Score:1

Why is a single quote sign escaped inside a render element attribute?


When attribute text contains a single quote, like "It's a nice day", that single quote is escaped when rendered, to "It's a nice day". Why is that happening, and can it be prevented? Is Twig doing that escaping?

https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Template%21Attribute.php/class/Attribute/8.2.x

It says:

"The attribute keys and values are automatically escaped for output with Html::escape()."

and also:

"The attribute values are considered plain text and are treated as such. If a safe HTML string is detected, it is converted to plain text with PlainTextOutput::renderFromHtml() before being escaped."

Neither of those should do that conversion.

*Why is that happening and can it be prevented?* Because it takes only 2 seconds to see the massive security issue: `<a class="It's a nice day"...` vs. `<a class='It's no longer a nice day but a security issue by onclick='evilCode()'...` Do **NOT** prevent that.

Basically in 99 of 100 cases the answer to *Why is it escaped?* is *Because someone found a security issue* ;-)

I want a t-shirt with that on @Hudri, great phrase!
Score:0

Attributes built via the Attribute class are escaped.

The Attribute::__toString() code is the following one.

$return = '';

/** @var \Drupal\Core\Template\AttributeValueBase $value */
foreach ($this->storage as $name => $value) {
  $rendered = $value->render();
  if ($rendered) {
    $return .= ' ' . $rendered;
  }
}
return $return;

In a class that extends AttributeValueBase, for example AttributeString, render() contains the following code.

// The cast calls __toString(), which already escapes the value.
$value = (string) $this;
if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
  return Html::escape($this->name) . '="' . $value . '"';
}

AttributeString::__toString() contains the following code.

return Html::escape($this->value);

Html::escape() is called for the attribute name and its value. That's why, for an attribute built using code similar to the following one, single quotes inside the attribute name and value are escaped.

$attributes = new Attribute(array());
$attributes['id'] = 'socks';
$attributes['style'] = 'background-color:white';
echo '<cat ' . $attributes . '>';

AttributeArray::__toString() uses the following code.

// Filter out any empty values before printing.
$this->value = array_unique(array_filter($this->value));
return Html::escape(implode(' ', $this->value));

This means that for an attribute built using code similar to the following one, the attribute value is escaped.

$attributes = new Attribute();
$attributes['class'] = array();
$attributes['class'][] = 'cat';
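As an added, stand-alone illustration (not code from the answer above and not Drupal core), the following script reproduces the escaping path Attribute::__toString() takes, so the effect on a single quote can be seen without a Drupal bootstrap. The `escape_like_html_escape()`, `render_attribute()` and `render_tag()` functions are simplified stand-ins of my own; the assumption is that Html::escape() behaves like htmlspecialchars() with ENT_QUOTES.

```php
<?php
// Added example, not from the answer above or from Drupal core.

// Stand-in for Drupal's Html::escape() (assumption: it is htmlspecialchars()
// with ENT_QUOTES | ENT_SUBSTITUTE). ENT_QUOTES is the reason a single quote
// is encoded even though the attribute is delimited by double quotes.
function escape_like_html_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simplified stand-in for AttributeString::render(): the name is escaped,
// the value is escaped by the __toString() path, and the value is wrapped
// in double quotes.
function render_attribute(string $name, string $value): string {
    return escape_like_html_escape($name) . '="' . escape_like_html_escape($value) . '"';
}

// Simplified stand-in for Attribute::__toString() plus the surrounding tag.
function render_tag(string $tag, array $attributes): string {
    $rendered = '';
    foreach ($attributes as $name => $value) {
        $rendered .= ' ' . render_attribute($name, (string) $value);
    }
    return '<' . $tag . $rendered . '>';
}

// Constructed sample from the question: the apostrophe becomes &#039;.
echo render_tag('a', ['class' => "It's a nice day"]), PHP_EOL;
// <a class="It&#039;s a nice day">

// Constructed untrusted value: because both quote characters are encoded,
// it stays inside one attribute value and cannot open a second attribute.
$untrusted = 'x" onclick="evilCode()';
echo render_tag('a', ['class' => $untrusted]), PHP_EOL;
// <a class="x&quot; onclick=&quot;evilCode()">
```

Run it with `php example.php`; the two echoed lines show that the browser still displays the apostrophe as `'` because `&#039;` is decoded when the attribute value is parsed, which is why nothing needs to be "prevented" here.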