Drupal

Jonathan Brown: Generating safe markup in Drupal 8

Planet Drupal - 19 September 2014 - 11:29am

The most insecure part of a Drupal website is typically the theme. Drupal 8 is using Twig as its template layer. This is a massive leap forward. It's no longer possible to put SQL queries in a template file!

Furthermore, Drupal 8 is now taking advantage of a security feature of Twig: autoescape. Every variable in a Twig template will be escaped if it is not marked as safe. This makes it much harder to introduce XSS vulnerabilities.

Unfortunately any HTML that your module produces will end up being double-escaped and the HTML itself will be visible instead of the browser's rendering of it. The quick and dirty way to fix this problem is to wrap your string with \Drupal\Component\Utility\SafeMarkup::set:

<?php
use Drupal\Component\Utility\SafeMarkup;

// Marks the whole concatenated string as safe, including $my_variable.
$output = SafeMarkup::set('<div class="my-module">' . $my_variable . '</div>');
?>

But this defeats the whole point of using autoescape. The correct approach is that all HTML created by a module should be declared in a Twig template. This means that all the variables are guaranteed to be escaped. It is also very easy to implement.

First you need to declare the template in your hook_theme():

<?php
function my_module_theme(array $existing, $type, $theme, $path) {
  return array(
    'my_module_my_template' => array(
      'template' => 'my-template',
      'variables' => array(
        'variable1' => NULL,
        'variable2' => NULL,
      ),
    ),
  );
}
?>

You then need to create a Twig template file, for example my_module/templates/my-template.html.twig:

{#
/**
* @file
* Default theme implementation for my template.
*
* Available variables
* - variable1: The first variable.
* - variable2: The second variable.
*/
#}
<div class="my-template">
  This is the first variable: <b>{{ variable1 }}</b>.
  This is the second variable: <i>{{ variable2 }}</i>.
</div>

When you need to generate your html you should use the drupal_render() function:

<?php
$render = array(
  '#theme' => 'my_module_my_template',
  '#variable1' => t("First"),
  '#variable2' => t("Second"),
);

$output = drupal_render($render);
?>

Strings returned by drupal_render() are automatically marked as safe and will not be escaped again.
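To make the escaping behaviour concrete, here is an added example (not code from Jonathan Brown's post or from Drupal core) that renders the template above with standalone Twig, assuming Twig is installed with composer require twig/twig; Twig\Markup stands in for the "mark as safe" effect of SafeMarkup::set, and the hostile value is a constructed sample.

```php
<?php
// Added example (not from the article or Drupal core): renders the article's
// template with standalone Twig to show what autoescape does with a hostile
// value, and why "mark the whole string as safe" reopens the XSS hole.
// Assumes Twig is installed with `composer require twig/twig`.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Markup;

// The article's my-template.html.twig, held in memory instead of on disk.
const MY_TEMPLATE = <<<'TWIG'
<div class="my-template">
  This is the first variable: <b>{{ variable1 }}</b>.
  This is the second variable: <i>{{ variable2 }}</i>.
</div>
TWIG;

/**
 * Returns three renderings of the template for the same hostile input.
 */
function render_cases(): array {
    $twig = new Environment(new ArrayLoader(['my-template' => MY_TEMPLATE]), [
        'autoescape' => 'html',   // the Twig feature Drupal 8 relies on
    ]);

    // Constructed hostile value, as if it came from an untrusted form field.
    $hostile = '<script>alert("xss")</script>';

    return [
        // 1. Plain string: autoescape entity-encodes <, > and " so the browser
        //    shows the text of the payload instead of executing it.
        'escaped' => $twig->render('my-template', [
            'variable1' => $hostile,
            'variable2' => 'Second',
        ]),

        // 2. The quick-and-dirty pattern from the article: concatenate HTML with
        //    the untrusted value, then mark the whole string safe. Markup plays
        //    the role of SafeMarkup::set(); Twig now emits it verbatim, payload
        //    included, because the caller vouched for the entire string.
        'marked_safe' => $twig->render('my-template', [
            'variable1' => new Markup('<div class="my-module">' . $hostile . '</div>', 'UTF-8'),
            'variable2' => 'Second',
        ]),

        // 3. The double-escaping symptom: HTML the module built itself, passed as
        //    a plain string, is escaped too and shows up as literal tags.
        'double_escaped' => $twig->render('my-template', [
            'variable1' => '<div class="my-module">hello</div>',
            'variable2' => 'Second',
        ]),
    ];
}

foreach (render_cases() as $case => $html) {
    echo "--- $case ---\n$html\n";
}
```

Run it with php and compare the three outputs: only the first case is safe against the constructed payload, and the third is the double-escaping symptom the article describes, which the hook_theme() and render array approach avoids.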

Categories: Drupal

Appnovation Technologies: Straight from the Source: Achieving Your Goals with osCaddie

Planet Drupal - 19 September 2014 - 11:02am
See why global non-profit organization Teach For All chose our osCaddie solution.
Categories: Drupal

Drupal core announcements: Today there are zero Drupal 8 beta blockers! Here's what's next.

Planet Drupal - 19 September 2014 - 10:17am

As of 06:58 UTC today, September 19, there are zero Drupal 8 beta blockers. This means that, after more than nine months of focused effort, we are almost ready to release the first Drupal 8 beta!

When will Drupal 8.0.0-beta 1 be released?

Today (September 19), we have released one more Drupal 8 alpha, Drupal 8.0.0-alpha15. This alpha can be treated as a "beta release candidate". If no additional beta blockers are identified in the next 10-14 days, we will then tag the first beta! (If we do discover additional beta blockers, then we will evaluate them and adjust our timeline.)

What does beta mean?

Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

See Dries' original announcement about the beta for more information on the beta and the criteria for beta blockers. The explanation of the Drupal 8 release management tags explains the differences between critical beta blockers and other issues impacted by the beta phase.

How can I help? Help stabilize the beta

The beta is an important milestone for Drupal 8. Help test the final alpha for critical and potentially beta-blocking bugs, and take extra care to avoid introducing regressions during this pre-beta window.

Beta deadline issues (complete by September 28)

This final pre-beta window is our final chance to complete beta deadline issues. As a reminder, changes to the following have a beta deadline:

  1. Non-critical changes to the core data model. (See the beta-to-beta upgrade path and data model stability policy and the beta-to-beta-upgrade path critical task for ongoing discussion of what is included in the Drupal 8 data model, how we will handle small data model additions, and when we will support a beta-to-beta upgrade path).
  2. Non-critical, backward-compatibility-breaking changes to the public APIs of the following critical subsystems:
    • The Configuration system
    • The Entity Field API
    • The Plugin API
    • The Menu and Routing APIs
  3. Other broad, non-critical changes that significantly break backward compatibility, at core maintainer discretion.

Beta deadline issues can be committed up until Sunday, September 28, after which there will be a freeze to ensure stability. If you have questions or concerns about completing a particular change, speak to a core maintainer about it soon.

If you know of issues that would introduce any of these changes, add the "beta deadline" issue tag so that contributors can find and help complete them before the beta. The following issues are particular priorities:

(Also see the full queue of known beta deadline issues.)

Keep in mind that API and schema additions may still be made during the beta phase, at core maintainer discretion. Limited API and data model changes will also happen during the beta phase, though core maintainers will try to isolate these changes to non-fundamental APIs or critical bug fixes. (See the ongoing beta-to-beta-upgrade path discussion.)

Beta target issues

"Beta target" issues are issues that we hope to complete early during the beta phase, but can still be added to Beta 2 or later. These are the next priority after important beta deadline issues. We especially need to work on:

(Also see the full queue of known beta target issues).

Thank you!

Many thanks to the 234 contributors who have helped resolve our 177 beta blockers in Drupal 8, and to the incredibly dedicated Drupal 8 branch maintainers. Your focus and effort is helping us build a solid Drupal 8 beta and, going forward, a better release.

Categories: Drupal

Bluespark Labs: Cleaning our repository history

Planet Drupal - 19 September 2014 - 8:49am

In our daily work we all make mistakes in our git commits. Sometimes these errors can easily be repaired just by reverting our commits. But if we are working in a public repository and we have accidentally pushed some sensitive information, we now have a problem.

That sensitive information is in our repository history, and anybody who has enough time to explore it can gain access to it. Our clients, or even ourselves, are now dealing with a privacy issue.

We can always try to repair that commit in our local environment and push our code again using the --force parameter. But we know, when you do that, a kitten dies. And if your team members already pushed something, everything in the repository will be messed up.

So the best option is to try and fix this in a more elegant way that allows us to erase all traces of our mistake, but preserves repository integrity.

Git provides the filter-branch command, but this powerful tool sometimes becomes too complicated and slow. In trying to find an easier way to do it, we finally came across the BFG Repo-Cleaner.

This tool is an alternative to git filter-branch that provides a faster and easier way to clean git repositories. It is written in Java, so you need to make sure you have JRE 6.0 or above installed. To clean your repository you only have to follow the steps below:

Clone your repository using the --mirror option. Beforehand, you should manually repair your mistakes in the repository.

$ git clone --mirror git://example.com/my-repo.git

Now, download BFG and execute it against your cloned repository.
$ java -jar bfg.jar --strip-blobs-bigger-than 1M my-repo.git
This step will remove all the blobs bigger than 1MB from your repository.

Once the index has been cleaned, examine your repository's history and then use the standard git gc command to strip out the unwanted dirty data, which Git will now recognise as surplus to requirements:
$ cd my-repo.git
$ git reflog expire --expire=now --all
$ git gc --prune=now --aggressive

Finally, once you're happy with the updated state of your repo, push it back up
$ git push

If everything went well, your repository won't include any of the accidentally committed files.

Here you have some common examples to use with Drupal (the patterns are quoted so that the shell does not expand them before BFG sees them):
Delete all files named 'id_rsa' or 'id_dsa':
$ java -jar bfg.jar --delete-files 'id_{dsa,rsa}' my-repo.git

Delete database dumps:
$ java -jar bfg.jar --delete-files '*.{mysql,mysql.gz}' my-repo.git

Delete the files folder:
$ java -jar bfg.jar --delete-folders files my-repo.git

We have to remark that BFG assumes that you have repaired your repository before executing it. You need to make sure your current commits are clean. This protects your current work and gives you peace of mind knowing that the BFG is only changing your repo history, not meddling with the current files of your project.

Finally, here you have some useful related links:

Tags: Drupal Planet
Categories: Drupal

OG Rebuilder

New Drupal Modules - 19 September 2014 - 7:05am

The OG Rebuilder module rebuilds the group's child nodes permissions whenever the group access configuration is changed.

Development sponsored by DRI Discovery/Reinvention/Integration/

Categories: Drupal

floskelwolke

New Drupal Modules - 19 September 2014 - 6:12am

Floskelwolke is a block module which imports the CSV data of the web application Floskelwoke.de, a project of Udo Stiehl and Sebastian Pertsch.

Code comes as soon as possible...

Categories: Drupal

Code Karate: Drupal 7 Honeypot Module

Planet Drupal - 19 September 2014 - 5:48am
Episode Number: 169

In this tutorial you will learn about the Honeypot module. The Honeypot module is a spam prevention module that uses a hidden form field to stop spam bots from posting to your site. This tutorial shows you how to configure the module to work on various forms on your site.

Tags: Drupal, Forms, Webform, Drupal 7, Drupal Planet, Spam Prevention
Categories: Drupal

IconBox

New Drupal Modules - 19 September 2014 - 3:30am

IconBox can be used to create different content boxes with Font Awesome icons.

The content box and Font Awesome icon are fully customizable (color, size, border) using the configuration page.

IconBox is fully responsive.

Categories: Drupal

Master Config

New Drupal Modules - 19 September 2014 - 2:12am

Master Config module allows you to define scopes and module definitions for said scopes through the Drupal UI, rather than using settings.php. The advantage of this method is that less technical Drupal site users/builders can more easily use Master.

Categories: Drupal

Mail Domain Report

New Drupal Modules - 19 September 2014 - 1:20am

Creates a report of the mail domains used by the users on the site.

Categories: Drupal

HackMonkey: Configuring CSS Source Maps & Compass

Planet Drupal - 19 September 2014 - 1:04am

After hours of searching Google, lots of trial and error, and a bunch of grumbling, I had a breakthrough and finally figured out how to get Source Maps to work under Chrome and Compass. The problem is that this functionality has been around for over a year in various forms in the pre-release versions of Sass and Chrome. As such, many of the posts I found were outdated and didn't work with the current, stable versions. So this post is partially to document the process for myself (and a small victory lap!), but hopefully someone else will get something out of it.

Categories: Drupal

Commerce Cart Context

New Drupal Modules - 18 September 2014 - 10:48pm

This module provides a context condition that allows you to check whether a user's shopping cart contains any items or not.

You could use this to for instance show the shopping cart block only if the cart contains any items, or show a block enticing users to purchase only if their cart is empty.

Requirements
Categories: Drupal

EntityForm Null Storage

New Drupal Modules - 18 September 2014 - 9:18pm
Overview

Allows turning off storage of Entity Form submissions on a per form-type basis.

Features

See overview.

Requirements

Entity form

Known problems

Please use the issue queue to report problems.

Categories: Drupal

Open Atrium Clone

New Drupal Modules - 18 September 2014 - 3:37pm

Adds the ability to clone spaces, sections, or other content for Open Atrium.

Submit an Issue or See issue queue

Categories: Drupal

Open Atrium Archive

New Drupal Modules - 18 September 2014 - 2:45pm

Provides the ability to archive content and restore it later for Open Atrium.

Submit an Issue or See issue queue

Categories: Drupal

Drupal core announcements: Drupal core updates for September 18th, 2014

Planet Drupal - 18 September 2014 - 2:43pm
What's new with Drupal 8?

The big news this week is we're still on one beta-blocker. Patches for the remaining beta blocker are coming rapidly with @effulgentsia, @plach and @fago working hard to get it over the line. Could we have zero beta blockers by DrupalCon?

Other key issues to land this week include Remove ArrayAccess from FormState: never again deal with random arrays; rejoice, $form_state is a first-class object! Thanks to @timplunkett and others who helped get this through. If you have any contrib projects accessing $form_state in an array fashion, e.g. $form_state['values']['fooey'], then you need to familiarize yourself with the change record.

In a further sign that Drupal 8 is maturing into a modern HTTP framework, we now have support for stack-php based middleware. This will allow us to clean up how page caching, content negotiation, implementing ban.module's functionality, OPTIONS requests and various other elements of the request processing pipeline work. For more information on middlewares see Stackphp.com and this article, or see the list of existing middlewares supported by stack-php, and therefore likely to be compatible with Drupal.

In the same vein, Modularize kernel exception handling brought some much needed cleanup to the way we handle exceptions and enables contrib modules to easily add their own exception handling, particularly for custom REST formats.

Over in Convert UnitTestBase to PHPUnit and Remove UnitTestBase, @sun, @Berdir and @tim.plunkett have been working towards removing Simpletest-based Unit tests. There are plenty of sessions around the future of testing at Drupalcon Amsterdam so be sure to check these out if testing is your thing.

The Consensus Banana is moving full-steam ahead with loads of issues resolved to move classes out of preprocessing and into templates landing this week. Meanwhile in Split Seven's style.css into SMACSS categories @LewisNyman has been making great strides towards bringing sanity to Seven's CSS structure.

@WimLeers, @alexpott and @chx worked tirelessly in Add cacheability metadata to access checks to harmonize our access-checking systems and add cacheability to the access results in the form of an AccessResultInterface, great work!

Over in Remove text_processing option from text fields, expose existing string field types as plain text in UI @Berdir, @Wim Leers, @dawehner consolidated our text field types, an important change for Site Builders.

Finally, PHPStorm 8 has been released with lots of support for Drupal 8 APIs!

Where's Drupal 8 at in terms of release?

Since the last Drupal Core Update on Sept. 4, we've fixed 19 critical issues and 24 major issues, and added 12 criticals and 19 majors. That puts us overall at 97 release-blocking critical issues and 644 major issues.

Where can I help? Top criticals to hit this week

Each week, we check with core maintainers and contributors for the "extra critical" criticals that are blocking other work. These issues are often tough problems with a long history. If you're familiar with the problem-space of one of these issues and have the time to dig in, help drive it forward by reviewing, improving, and testing its patch, and by making sure the issue's summary is up to date and any API changes are documented with a draft change record, we could use your help!

There are also several beta deadline issues that, while not quite critical, will need to be done before the beta if they're to be done at all. The following beta deadline issues are especially important:

More ways to help
  • Now that we're nearing beta, it's time to turn our attention to release-blocking criticals.
  • Beta target issues are issues that can be added to Beta 1, Beta 2, or later, but would be best done sooner rather than later for solid beta releases.
  • With a looming beta, now we can ramp up our efforts on contrib modules - there's a sprint at Amsterdam just for that - so put your name on the list if this is your thing.

As always, if you're new to contributing to core, check out Core contribution mentoring hours. Twice per week, you can log into IRC and helpful Drupal core mentors will get you set up with answers to any of your questions, plus provide some useful issues to work on.

You can also help by sponsoring independent Drupal core development.

Notable Commits

The best of git log --since "2014-09-04" --pretty=oneline (200 commits in total):

  • Issue 2333113 by effulgentsia, plach: Add an EntityDefinitionUpdateManager so that entity handlers can respond (e.g., by updating db schema) to code updates in a controlled way (e.g., from update.php).
  • Issue 1857256 by dawehner, xjm, tim.plunkett, jibran, ParisLiakos, hussainweb, pcambra, ekes, InternetDevels, rhabbachi, rdrh555, tstoeckler, oadaeh, Gábor Hojtsy, vijaycs85: Fixed Convert the taxonomy listing and feed at /taxonomy/term/%term to Views.
  • Issue 2333501 by swentel | marcvangend: Implement ThirdPartySettingsInterface in EntityView|FormDisplay.
  • Issue 1740492 by dawehner, damiankloip, dasjo, xjm: Implement a default entity views data handler.
  • Issue 2331019 by slashrsm: Implement ThirdPartySettingsInterface in Vocabulary.
  • Issue 2320157 by moshe weitzman, Wim Leers, penyaskito, tim.plunkett: Generate placeholder content for Field types - essentially devel generate in core.
  • Issue 2329485 by damiankloip, dawehner: Allow permissions.yml files to declare 'permission_callbacks' for dynamic permissions.
  • Issue 1898478 by joelpittet, Cottser, lokapujya, m1r1k, jstoller, er.pushpinderrana, duellj, organicwire, jessebeach, idflood, Jalandhar, Risse, derheap, galooph, mike.roberts, tlattimore, nadavoid, LinL, steveoliver, chakrapani, likin, killerpoke, EVIIILJ, vlad.dancer, podarok, m86 | c4rl: Menu.inc - Convert theme_ functions to Twig.
  • Issue 1915056 by Arla, Berdir, amateescu | catch: Use entity reference for taxonomy parents.
  • Issue 2321745 by larowlan, tim.plunkett: Add #type => 'path' that accepts path but optionally stores URL object or route name and parameters.
  • Issue 474004 by mdrummond, kim.pepper, Wim Leers, jibran, tim.plunkett, joachim | JohnAlbin: Add options to system menu block so primary and secondary menus can be blocks rather than variables - essentially menu block module in core.
  • Issue 2068331 by roderik, slashrsm, pcambra, Sharique, piyuesh23, vijaycs85 | plach: Convert comment SQL queries to the Entity Query API.
  • Issue 2226493 by Berdir, Wim Leers, m1r1k, mr.baileys, andypost, scor, cbr, joelpittet: Apply formatters and widgets to Node base fields.
  • Issue 2302563 by chx, dawehner: Fixed Access check Url objects.

You can also always check the Change records for Drupal core for the full list of Drupal 8 API changes from Drupal 7.

Drupal 8 Around the Interwebs

Drupal 8 in "Real Life"

Whew! That's a wrap!

Do you follow Drupal Planet with devotion, or keep a close eye on the Drupal event calendar, or git pull origin 8.0.x every morning without fail before your coffee? We're looking for more contributors to help compile these posts. You could either take a few hours once every six weeks or so to put together a whole post, or help with one section more regularly. Read more about how you can volunteer to help with these posts!

Finally special thanks to KatteKrab for assisting with compiling this edition.

Categories: Drupal

Commerce Costs Profits

New Drupal Modules - 18 September 2014 - 12:09pm
Synopsis

The module adds a Cost field to products and line items so that profits can be calculated in different reports.
It also replaces the default commerce line item manager so that line item cost and unit price can be edited in the admin area, with margins and order total updating in real time.
Two fields are added to order instances to collect expenses and calculate total order profit for later exposure in reports.

Categories: Drupal

Drupal Watchdog: The Automagic Speed-Up Cache

Planet Drupal - 18 September 2014 - 10:05am
Feature Motivation

The granularity of cache expiration in Drupal has been a long-standing problem.

One can have the most effective cache in the world, but if it clears entirely on any content change, it is not really workable. A “page” in Drupal can have blocks, listing, entities, regions, and many other objects. When one contained item changes, the container of that item needs to be fully rebuilt; often, that is the whole page, a problem requiring a much-needed solution.

Why can't we just rebuild the parts that have actually changed?

Consider what would be the best case scenario here. Assume that every item listed above can be cached separately. Now if one single entity changes, the following would be our "perfect" page request:

  1. Drupal bootstraps.
  2. Drupal builds the page.
  3. Drupal notices that only the “content” region has changed and retrieves the remaining regions from cache.
  4. Drupal re-builds the content region.
  5. Drupal notices only one listing in the content region has changed and retrieves the remaining blocks from cache.
  6. Drupal builds the “missing” block.
  7. The block contains a listing of entities.
  8. Drupal re-builds the listing, and entity_view() is called on these entities.
  9. Drupal retrieves all entities except the changed one from cache.

We would have a bootstrap, then we would see just one region call, one block call, one listing call, and one entity building call. Is this really possible?

Yes and no.

There are certain implementation limitations – especially around page assets – and a unified caching strategy needs to take them into account.

State of the Art

Render Caching is the saving of HTML content in a storage cache, while retaining assets like CSS and JS files and other “out-of-band” data. It can be used for reconstructing the page content, without changing the state the page would have without render caching active. The render cached HTML markup needs to be removed from the cache, or updated in the cache when the objects used for generation of the markup change.

Categories: Drupal

Acquia: Drupal 8 developer experience wins, the PHP Renaissance and more with Angie Byron

Planet Drupal - 18 September 2014 - 9:06am

Part 2 of a 2-part conversation with Angie Byron in front of the cameras at NYC Camp 2014, held at United Nations headquarters in New York. In this part of our conversation, we talk about improvements in the Drupal developer- and learning-experience thanks to the major changes under the hood in Drupal 8; the "PHP Renaissance"; and about being welcomed "back into the fold" of the greater PHP world thanks to the nature of Drupal 8 being a sort of "meta project" (my words) that includes parts of many others.

Categories: Drupal