Problem/Motivation

In user_user_role_insert we create actions per user role being created. We do this like this:

    $action = entity_create('action', array(
      'id' => $add_id,
      'type' => 'user',
      'label' => t('Add the @label role to the selected users', array('@label' => $role->label())),
      'configuration' => array(
        'rid' => $role->id(),
      ),
      'plugin' => 'user_add_role_action',
    ));
    $action->trustData()->save();

At first sight the t() looks wrong because it means config will be saved with the translated text - but actually I think this is fine since the configuration entity will have the language that the user has when they create the role. But what is more problematic is saving the escaped role label. This causes two problems - double escaping on admin/people if the role label contains an & and also potentially getting out of sync with the role label if that changes.

Proposed resolution

no idea yet

Remaining tasks

Find a solution.

User interface changes

None

API changes

?

Data model changes

?

Why is this an RC target?

  • Escaping the role label during the creation of the action label leads to double escaping. This patch fixes 27 out of the 32 fails found by #2571065-14: Find escaping due to Twig autoescape. Without this patch going in we can't implement some sort of generic double escaping test for all of our WebTestBase tests.
  • Not keeping the action label in sync with the action label could result in a very confusing UI experience (image if role labels are swapped - yes that would be dumb but we all do dumb things sometimes)
  • The fix creates a generic solution for actions to add arguments for it's labels. Given how actions are created based on other config entities this is likely to be needed again
CommentFileSizeAuthor
#43 2597608-nr-bot.txt132 bytesneeds-review-queue-bot
#20 2597608-20.patch17.31 KBalexpott
#20 15-20-interdiff.txt1.29 KBalexpott
#15 2597608-15.patch17.24 KBalexpott
#15 14-15-interdiff.txt1.8 KBalexpott
#14 2597608-14.patch17.41 KBalexpott
#14 9-14-interdiff.txt2.86 KBalexpott
#9 2597608-9.patch16.7 KBalexpott
#9 2597608.test-only.patch5.02 KBalexpott
#9 7-9-interdiff.txt6.34 KBalexpott
#7 2597608-7.patch10.36 KBalexpott
#7 5-7-interdiff.txt3.6 KBalexpott
#5 2597608-5.patch7.43 KBalexpott
#5 2-5-interdiff.txt3.57 KBalexpott
#2 2597608-2.patch5.66 KBalexpott
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

alexpott created an issue. See original summary.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Active » Needs review
Issue tags: +Needs tests
FileSize
2597608-2.patch5.66 KB

Here's a stab at a solution that lets you keep the action label in sync with the role label.

There is one problem though if you install the Action module this lets you edit the label but because of the way ActionFormBase adds the label and then delegates to the plugin - the plugin can't affect the label form element - which we need to do otherwise the user will save the version with the label replaced.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Related issues: +#2571065: Find escaping due to Twig autoescape

This will solve a number of the escaping issues discovered by #2571065: Find escaping due to Twig autoescape which is how I came across this issue.

Status: Needs review » Needs work

The last submitted patch, 2: 2597608-2.patch, failed testing.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Needs work » Needs review
FileSize
2-5-interdiff.txt3.57 KB
2597608-5.patch7.43 KB

So this makes the form work - but atm you actaully can't save such an action because of dots in the machine name!

Status: Needs review » Needs work

The last submitted patch, 5: 2597608-5.patch, failed testing.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Needs work » Needs review
FileSize
5-7-interdiff.txt3.6 KB
2597608-7.patch10.36 KB

Fixing the tests

Status: Needs review » Needs work

The last submitted patch, 7: 2597608-7.patch, failed testing.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Needs work » Needs review
FileSize
7-9-interdiff.txt6.34 KB
2597608.test-only.patch5.02 KB
2597608-9.patch16.7 KB

Fix the last test fail and adding tests.

joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented 
+++ b/core/modules/user/user.module
@@ -988,7 +988,7 @@ function user_user_role_insert(RoleInterface $role) {
-      'label' => t('Add the @label role to the selected users', array('@label' => $role->label())),
+      'label' => t('Add the @role_label role to the selected users'),

@@ -1001,7 +1001,7 @@ function user_user_role_insert(RoleInterface $role) {
-      'label' => t('Remove the @label role from the selected users', array('@label' => $role->label())),
+      'label' => t('Remove the @role_label role from the selected users'),

I may be missing something here but doesn't this need the placeholder args?

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented

@joelpittet you are missing something!

+++ b/core/modules/system/src/Entity/Action.php
@@ -155,4 +159,24 @@ public static function sort(ConfigEntityInterface $a, ConfigEntityInterface $b)
+  /**
+   * @inheritDoc
+   */
+  public function label() {
+    $plugin = $this->getPlugin();
+    $label = new FormattableMarkup(parent::label(), $plugin->getLabelArguments());
+    // Remove the safeness from the label as the label can contain user input.
+    return PlainTextOutput::renderFromHtml($label);
+  }

This does the replacement when the label is used - not when the configuration entity is saved - thereby allowing the role label to change and be reflected in the action label.

The last submitted patch, 9: 2597608.test-only.patch, failed testing.

joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented

Oh wow that makes things complicated, I would have tried to fix that... bizarre.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
FileSize
9-14-interdiff.txt2.86 KB
2597608-14.patch17.41 KB

Improved comments to explain the point @joelpittet raises in #10.

Also since calling parent::label() in a method other than label is super ugly - wrapped this in a protected method. The only reason do this is because the labelling system is super flexible... and alterable on the entity type... 

  public function label() {
    $label = NULL;
    $entity_type = $this->getEntityType();
    if (($label_callback = $entity_type->getLabelCallback()) && is_callable($label_callback)) {
      $label = call_user_func($label_callback, $this);
    }
    elseif (($label_key = $entity_type->getKey('label')) && isset($this->{$label_key})) {
      $label = $this->{$label_key};
    }
    return $label;
  }

... if we didn't do this we could just do $this->label and access the property - and maybe we should just do this - since EntityTypeInterface::getLabelCallback() is deprecated.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
FileSize
14-15-interdiff.txt1.8 KB
2597608-15.patch17.24 KB

The idea of using $this-label() in #14 is a good one.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer and at Tag1 Consulting commented 
  1. +++ b/core/lib/Drupal/Core/Action/ActionInterface.php
@@ -63,4 +63,11 @@ public function executeMultiple(array $objects);
+   * Arguments for FormattableMarkup for a the label.

    that might be dawehner english but proper alexpott english, I'm not sure about that 

  2. +++ b/core/modules/action/src/ActionFormBase.php
@@ -91,7 +91,7 @@ public function form(array $form, FormStateInterface $form_state) {
     if ($this->plugin instanceof PluginFormInterface) {
-      $form += $this->plugin->buildConfigurationForm($form, $form_state);
+      $form = $this->plugin->buildConfigurationForm($form, $form_state);
     }

    This is technically an API change, right? 

  3. +++ b/core/modules/system/src/Entity/Action.php
@@ -155,4 +162,28 @@ public static function sort(ConfigEntityInterface $a, ConfigEntityInterface $b)
+      $label = new FormattableMarkup($label, $label_arguments);
+      // Remove the safeness from the label as the label can contain user input.
+      $label = PlainTextOutput::renderFromHtml($label);

    So yeah I'm wondering in which way we should separate the stored value from the resolved value ... maybe an getStoredValue() method, maybe don't change the label() behaviour but call out to a new method ... 

  4. +++ b/core/modules/user/src/Tests/UserAdminTest.php
@@ -95,6 +95,16 @@ function testUserAdmin() {
+    // Assert escaped correctly.

    Nitpick: its also xss filtered here

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Issue tags: +rc target triage
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented

So this is definitely a bug, but since it's confined to the creation and update of certain actions, I personally don't think it needs to be an RC target.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Issue summary: View changes

Added information about why this should be an RC target.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
FileSize
15-20-interdiff.txt1.29 KB
2597608-20.patch17.31 KB

Re #16

  1. Fixed
  2. Technically - but it is also a bug fix. The current code means that an action can only add new form elements whereas the interface implies that it should be able to change the initial form. I discussed this with @timplunkett and he agreed that this was correct.
  3. TBH I'm not really sure what you are suggesting here, but, I think just directly accessing $this->label to get the stored version is totally fine.
  4. Fixed
dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer and at Tag1 Consulting commented

ut, I think just directly accessing $this->label to get the stored version is totally fine.

Well, its protected ...

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented
Title: User role actions are created with a translated label » User role action labels get double-escaped and out of sync with the corresponding user role label
Issue tags: -rc target triage +rc target

This makes sense as an RC target to me, for the reasons mentioned in the issue summary. In a conversation today, @xjm agreed as well thanks to the clarifications since #18.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented 
  1. +++ b/core/lib/Drupal/Core/Action/ActionInterface.php
@@ -63,4 +63,13 @@ public function executeMultiple(array $objects);
+  public function getLabelArguments();

    I don't think we should add this to ActionInterface. Instead, I think we should make a new interface, such as FormattableLabelInterface or LabelWithPlaceholdersInterface. Then action plugin implementations can opt-in to that interface or not. And it becomes a pattern we can use for other plugin types. 

  2. +++ b/core/modules/system/src/Entity/Action.php
@@ -155,4 +162,28 @@ public static function sort(ConfigEntityInterface $a, ConfigEntityInterface $b)
+    if (!empty($label_arguments)) {
+      $label = new FormattableMarkup($label, $label_arguments);
+      // Remove the safeness from the label as the label can contain user input.
+      $label = PlainTextOutput::renderFromHtml($label);
+    }

    I think we should always PlainTextOutput::renderFromHtml() action entity labels, not make it conditional on there being arguments. 

  3. +++ b/core/modules/system/src/Plugin/views/field/BulkForm.php
@@ -292,7 +292,9 @@ public function viewsForm(&$form, FormStateInterface $form_state) {
-        '#options' => $this->getBulkOptions(),
+        // This is a select list therefore apply the plain text formatter to the
+        // the options which are escaped for display in HTML.
+        '#options' =>  array_map('\Drupal\Component\Render\PlainTextOutput::renderFromHtml', $this->getBulkOptions()),

    Doing the point above would allow us to remove this. 

  4. +++ b/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php
@@ -63,6 +73,14 @@ public function defaultConfiguration() {
+    // The label supports replacing @label with the role's label.
+    $form['label'] = array(
+      '#type' => 'textfield',
+      '#title' => $this->t('Label'),
+      '#default_value' => $this->configuration['original_label'],
+      '#maxlength' => '255',
+      '#description' => $this->t('A unique label for this advanced action. This label will be displayed in the interface of modules that integrate with actions. @role_label is replaced with the role\'s label.'),
+    );

    I don't like the competition of responsibility of the 'label' element between this and ActionFormBase::form(). Instead, what if we added getLabelArgumentsDescription() to LabelWithPlaceholdersInterface which could return the last sentence of the above description, and then ActionFormBase::form() could be responsible for setting the appropriate description based on whether the plugin implements LabelWithPlaceholdersInterface or not. That would also allow us to completely remove 'original_label' from this patch, because ActionFormBase::form() could set the default value to $this->entity->get('label').

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented

I think we should always PlainTextOutput::renderFromHtml() action entity labels, not make it conditional on there being arguments.

Actually, maybe that's wrong. But I think we should do something differently from what the patch is doing, because the meaning of a user-entered "<" character within an action label should not depend on whether the action plugin supports label arguments or not.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented

Something like:

PlainTextOutput::renderFromHtml(new FormattableMarkup(Html::escape($label), $label_arguments));

might be closer to what we want, in which case, that could be conditional on $label_arguments, because the above should be a no-op when $label_arguments is empty.

In which case, I'm also unclear on why #23.3 is needed at all.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented

If we do #25 (meaning, if the 'label' config property is intended to be interpreted as containing plain-text, not HTML), then we should also change:

+++ b/core/modules/user/user.module
@@ -988,7 +988,9 @@ function user_user_role_insert(RoleInterface $role) {
+      'label' => t('Add the @role_label role to the selected users'),

to:

'label' => PlainTextOutput::renderFromHtml(t('Add the @role_label role to the selected users')),

Because even though in this case, it might be unlikely that translators will add HTML here, the output of t() should always be treated as HTML, for consistency.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue tags: -rc target

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Julfabre’s picture

Julfabre CreditAttribution: Julfabre commented

UP

How can we help with the integration of this fix?

cilefen’s picture

cilefen CreditAttribution: cilefen as a volunteer commented

Consider the last few review comments then write a patch.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
Lendude’s picture

Lendude
Primary language Dutch
Location Amsterdam
CreditAttribution: Lendude as a volunteer and at iO commented
Related issues: +#3150316: Configured actions created by User module cannot be edited

Manually tested this, and this is still an issue. I think you could easily work around this and manually set this straight in the config entity after it got created, if it wasn't for #3150316: Configured actions created by User module cannot be edited which makes this impossible through the UI currently.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

needs-review-queue-bot’s picture

needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commented
Status: Needs review » Needs work
FileSize
2597608-nr-bot.txt132 bytes

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.