Score:1

Why precisely is the Twig raw filter insecure?


Why precisely is the Twig raw filter insecure in the Drupal context?

What would be an example of a potential threat?

And what needs to be done on the CKEditor field format side to protect against potentially malicious code, if the raw filter is used?

This is all documented: https://www.drupal.org/docs/security-in-drupal/writing-secure-code-for-drupal
No Sssweat: See [How do I get the raw field value in a twig template?](https://drupal.stackexchange.com/questions/228388/how-do-i-get-the-raw-field-value-in-a-twig-template/228393#228393) to do it safely.
Score:3

Twig templates escape special characters to prevent potential hacking. Twig raw puts out the data without escaping it, meaning that if it is user-supplied data, it's insecure and could be used for hacking.

Matoeil: Are the admin/config/content/formats/manage/basic_html limitations and filters not protective enough? Would you have an example?
Jaypan: There are multiple levels of filters. Twig filters are just one of them.
4uk4: @Matoeil, when you have filtered with a text format, you don't need `|raw` because the filtered markup is already marked as safe.
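The three ways of printing a body field that the answer and 4uk4's comment describe, shown side by side as an added Twig example (not code from the thread or from Drupal core). It assumes a `node.html.twig` template with the standard `node` and `content` variables and a body field saved under the basic_html text format:

```twig
{# Added example, not from the original thread. Assumes node.html.twig with the
   standard `node` and `content` variables and a body field saved under the
   basic_html text format. #}

{# 1. Autoescaped (safe, but tags show up as text):
   Twig HTML-escapes the stored string, so a saved "<script>" is printed
   as "&lt;script&gt;" and never executes. #}
<div class="body-escaped">{{ node.body.value }}</div>

{# 2. |raw on the stored value (insecure):
   node.body.value is the text exactly as the author typed it. |raw tells
   Twig to skip escaping, and nothing on this path applies the basic_html
   filters either, so any markup an author managed to save reaches the
   browser verbatim. This is the case the question is about: avoid it for
   user-supplied data. #}
<div class="body-raw">{{ node.body.value|raw }}</div>

{# 3. The rendered field (the correct way):
   content.body is a render array. The field formatter runs the stored text
   through the basic_html text format, which strips tags and attributes the
   format does not allow, and returns markup flagged as safe. Twig prints
   safe markup without escaping it, so no |raw is needed, and the text
   format's allow-list is what protects the page. #}
<div class="body-filtered">{{ content.body }}</div>
```

Variant 3 is why the text format's allowed tags matter and `|raw` does not: the filtering happens before Twig, and the result is already marked safe.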