How to securely run D7 themes? #15
Comments
|
The answer is: folks should migrate their PHPTemplate templates over to Twig! The goal behind Retrofit is to lower the effort required to move to a supported version of Drupal in incremental stages. The security concern expressed is already existing on their site. Moving that code to a newer version of Drupal does not exacerbate the security concerns. This package could provide a |
I agree with this. Do you think Retrofit (or another project) should provide a tpl.php to twig converter to automate the parts of that that can be automated? There's some prior art in https://github.com/makinacorpus/php-twig-converter and discussion in rectorphp/rector#7097; not sure if there are any other projects that have taken it further.
I disagree with this. What exacerbates the concern is that in D7, you could mostly rely on preprocess functions to escape the variables that need escaping and in D10 you can't. For example, D7's field.tpl.php does
Are you saying that the idea would be to only run Retrofit during development and not on a production site? In that case, should docs/warnings be added to make that super clear to site owners? Because otherwise, I could easily imagine people thinking they can use Retrofit to upgrade from 7 to 10 in stages, but also deploy those interim stages to production. |
No, that is out of scope. This just ensures teams can start iterating on their refactors without it being a complete brick wall.
I understand. D7 had the escaping built into it's preprocess functions, we now delegate to Twig. So someone calling Or this package or wire in its own preprocess function to replicate what D7 did. $variables['label'] = check_plain($variables['label']);It'd be a game of whack-a-mole for these kind of things, but this entire package is a game of that.
No, this is a production tool so that folks can get off Drupal 7 in production onto Drupal 10+ and iteratively migrate their code. |
|
Drupal 10 also requires you to filter user input manually in the same way that Drupal 7 did. It's just that Drupal 10 has a bonus feature to save your bacon when you forget. |
#12 is cool!
I'm assuming the motivation for it is to be able to run a site's custom Drupal 7 theme in Drupal 10. What are your thoughts on how to handle
printstatements within tpl.php files? In Twig,{{ foo }}is smart about knowing whether foo needs to be escaped, and so in Drupal 10 we don't pre-escape variables passed to the template.One possible approach would be to instruct the site owner to replace all occurrences of
printwithretrofit_drupal_print()or similar, so that that function could then do something similar to what Twig's{{ foo }}does.Any other approaches worth considering?
The text was updated successfully, but these errors were encountered: