trait DynamicPluginConfigWithCsrfTokenUrlTrait in Drupal 10

Provides a trait for CKEditor 5 with dynamically generated CSRF token URLs.

The Text Editor module's APIs predate the concept of bubbleable metadata. To prevent URLs with CSRF tokens from breaking cacheability, placeholders are used for those CSRF tokens since https://drupal.org/i/2512132. Placeholders are designed to be attached to the data in which they exist, so they can be replaced at the last possible moment, without interfering with cacheability. Unfortunately, because it is not possible to associate bubbleable metadata with a Text Editor's JS settings, we have to manually process these. This is acceptable only because a text editor's JS settings are not cacheable anyway (just like forms are not cacheable).

@internal

See also

\Drupal\Core\Access\CsrfAccessCheck

\Drupal\Core\Access\RouteProcessorCsrf::processOutbound()

\Drupal\Core\Render\BubbleableMetadata

\Drupal\editor\Plugin\EditorPluginInterface::getJSSettings()

\Drupal\ckeditor5\Plugin\CKEditor5Plugin\ImageUpload::getDynamicPluginConfig()

\Drupal\ckeditor5\Plugin\CKEditor5Plugin\Media::getDynamicPluginConfig()

https://www.drupal.org/project/drupal/issues/2512132

File

core/modules/ckeditor5/src/Plugin/CKEditor5Plugin/DynamicPluginConfigWithCsrfTokenUrlTrait.php, line 32

Namespace

Drupal\ckeditor5\Plugin\CKEditor5Plugin
use Drupal\Core\Url;

trait DynamicPluginConfigWithCsrfTokenUrlTrait {

  /**
   * Gets the given URL with all placeholders replaced.
   *
   * @param \Drupal\Core\Url $url
   *   A URL which generates CSRF token placeholders.
   *
   * @return string
   *   The URL string, with all placeholders replaced.
   */
  private static function getUrlWithReplacedCsrfTokenPlaceholder(Url $url) : string {
    // Passing TRUE returns a GeneratedUrl object that carries bubbleable
    // metadata, including the CSRF token placeholder attachment.
    $generated_url = $url->toString(TRUE);
    $url_with_csrf_token_placeholder = [
      '#plain_text' => $generated_url->getGeneratedUrl(),
    ];
    // Attach that metadata to the render array so the renderer can replace
    // the placeholder with the actual token.
    $generated_url->applyTo($url_with_csrf_token_placeholder);
    return (string) \Drupal::service('renderer')->renderPlain($url_with_csrf_token_placeholder);
  }

}
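
The placeholder flow described above, modelled in plain PHP as an added example (not Drupal's or this page's own code): the function names, the HMAC token scheme and the seed values are simplified, hypothetical stand-ins. It shows that the generated URL is the same for every session until the placeholder is replaced, and that a URL handed on with the placeholder still in it fails the token check.

```php
<?php
// Added illustration in plain PHP. Every function below is a hypothetical
// stand-in that models the flow; none of them is a Drupal API.

// Simplified per-session token: HMAC of the path keyed by a session seed.
function csrf_token(string $seed, string $path): string {
  return hash_hmac('sha256', $path, $seed);
}

// Models URL generation with metadata collection: the query string carries a
// placeholder derived only from the path, so the result is identical for
// every session and does not vary the cache.
function generate_url(string $path): array {
  $placeholder = hash('sha256', $path);
  return ['url' => "/$path?token=$placeholder", 'placeholders' => [$placeholder => $path]];
}

// Models the manual processing step: swap each placeholder for the current
// session's token just before the URL goes into the editor's JS settings.
function replace_placeholders(array $generated, string $seed): string {
  $url = $generated['url'];
  foreach ($generated['placeholders'] as $placeholder => $path) {
    $url = str_replace($placeholder, csrf_token($seed, $path), $url);
  }
  return $url;
}

// Models the access check: recompute the token for the requested path and
// compare it with the submitted one in constant time.
function is_valid(string $url, string $seed): bool {
  $path = ltrim((string) parse_url($url, PHP_URL_PATH), '/');
  parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
  return hash_equals(csrf_token($seed, $path), (string) ($query['token'] ?? ''));
}

// Constructed sample values (path and seeds are made up for this example).
$generated = generate_url('ckeditor5/upload-image/basic_html');
$alice = replace_placeholders($generated, 'constructed-seed-alice');
$bob = replace_placeholders($generated, 'constructed-seed-bob');

// Each check validates against the first session's seed.
$checks = [
  'unresolved placeholder URL accepted' => is_valid($generated['url'], 'constructed-seed-alice'),
  'URL resolved for this session accepted' => is_valid($alice, 'constructed-seed-alice'),
  "another session's URL accepted" => is_valid($bob, 'constructed-seed-alice'),
];
foreach ($checks as $label => $result) {
  echo $label, ': ', var_export($result, TRUE), PHP_EOL;
}
```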

Members