ability to escape disallowed tags


Comments

drumm’s picture

Status: Needs review » Needs work

Why is there an underscore at the end of $escape_?

Go ahead and fix the code style for $form['filter_html']["filter_html_$format"] (put each array element on its own line) instead of breaking up the option list by putting one on the next line.

Can the added if statement

+  if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE_DISALLOWED) {

be merged with the very similar one a bit further up?

In all new code, use 'filter_html_'. $format instead of "filter_html_$format".

Steven’s picture

Version: x.y.z » 6.x-dev
Priority: Critical » Normal

doq’s picture

Status: Needs work » Needs review
FileSize
3.84 KB

2 drumm:
Applied your suggestions.
"In all new code, use 'filter_html_'. $format instead of "filter_html_$format"." - but it is currently written as "filter_html_$format" in the code? I haven't changed that in the patch for now.

Steven’s picture

Actually, do we need a setting for this? Having the XSS filter just always escape invalid output would mean we can simplify some rules higher up too, I think. And in the end, the goal has never been to make invalid output look pretty—only to make it safe for viewing.

doq’s picture

But if you want to submit XML code, or sometimes there are some words with > etc.
The admin will choose what type of escaping to use, but I think this should be in core.
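
The two behaviours being weighed in the comments above (strip disallowed tags versus escape them), as an added example that is not part of the thread and is not Drupal's filter_xss(): the function name, the MODE_* constants and the sample input are hypothetical, and allowed tags are re-emitted without any attributes to keep the sketch safe.

```php
<?php
// Added illustration only; names below are hypothetical, not Drupal APIs.
const MODE_STRIP = 'strip';    // drop disallowed tags, keep their text
const MODE_ESCAPE = 'escape';  // show disallowed tags as literal text

function filter_disallowed_tags(string $html, array $allowed, string $mode): string {
  // Split into text and tag-like tokens; the capture group keeps the tags,
  // so even indexes are text and odd indexes are tags.
  $parts = preg_split('%(</?[a-zA-Z][^<>]*>)%', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
  $out = '';
  foreach ($parts as $i => $part) {
    if ($i % 2 === 0) {
      // Text between tags: stray "<" and ">" (e.g. "x > 0") and unterminated
      // tags are escaped in both modes; existing entities are left alone.
      $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8', false);
      continue;
    }
    preg_match('%^<(/?)([a-zA-Z][a-zA-Z0-9:-]*)%', $part, $m);
    $name = strtolower($m[2]);
    if (in_array($name, $allowed, true)) {
      // Allowed tag: rebuild it from the name alone, dropping all attributes.
      $out .= '<' . $m[1] . $name . '>';
    }
    elseif ($mode === MODE_ESCAPE) {
      // Disallowed tag: neutralise it but keep it visible to the reader.
      $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
    }
    // MODE_STRIP: the disallowed tag is dropped; its inner text survives.
  }
  return $out;
}

// Constructed sample: an XML snippet, a bare ">" and one allowed tag.
$input = 'Use <config><item>1</item></config> when x > 0, <b onclick="x()">bold</b>';
$allowed = ['b', 'em', 'strong'];

echo filter_disallowed_tags($input, $allowed, MODE_STRIP), "\n";
echo filter_disallowed_tags($input, $allowed, MODE_ESCAPE), "\n";
```

In strip mode the XML markup disappears from the rendered text, while in escape mode it is displayed literally; neither mode emits a disallowed tag as markup.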

chx’s picture

Status: Needs review » Needs work

I am neither for nor against this idea; the filter_xss doxygen needs an update and we need a proper diff with the -p option.

sun’s picture

Title: escape disallowed tags » Add disallowed tags setting to Escape all HTML filter
Version: 6.x-dev » 8.x-dev

jhedstrom’s picture

Version: 8.0.x-dev » 8.1.x-dev
Status: Needs work » Postponed (maintainer needs more info)

Not sure if this is still relevant or not?

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

Status: Postponed (maintainer needs more info) » Closed (outdated)

Closing as outdated since there hasn't been an update since this issue moved to PNMI 7 years ago.

Also, the filter module has gone through several changes (some pending) since this ticket was opened.

If still a valid issue, please reopen with an updated issue summary.