Dec 26, 2015

Drupal 8, Beta 15 --> RC 1: Eliminating use of checkPlain()

Since SafeMarkup::checkPlain() is now deprecated and possibly intended to be removed along with other SafeMarkup methods, I decided to address this in migrating to RC 1.

In the common use case where D8's Twig templates are used for output, you can dispense with checkPlain() entirely and rely on Twig's autoescaping. That turned out to apply to our simple use of forms to input and render a few text values.

In the original code, checkPlain() was called both to process user-entered values and to sanitize those values before they were placed into render arrays. When I typed <script> into a form field, it was incorrectly escaped twice and displayed as &lt;script&gt;

Removing those calls works fine and conforms to what is considered good practice for D8. Potentially unsafe markup is stored as is in the database, but Twig converts it before it is sent to the browser.
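
The double escaping described above, reproduced as an added example in plain PHP (not code from the module or from Drupal core). escape_html() is a stand-in assumed here for both the explicit checkPlain() call and Twig's autoescape; browser_displays() and is_double_escaped() are hypothetical helpers.

```php
<?php
// Added illustration: plain PHP, no Drupal bootstrap needed.

// Stand-in (assumption) for both an explicit checkPlain() call and
// Twig's HTML autoescape: each is modelled as one htmlspecialchars() pass.
function escape_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: a browser decodes entities in a text node exactly once.
function browser_displays(string $html): string {
  return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical migration check: flags an entity that was escaped again.
// Heuristic only: a user who literally types "&lt;" also produces "&amp;lt;".
function is_double_escaped(string $html): bool {
  return preg_match('/&amp;(?:lt|gt|amp|quot|#0*39|#x0*27);/i', $html) === 1;
}

$input = '<script>';  // constructed form value, as in the post

// Before: escaped when the form value is processed, then again on output.
$stored_before = escape_html($input);
$html_before   = escape_html($stored_before);

// After: stored as entered, escaped once by the template layer.
$stored_after = $input;
$html_after   = escape_html($stored_after);

foreach (['before' => $html_before, 'after' => $html_after] as $label => $html) {
  echo $label, "\n";
  echo '  sent to browser: ', $html, "\n";
  echo '  user sees:       ', browser_displays($html), "\n";
  echo '  double escaped:  ', is_double_escaped($html) ? 'yes' : 'no', "\n";
}
```

In both flows no tag reaches the browser as markup; the difference is whether the visitor sees the text that was typed or its entity form.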

The article "SafeMarkup methods are removed" is extremely useful in how it breaks down the different use cases for checkPlain() and what needs to be done differently for each in D8 in order to prevent unsafe markup from being rendered.

Besides Twig templates, the other use cases are:

- Text placed into a render array by using the #plain_text key
- A mixture of escaped markup with markup not to be escaped
- Non-HTML responses, e.g. JSON

The discussion also applies to the check_plain() function in Drupal 7, for which checkPlain() was a replacement. If you're starting out with a conversion from D7, the article is a must read.

Sources:

SafeMarkup::set(), SafeMarkup::checkPlain(), and other methods are removed from Drupal 8 core
https://groups.drupal.org/node/478558

SafeMarkup methods are removed
https://www.drupal.org/node/2549395

Twig autoescape enabled and text sanitization APIs updated
https://www.drupal.org/node/2296163

Dec 19, 2015

Module: "Configuration inspector for Drupal 8"

In my recent post on "Missing langcode in configuration schema" I discovered that the langcode key in configuration schema is now required by default by Testing module automated tests.

The test results had error messages that said "Uncaught PHP Exception Drupal\Core\Config\Schema\SchemaIncompleteException" and "langcode missing schema".

As a result of that debugging, I got interested in a module called Configuration Inspector for Drupal 8.

Installing the module adds a new tab named Inspect to the page at  
/admin/config/development/configuration

That tab shows all of the Configuration Keys on the site, to which core contributes quite a few.

For the settings for our module, after I removed the langcode key from the .schema.yml file, the tab showed that the configuration key had 1 error. Going to the Raw Data page for the key then showed under Configuration Validation,

array ( 
  'optimizely.settings:langcode' => 'missing schema',
)

This is the gist of what the exceptions had said in the results from running the automated tests, but if I had used this config inspector early on to validate the schema, I would have spotted the error sooner rather than after the testing failed.

     * * *

The inspector also shows the types and the values of individual items. In our case, this includes a project id number whose value had been submitted through a form and stored programmatically by using the Simple Configuration API.

There was no entry shown for the langcode item, which is defined but had no value. I was able to provide one by adding code in hook_install(), again, by using the Simple Configuration API.

Sources:

Configuration inspector for Drupal 8
https://www.drupal.org/project/config_inspector

Configuration API in Drupal 8
https://www.drupal.org/node/1667894

Configuration schema/metadata
https://www.drupal.org/node/1905070
 

Dec 12, 2015

Drupal 8, Beta 14 --> Beta 15: Missing langcode in configuration schema

In migrating from Drupal 8 beta 14 to beta 15, the functionality of the module itself worked fine, but some of the automated tests were failing with error messages that included the following.

Uncaught PHP Exception Drupal\Core\Config\Schema\SchemaIncompleteException: "Schema errors for optimizely.settings with the following errors: optimizely.settings:langcode missing schema" at /var/www/html/opti/core/lib/Drupal/Core/Config/Testing/ConfigSchemaChecker.php line 98

In this message, optimizely.settings is the name of a group of configuration settings. It is also a configuration key in a .schema.yml file that is required for automated testing, which I blogged about earlier at "Beta 3 --> Beta 4: Configuration schema and metadata".

The article "Fix config schema" mentioned a very similar error message and stated "Because of a recent core change all tests are failing". I looked at the patches in that article, but I could not figure out what needed to be added in our case.

Then a search through the core code for the string "langcode:" led me to add langcode: as a key to the .schema.yml file as in the following.

optimizely.settings:
  type: mapping
  label: 'Optimizely Config Data'
  mapping:
    optimizely_id:
      type: integer
      label: 'Optimizely ID Number'
      translatable: false
    langcode:
      type: string
      label: 'Language code'


Problem solved. All automated tests passed after this change.

Update: Also see my later post on "Module: Configuration Inspector for Drupal 8".

Sources:

Beta 3 --> Beta 4: Configuration schema and metadata
http://optimizely-to-drupal-8.blogspot.com/2014/12/beta-3-beta-4-configuration-schema-and.html

Fix config schema
https://www.drupal.org/node/2547365

All TestBase derived tests now enforce strict configuration schema adherence by default
https://www.drupal.org/node/2391795

Configuration schema/metadata
https://www.drupal.org/node/1905070