Follow-up to #1825952: Turn on twig autoescape by default
Non-technical explanation
After #2264041: Add a test to ensure title callbacks are not vulnerable to XSS proved that even battle-hardened core developers can't write XSS-free code, we introduced #1825952: Turn on twig autoescape by default to fix a torrent of security holes already present in core, known and unknown, and to avoid the most frequent kind of security hole in the history of Drupal contrib. However, this has broken some places that were already securely written, resulting in broken layout and HTML tags shown to users as literal text. We need to find those places and update them to be compatible with the new method.
Problem/Motivation
#1825952: Turn on twig autoescape by default fixed escaping globally and caused HTML escaping in places where we explicitly set HTML in a variable. This was expected. The patch was an absolute must, and avoiding or fixing all affected paths up front would have taken a lot of time and made an already big patch impossible to review and commit.
Instead we have opted to go ahead with this and let people find the broken pages. If people had cared to review patches this could have been avoided, but we know this is a no-go, so instead we forced it.
@ti2m found escaped strings on several paths:
Another (and the last) update on the crawled URLs. I enabled all modules on a fresh install and crawled the site as user 1. I only found two more URLs with escaped strings (first two in the list below). But the general problem is that e.g. node edit forms aren't covered at all, as no node exists on a vanilla install. I could post a file with all covered URLs, roughly 300, if anyone is interested.
The total list of URLs with escaped HTML strings that I found:
- /admin/config/regional/translate/settings
- /admin/config/development/logging
- /admin/modules/uninstall
- /admin/config/regional/date-time/formats/add
- /admin/config/regional/date-time/formats/manage/long
- /admin/config/people/accounts/fields/user.user.user_picture
- /admin/config/content/formats/manage/basic_html
- /admin/structure/block
- /admin/structure/block/list/seven
- /admin/structure/views/nojs/rearrange-filter/frontpage/page_1
- /admin/structure/menu/manage/footer
- /filter/tips
- All 'manage fields' pages (ref: Screenshot)
Proposed resolution
If at all possible move all markup into a Twig template. If not then please read https://www.drupal.org/node/2311123 for alternative solutions. See aneek's patch at #2305831-35: Double escaping on /admin/modules/uninstall for an example.
Remaining tasks
Change the offending pieces to properly use Twig templates, or use inline templates as described in https://www.drupal.org/node/2311123.
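As an added illustration of the fix described in "Proposed resolution" and "Remaining tasks" (example code written for this summary, not a patch from the issue), the following contrasts the broken pattern with the inline-template pattern. The `example_item` theme hook and the function names are hypothetical; the inline_template render element and its `#template`/`#context` keys are standard Drupal 8 render API.

```php
<?php
// Added example, not from the issue or from any core patch.

// BEFORE: HTML assembled in PHP and handed to a Twig template as a plain
// string variable. With autoescape on, `{{ description }}` in the template
// escapes the tags, so users see "&lt;em&gt;...&lt;/em&gt;" as literal text.
function example_build_before(string $label, string $description): array {
  return [
    '#theme' => 'example_item',                      // hypothetical theme hook
    '#label' => $label,
    '#description' => '<em>' . $description . '</em>', // markup built in PHP
  ];
}

// AFTER: keep the markup in a template and pass only data into it.
// The <strong>/<em> tags are part of the template, so they render as HTML,
// while the values in #context still go through autoescape. Untrusted
// input in $label or $description cannot break out of the markup.
function example_build_after(string $label, string $description): array {
  return [
    '#type' => 'inline_template',
    '#template' => '<strong>{{ label }}</strong>: <em>{{ description }}</em>',
    '#context' => [
      'label' => $label,
      'description' => $description,
    ],
  ];
}
```

The same rule applies to full templates: move tags into the .html.twig file and print variables with `{{ }}`, rather than pre-rendering HTML into the variable in PHP.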