Problem/Motivation

The requirements that check for directory permissions in simpletest includes <code> tags which appear to be double escaped. You can get this message by setting the permissions of sites/simpletest to 444.

Proposed resolution

Move the HTML out of the arguments for t() and into the string.

Remaining tasks

User interface changes

API changes

I think this will cause translations to be out of date for these two strings. I'm not sure if that qualifies as API change or if a tag should be added to get this in front of the right people.

CommentFileSizeAuthor
#19 simpletest-double_escaped_requirements-2410031-19.patch1.61 KBrocketeerbkw
#12 double_escaped_requirements-2410031-10-after.jpg109.94 KBbiigniick
#11 double_escaped_requirements-2410031-10-before.jpg108.51 KBbiigniick
#10 simpletest-double_escaped_requirements-2410031-10.patch1.67 KBrocketeerbkw
#8 simpletest-double_escaped_requirements-2410031-8.patch1.37 KBrocketeerbkw
#8 Status_report___d8dev_dev.png39.28 KBrocketeerbkw
#4 simpletest-double_escaped_requirements-2410031-4.patch1.62 KBrocketeerbkw
#4 Screenshot 1:19:15, 5:49 PM.png37.1 KBrocketeerbkw
#1 simpletest-double_escaped_requirements-2410031-1.patch1.61 KBrocketeerbkw
#1 Screenshot 1:19:15, 12:19 AM.png37.13 KBrocketeerbkw
Screenshot 1:19:15, 12:14 AM.png37.32 KBrocketeerbkw

Comments

rocketeerbkw’s picture

rocketeerbkw commented
Assigned: rocketeerbkw » Unassigned
Issue summary: View changes
Status: Active » Needs review
StatusFileSize
new Screenshot 1:19:15, 12:19 AM.png37.13 KB
new simpletest-double_escaped_requirements-2410031-1.patch1.61 KB

There are two messages in simpletest.install but I was only able to trigger the first. I'm not sure the second one will ever fire and could be removed but that's probably another issues.

I expect this to break tests, but right now it takes more than an hour to run locally so I'll wait for testbot.

idebr’s picture

idebr commented
Parent issue: » #2297711: Fix HTML escaping due to Twig autoescape
idebr’s picture

idebr commented
Status: Needs review » Needs work

The error text has been changed from ./sites/simpletest to sites/simpletest. While this may be a change for the better, let's keep it out of scope of this issue and fix the double escaping first.

rocketeerbkw’s picture

rocketeerbkw commented
Issue summary: View changes
Status: Needs work » Needs review
StatusFileSize
new Screenshot 1:19:15, 5:49 PM.png37.1 KB
new simpletest-double_escaped_requirements-2410031-4.patch1.62 KB

Thanks! I added the prefix back. I've also updated the after screenshot.

idebr’s picture

idebr commented

I have been looking through the User interface standards but I could not find a reference on how to display paths/files. The meta issue suggests using a Twig inline template if you want to maintain markup, as documented here: https://www.drupal.org/node/2311123

I'm fine with dropping the <code> tag in favor of the <em> tag, but I'm not sure how it affects the scope of this issue. I'll leave this for someone else to review.

rocketeerbkw’s picture

rocketeerbkw commented
Status: Needs review » Needs work

I tried an inline template but it didn't fix the problem. I don't think this use case works like that. The problem that I found is that any time you use ! as a parameter in t() the string system expects you to mark it as safe somehow. So String::checkPlain() will mark strings safe if you're using it with t(), but since it concatenates <code> outside the call, the entire string isn't considered safe and it gets escaped.

So option one would be to do String::checkPlain('<code>./' . $site_directory . '< /code>') and this should fix the problem and it won't change any string translations.

But this technically violates the best practices for t(). I think according to https://www.drupal.org/node/322774 the <code> tags should be in the string itself. So something like <code>@sites-simpletest< /code> and then just '@sites-simpletest' => $site_directory;

To keep the scope as small as possible, it sounds like the first option is best? It fixes the escaped HTML and doesn't change strings for translation. Then another issue for fixing the "correctness?"

subhojit777’s picture

subhojit777
he/him
Primary language Bengali
commented

I was not able to replicate the problem. Everytime I am doing chmod 444 -R sites/simpletest, after I open a new page the permission gets back to 777

rocketeerbkw’s picture

rocketeerbkw commented
Issue summary: View changes
Status: Needs work » Needs review
StatusFileSize
new Status_report___d8dev_dev.png39.28 KB
new simpletest-double_escaped_requirements-2410031-8.patch1.37 KB

Option one from #6 doesn't work (obviously in hindsight) because String::checkPlain() escapes the HTML, but that's the problem in the first place. So I went with option two, moving the HTML into the string instead of the argument.

For replicating the problem, if apache is set as the owner of the directory, it can change permissions back to the correct values. On my local install, the files are owned by my user account, and the apache user isn't in the group I have set either.

idebr’s picture

idebr commented

@rocketeerbkw It appears there is an issue with the line endings in your patch. Can you check if your git configuration matches the recommended git settings: https://www.drupal.org/documentation/git/configure

rocketeerbkw’s picture

rocketeerbkw commented
Issue summary: View changes
StatusFileSize
new simpletest-double_escaped_requirements-2410031-10.patch1.67 KB

Thanks, not sure why that got messed up.

biigniick’s picture

biigniick commented
Status: Needs review » Reviewed & tested by the community
StatusFileSize
new double_escaped_requirements-2410031-10-before.jpg108.51 KB

double post on accident...

biigniick’s picture

biigniick commented
StatusFileSize
new double_escaped_requirements-2410031-10-after.jpg109.94 KB

seems to be working for me.

- nick

Before
After

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work 
+++ b/core/modules/simpletest/simpletest.install
@@ -71,8 +71,8 @@ function simpletest_requirements($phase) {
-      'description' => t('The testing framework requires the !sites-simpletest directory to exist and be writable in order to run tests.', array(
-        '!sites-simpletest' => './&#039; . String::checkPlain($site_directory) . &#039;',
+      'description' => t('The testing framework requires the ./!sites-simpletest directory to exist and be writable in order to run tests.', array(
+        '!sites-simpletest' => String::checkPlain($site_directory),

@@ -81,8 +81,8 @@ function simpletest_requirements($phase) {
-      'description' => t('The file !file does not exist and could not be created automatically, which poses a security risk. Ensure that the directory is writable.', array(
-        '!file' => './&#039; . String::checkPlain($site_directory) . &#039;/.htaccess',
+      'description' => t('The file ./!file/.htaccess does not exist and could not be created automatically, which poses a security risk. Ensure that the directory is writable.', array(
+        '!file' => String::checkPlain($site_directory),

Convert to an @ and remove the String::checkPlain() would work best. This is fine because nothing inside the code tags is translated.

Something like:

      'description' => t('The file @file does not exist and could not be created automatically, which poses a security risk. Ensure that the directory is writable.', array(
        '@file' => './&#039; . $site_directory . &#039;/.htaccess',
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

Actually the file name is not code so it should not be wrapped in code tags anyway. It should be wrapped in placeholders.

This would then match system_requirements()

      $conf_errors[] = t("The directory %file is not protected from modifications and poses a security risk. You must change the directory's permissions to be non-writable.", array('%file' => $conf_path));

Plus adding the ./ is weird and unnecessary.

rocketeerbkw’s picture

rocketeerbkw commented
Status: Needs work » Needs review

@alexpott my patch from #1 addressed your comments in #14 but it was "out of scope" according to #3.

So either #1 or #10 are ready. My vote was always #1.

biigniick’s picture

biigniick commented
Status: Needs review » Reviewed & tested by the community

Both #1 or #10 work for me

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work

Can someone re-upload the patch in 1 so that the correct rtbc patch is the latest in the issue?

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

This is because testbot retests the rtbc queue - only the latest patches.

rocketeerbkw’s picture

rocketeerbkw commented
Status: Needs work » Needs review
StatusFileSize
new simpletest-double_escaped_requirements-2410031-19.patch1.61 KB

This is the same patch from #1.

rocketeerbkw’s picture

rocketeerbkw commented
Status: Needs review » Reviewed & tested by the community

RTBC based on #16

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed

Committed 397f4a6 and pushed to 8.0.x. Thanks!

  • alexpott committed 397f4a6 on 8.0.x 
    Issue #2410031 by rocketeerbkw, BiigNiick: Simpletest install...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.