Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
(name of function/class::method that calls it) calls SafeMarkup::set() which is meant to be for internal use only.
Proposed resolution
- Remove the call by refactoring the code.
- If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.
Remaining tasks
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
Manual testing steps (for XSS and double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Compare the output above in HEAD and with the patch applied. Confirm that there is no double-escaping.
- If there is any user or calling code input in the string, submit
alert('XSS');and ensure that it is sanitized.
User interface changes
N/A
API changes
N/A
Comment | File | Size | Author |
---|---|---|---|
#9 | remove_safemarkup_set-2501819-9.patch | 787 bytes | leslieg |
#6 | remove_safemarkup_set-2501819-6.patch | 850 bytes | leslieg |
#2 | search_embedded_form-2501819-2.patch | 986 bytes | leslieg |
Comments
Comment #1
leslieg CreditAttribution: leslieg as a volunteer commentedWorking on removing SafeMarkup::set in search_embedded_form_preprocess_search_result() as part of NHDevDays2
Comment #2
leslieg CreditAttribution: leslieg as a volunteer commentedchanged safemarkup::set to safemarkup::format
Comment #4
star-szrIt looks like this got mixed up with another patch, author_attributes shouldn't be here.
Comment #5
star-szrComment #6
leslieg CreditAttribution: leslieg as a volunteer commentedFixed issue with inadvertent mix of commits
Comment #8
star-szr$drupal_render -> drupal_render (better yet, use the render service directly).
Comment #9
leslieg CreditAttribution: leslieg as a volunteer commentedUpdated patch with suggestions from @joelpittet
Comment #10
joelpittetSweet just need to double check that worked out for real. Nice to see that come back green thanks @leslieg
Comment #11
edysmpThe preprocess is not used, not able to reproduce against HEAD, new patch remove the preprocess attach
Comment #12
joelpittet@edysmp It's used for a test but this will be interesting to see what testbot says about that...
Comment #14
joelpittetNow realizing this is just in a test, doesn't need manual testing. RTBC #9
Comment #15
xjmThanks @joelpittet -- this is indeed only a test module used to support
Drupal\search\Tests\SearchEmbedFormTest
, which is kind of a weird and oddly specific test to begin with.Whenever we change test code it's good to look at what the intent of the test is and ensure that any changes are in line with that. In this case, the test dates back to the D7 cycle in #497206: Avoid search conflicts with other forms, use menu API instead of search_get_keys(). Looking at that issue and the assertions in the test, it's clear that the intent is just to make sure the form submission works, so it's not worth the effort to improve the themeable output of the test module to best practices!
Given that, the minimal fix from #9 is fine (I especially like that we got rid of that dangling
drupal_render()
!). And the fact that the test passes is indeed the confirmation we need in this case rather than manual testing.This issue only changes test code and it is a required part of a critical issue, so per https://www.drupal.org/core/beta-changes, this can be completed any time during the Drupal 8 beta phase. Committed and pushed to 8.0.x.