Prevent escaping of other patterns included in share #846
Conversation
@remydenton out of curiosity, would we be seeing this exact same issue in Pattern Lab / on the docs site if we enabled autoescaping in our Twig environment? Just wondering if enabling that would help prevent issues like these from popping up. The other thing I’m wondering: is this problem you’re outlining here happening in any other Bolt components as far as we know?
@sghoweri, both good questions.

On further thought, maybe Pattern Lab doesn't necessarily need to match Drupal autoescaping since they are both just consumers of Bolt. On the other hand, Drupal Lab, if we ever have the bandwidth to get it up and running, would be a better place to test for this kind of thing.
@remydenton marking this as approved per the chat we just had on this -- you can go ahead and merge this in, however we'll still need to work on a broader solution in PL to address the environment differences between here and Drupal
Jira
http://vjira2:8080/browse/WWWD-2454
Summary
Prevent auto-escaping of patterns included within the Share component
Details
Auto-escaping is not enabled in Pattern Lab, so you won't see this issue on the PL side.
Auto-escaping is enabled on the Drupal side, as it should be for security. However, one of the side effects of the way the escaping is done is that if you set a variable to the result of an include function, the output will be escaped HTML. In the example below, link1 will be escaped HTML, while link2 and link3 will print as rendered links.
This may actually be a bug in how Drupal's auto-escaping works since the result of an include function should be considered safe (as the examples for link2 and link3 above demonstrate). But, this PR gets the job done. If we choose this route, the rule of thumb is to never save the result of include() to a variable without printing it in Bolt components (use the technique for either link2 or link3 instead). The syntax for link1 is fine to use in Pattern Lab.
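As an added example that is not part of this PR or the Bolt codebase, the PHP script below reproduces the behaviour described above with Twig alone, so it can be run outside Drupal; the template names, the markup of the tiny link component and the extra `link4` capture-form case are assumptions of this example, not taken from the PR.

```php
<?php
// Added example (not Bolt's or Drupal's code): reproduces the Twig autoescape
// behaviour described in the PR. Template names and markup are hypothetical.
require __DIR__ . '/vendor/autoload.php';   // composer require twig/twig

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed templates: a minimal "link" component and a page that includes
// it in several ways, mirroring the link1/link2/link3 cases from the PR.
$loader = new ArrayLoader([
    'link.twig' => '<a href="{{ url }}">{{ text }}</a>',
    'page.twig' => implode("\n", [
        // 1. include() returns a plain string, so storing it in a variable
        //    loses the "safe" marking; printing the variable escapes the tags.
        '{% set link1 = include("link.twig") %}',
        'link1: {{ link1 }}',
        // 2. Printing include() directly: the function is registered as safe,
        //    so Twig does not escape its output a second time.
        'link2: {{ include("link.twig") }}',
        // 3. The include tag writes straight to the output, no escaping applied.
        'link3: {% include "link.twig" %}',
        // 4. Capture form of set (assumed extra case): Twig wraps the captured
        //    output in a Markup object, so it is still safe when printed later.
        '{% set link4 %}{{ include("link.twig") }}{% endset %}',
        'link4: {{ link4 }}',
    ]),
]);

// Autoescaping on, as in Drupal's Twig environment ('html' is Twig's default).
$twig = new Environment($loader, ['autoescape' => 'html']);

// Data passed into the component is still escaped exactly once inside
// link.twig; only link1 gets the unwanted second round of escaping.
echo $twig->render('page.twig', [
    'url'  => 'https://example.com/share?a=1&b=2',
    'text' => 'Share <this>',
]);
```

Compare the link1 line with the others in the output: the first shows the anchor as entities, the rest show a working link with its `&` and `<` still escaped inside the component.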
How to test
Reproduce the bug
Fix the bug