
[SDPA-1815] Process webform event using decode entities #30

Conversation

@enzolutions enzolutions commented Feb 12, 2019

JIRA issue: https://digital-engagement.atlassian.net/browse/SDPA-1815

Related PRs:

Changed

  1. Process webform event using decode entities

Screenshots

@@ -123,38 +123,38 @@ function tide_event_webform_submission_presave($submission) {
$event_details_data = [
'type' => 'event_details',
'field_paragraph_link' => [
'uri' => Html::escape($submission_data['website_url_for_booking']),
'uri' => Html::decodeEntities(Html::escape($submission_data['website_url_for_booking'])),
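Review bot: Html::decodeEntities(Html::escape($x)) is the identity on well-formed UTF-8 input (escape turns & < > " ' into entities, decodeEntities turns exactly those entities back), so the new line stores the raw submitted value while reading as if it sanitised something; the line it replaces was wrong in the other direction, because HTML-escaping a value destined for a link field's 'uri' writes '&amp;' in place of '&' in any query string. Neither call belongs in a presave hook. Validate the value as a URL on input instead (for example Drupal's UrlHelper::isValid() plus an http/https scheme check, rejecting the submission otherwise) and leave escaping to the layer that renders it, whether a Twig template or the JSON:API consumer.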
Contributor
@enzolutions Why do we need to escape/decode input data? Those utility functions from Html are for sanitising output.

Contributor Author

@sonnykt @GROwen requested that we sanitise the user input from the FE; I am open to any suggestions.


Contributor Author

I agree with you and that document. I already discussed that with @GROwen, so Guy, it is your call: could we remove those and trust Drupal entity-saving validation for user input?

@anthony-malkoun
Contributor

This is the wrong approach to me. As discussed in the JIRA ticket we should not be sanitising input and will need to be careful on render (either from the frontend, but probably more correctly on JSONAPI output) that output is sanitised.
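The point made in this thread (validate on input, escape once on output, and note that escape followed by decode changes nothing) is shown below in plain PHP. This is an added example, not code from the tide_event module or from this PR. It uses htmlspecialchars() and html_entity_decode() with the same flags Drupal's Html::escape() and Html::decodeEntities() pass, so it runs without a Drupal install; validate_booking_url() and render_booking_link() are hypothetical helpers written for this illustration, and the sample submissions are constructed.

```php
<?php
// Added example, not part of the tide_event module or this PR.
// Plain PHP stand-ins so it runs without Drupal (assumed equivalents):
//   Html::escape()         -> htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
//   Html::decodeEntities() -> html_entity_decode($s, ENT_QUOTES, 'UTF-8')

function escape_like_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function decode_like_html(string $s): string {
    return html_entity_decode($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Input-side check (hypothetical helper): accept only an absolute http(s) URL.
 * Returns the trimmed URL, or NULL when the submission should be rejected.
 */
function validate_booking_url(string $raw): ?string {
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, file: and similar schemes
    }
    return $url;
}

/** Output-side escaping (hypothetical helper): done once, where HTML is produced. */
function render_booking_link(string $url): string {
    return '<a href="' . escape_like_html($url) . '">Book now</a>';
}

// Constructed sample submissions for the website_url_for_booking field.
$samples = [
    'https://example.com/book?event=1&seat=2',
    'https://example.com/?q="><script>alert(1)</script>',
    'javascript:alert(1)',
];

foreach ($samples as $raw) {
    // What the PR's line does: escape, then decode. On valid UTF-8 this is
    // the identity, so the stored value is simply the raw submission.
    $pr_value = decode_like_html(escape_like_html($raw));
    printf("round trip == raw : %s\n", var_export($pr_value === $raw, true));

    // What the previous line did: store the escaped form in a URI field.
    // '&' becomes '&amp;', which corrupts the query string for any
    // consumer that is not rendering HTML (JSON:API clients, redirects).
    printf("escaped on input  : %s\n", escape_like_html($raw));

    // Validate the shape on input; store the raw value; escape at render time.
    $valid = validate_booking_url($raw);
    if ($valid === null) {
        printf("rejected on input : %s\n\n", $raw);
        continue;
    }
    printf("rendered          : %s\n\n", render_booking_link($valid));
}
```

Run it with `php example.php`. The first sample round-trips unchanged and renders with `&amp;` only inside the `href` attribute, which is where escaping belongs; the third is rejected by the scheme allowlist before it is ever stored. Whether the second sample survives `filter_var()` or not, it never reaches the page unescaped, because the one escaping step sits in `render_booking_link()` rather than in the presave hook.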
