Problem/Motivation
If a block's admin title contains text such as ' (an apostrophe), then when the block is disabled that character is double-escaped.
E.g., not disabled:
This block's great!
Disabled:
This block's great! (disabled)
Steps to reproduce
From #18:
Steps to test:
1. Go to the admin site.
2. Go to /admin/structure/block/list/bartik.
3. Click on Place block.
4. Pop-up will open, click on Add custom block.
5. Add a custom block, use a title with characters that are HTML escaped, and click on save.
6. Select the region where it should display and click on save block.
7. Click on Configure, select disable.
8. Verify.
Proposed resolution
From #8:
The #plain_text is meant to escape $info['label'], so this is introducing an XSS sanitization bypass. The problem is having #plain_text used for a field that might sometimes contain:
$this->t('@label (disabled)', ['@label' => $info['label']])
@placeholders also do their own plain-text escaping, so that means it happens twice for that case. So we still need it to be escaped at least once when the block is rendered.
An alternative would be to rewrite it with something like:
```php
if ($info_status) {
  // Enabled: #plain_text escapes the raw label once at render time.
  $form[$entity_id]['info']['#plain_text'] = $info['label'];
}
else {
  // Disabled: the @label placeholder already escapes the label, so use
  // #markup here to avoid escaping it a second time.
  $form[$entity_id]['info']['#markup'] = $this->t('@label (disabled)', ['@label' => $info['label']]);
}
```
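To make the double escaping concrete, here is an added example (not Drupal core code and not the patch from this issue) that models the two escaping steps with PHP's htmlspecialchars(), the call Drupal's Html::escape() wraps. The helper names escapePlainText(), formatWithPlaceholder() and check() are assumptions standing in for what #plain_text does at render time and for $this->t() with an @placeholder; the sample labels are constructed.

```php
<?php
// Added example, not Drupal core code: a minimal model of the two escaping
// steps described above. escapePlainText() stands in for what #plain_text
// does at render time; formatWithPlaceholder() stands in for $this->t()
// with an @placeholder. Both helpers are assumptions for illustration.

function escapePlainText(string $text): string {
  // Same call Drupal's Html::escape() makes: ' becomes &#039;, & becomes &amp;.
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function formatWithPlaceholder(string $pattern, array $args): string {
  // @placeholders are plain-text escaped before being substituted.
  $replacements = [];
  foreach ($args as $key => $value) {
    $replacements[$key] = escapePlainText($value);
  }
  return strtr($pattern, $replacements);
}

function check(string $what, string $actual, string $expected): void {
  // Fail loudly if the model does not produce the string we reason about.
  if ($actual !== $expected) {
    throw new RuntimeException("$what: got [$actual], expected [$expected]");
  }
  echo "$what: $actual\n";
}

// Constructed sample label with a character that HTML-escapes (the issue's own example).
$label = "This block's great!";

// Enabled block: #plain_text escapes the raw label exactly once.
check('enabled', escapePlainText($label), 'This block&#039;s great!');

// Disabled block, original code: the @label placeholder escapes the apostrophe,
// then #plain_text escapes the resulting & again, so the browser shows "&#039;".
check(
  'disabled, double escaped',
  escapePlainText(formatWithPlaceholder('@label (disabled)', ['@label' => $label])),
  'This block&amp;#039;s great! (disabled)'
);

// Disabled block, proposed fix: the placeholder-escaped string goes into
// #markup and is not escaped a second time.
check(
  'disabled, escaped once',
  formatWithPlaceholder('@label (disabled)', ['@label' => $label]),
  'This block&#039;s great! (disabled)'
);

// A label containing markup is still neutralised on both paths, which is the
// property the comment above is concerned about keeping.
$markupLabel = '<b>not bold</b>';
check('enabled, markup label', escapePlainText($markupLabel), '&lt;b&gt;not bold&lt;/b&gt;');
check(
  'disabled, markup label',
  formatWithPlaceholder('@label (disabled)', ['@label' => $markupLabel]),
  '&lt;b&gt;not bold&lt;/b&gt; (disabled)'
);
```

Run it with php on the command line; each check echoes the escaped string or throws if the model disagrees with the expected value. The model leaves out one detail of the real render pipeline: a plain string under #markup is still passed through Xss::filterAdmin() by the renderer, whereas the TranslatableMarkup object that t() returns implements MarkupInterface and is rendered as-is, so in the proposed branch the single placeholder escape is the only escaping the disabled label receives.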
Before patch:
After patch:
Remaining tasks
Write patch
Write tests
Review
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
None