19
colinafoley CreditAttribution: colinafoley at Lehigh University commentedComment #20
anavarreCould be fixed on commit but I think s/Login/Log in would be more accurate (verb instead of noun).
Comment #21
Fabianx CreditAttribution: Fabianx for Acquia commentedRTBC + 1
Comment #22
larowlannit:Needs a doc block
Comment #23
xjm(Embedding the screenshot, fixing the patch files order, adding reviewer credit.)
Comment #24
xjmThanks for the patch and screenshots. I verified in context that the text within this markup is composed of strings properly sanitized earlier in the code flow:
I'm slightly concerned in general that using
#markup
is proliferating a bit and could be used as a pattern that people apply to keep their stuff from being escaped without thinking about sanitization, especially here where the content is being composed with concatenations stretched out across numerous lines, but that's probably too wide a scope to address here, especially given that this is blocking other work.However, I found a couple more minor issues with the patch, which I think with #20 and #22 are enough that we should probably clean them up before committing:
So, this is very minor, but the assertions aren't actually verifying a message not escaped. They're verifying the correct markup for the message is present, or that said markup is not escaped. (I misunderstood at first and thought that we were deliberately not escaping the text itself, which seemed wrong.)
Why is this method called
testHistory()
? It has nothing to do with the history as far as I can see.So let's clean those things up here. Thanks!
Comment #25
Fabianx CreditAttribution: Fabianx for Acquia commentedI agree with xjm here,
Lets use:
Using #markup would soon be unsupported anyway ...
In my RTBC + 1 I mainly looked at the tests ... Should've caught that ...
Ever since effulgentsia fixed SafeMarkup::format() to work like an auto-escape filter, it is a wonderful way to use to fix double-escaping issues in a secure way.
Comment #26
mikeker CreditAttribution: mikeker as a volunteer commentedMarked #2636074: forum-list.html.twig replies are double escaped as a dup of this issue. Removed the blocker tag since we managed to release 8.0.0 without this fix... :)
I've also opened #2642450: template_preprocess_forums generates too much HTML to address further cleanup of the forum preprocess functions -- there's a lot of HTML generated in the preprocess functions which makes it harder for custom themes to override.
This patch is from #2636074-4: forum-list.html.twig replies are double escaped and moves the verification into an existing tests which seems cleaner to me. Otherwise, the fix is nearly identical (this patch uses
#prefix
while #14 concatenates the two strings, see #2636074-7: forum-list.html.twig replies are double escaped for details).(FYI: credit to @joelpittet for this patch, not me...)
Comment #27
mikeker CreditAttribution: mikeker as a volunteer commentedPushing to major as #2636074: forum-list.html.twig replies are double escaped was major.
Comment #28
joelpittetThanks @mikeker:)
Comment #29
lauriiiWould it be possible to get test only patch for #26? Otherwise this looks RTBC for me!
Comment #30
mikeker CreditAttribution: mikeker as a volunteer commentedTests-only patch from #2636074-4: forum-list.html.twig replies are double escaped.
Comment #31
mikeker CreditAttribution: mikeker as a volunteer commentedTests-only patch from #2636074-4: forum-list.html.twig replies are double escaped.
Comment #32
mikeker CreditAttribution: mikeker as a volunteer commentedWow, double-posted and still managed to forget the file attachment somehow... :)
Comment #34
mikeker CreditAttribution: mikeker as a volunteer commentedBack to NR as this was from the tests-only patch...
Comment #35
joelpittetThanks @mikeker. Here's the patch again.
Comment #36
lauriiiThanks Joel!
Comment #37
alexpottI'm not sure that this fix is the best way to fix this BUT fixing forum markup is a much bigger and more complicated issue therefore I'm going to commit this bug fix as an interim fix. Ideally all the markup added in template_preprocess_forums() would be in twig templates.
Committed b422873 and pushed to 8.0.x and 8.1.x. Thanks!
Comment #40
joelpittetThank you @alexpott here's a follow-up #2650966: Forum - move markup from template_preprocess_forums() in twig templates
Comment #41
star-szrThanks @joelpittet closing that in favour of the one @mikeker opened in #26, #2642450: template_preprocess_forums generates too much HTML.
Comment #42
joelpittetAh I missed that in my quick up-skim. Good catch.