authorNathaniel Catchpole2015-09-03 22:36:44 (GMT)
committerNathaniel Catchpole2015-09-03 22:36:44 (GMT)
commitf13b2d59bd811f1abecde0dfcf2d8bbc228360b3 (patch)
tree8d6e80e1c6eaf6d30245802ae6e1f6271159e5f8
parent31007609541740b5505fde892e165ddacf0f31af (diff)
Revert "Issue #2560641 by alexpott, lauriii, Xano, borisson_, ianthomas_uk: Remove all usages SafeMarkup::checkPlain() from render arrays"
This reverts commit 31007609541740b5505fde892e165ddacf0f31af.
-rw-r--r--core/includes/theme.inc4
-rw-r--r--core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php4
-rw-r--r--core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php5
-rw-r--r--core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php16
-rw-r--r--core/lib/Drupal/Core/Field/WidgetBase.php7
-rw-r--r--core/modules/block/src/BlockViewBuilder.php3
-rw-r--r--core/modules/block/src/Controller/BlockLibraryController.php3
-rw-r--r--core/modules/color/color.module3
-rw-r--r--core/modules/comment/src/CommentTypeListBuilder.php4
-rw-r--r--core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php5
-rw-r--r--core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php3
-rw-r--r--core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php3
-rw-r--r--core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php3
-rw-r--r--core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php4
-rw-r--r--core/modules/contact/src/Controller/ContactController.php3
-rw-r--r--core/modules/dblog/src/Controller/DbLogController.php4
-rw-r--r--core/modules/field/src/Tests/String/UuidFormatterTest.php2
-rw-r--r--core/modules/field_ui/src/FieldConfigListBuilder.php3
-rw-r--r--core/modules/file/src/Plugin/Field/FieldFormatter/BaseFieldFileFormatterBase.php6
-rw-r--r--core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php3
-rw-r--r--core/modules/filter/src/FilterFormatListBuilder.php14
-rw-r--r--core/modules/filter/src/Plugin/Filter/FilterHtml.php4
-rw-r--r--core/modules/help/src/Controller/HelpController.php3
-rw-r--r--core/modules/language/src/Form/NegotiationConfigureForm.php9
-rw-r--r--core/modules/locale/src/Form/TranslateEditForm.php14
-rw-r--r--core/modules/locale/src/Form/TranslationStatusForm.php5
-rw-r--r--core/modules/node/src/NodeListBuilder.php3
-rw-r--r--core/modules/node/src/NodeTypeForm.php3
-rw-r--r--core/modules/node/src/Plugin/Search/NodeSearch.php13
-rw-r--r--core/modules/node/src/Tests/NodeTitleTest.php18
-rw-r--r--core/modules/node/src/Tests/NodeTitleXSSTest.php6
-rw-r--r--core/modules/path/src/Form/EditForm.php3
-rw-r--r--core/modules/simpletest/src/AssertContentTrait.php19
-rw-r--r--core/modules/system/src/Form/ModulesListForm.php3
-rw-r--r--core/modules/system/src/Tests/System/PageTitleTest.php9
-rw-r--r--core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php5
-rw-r--r--core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php3
-rw-r--r--core/modules/system/tests/modules/test_page_test/src/Controller/Test.php12
-rw-r--r--core/modules/system/tests/modules/test_page_test/test_page_test.routing.yml8
-rw-r--r--core/modules/tracker/tracker.pages.inc3
-rw-r--r--core/modules/update/src/Form/UpdateManagerUpdate.php7
-rw-r--r--core/modules/user/src/Form/UserPermissionsForm.php3
-rw-r--r--core/modules/user/src/Plugin/views/access/Permission.php3
-rw-r--r--core/modules/user/src/UserListBuilder.php2
-rw-r--r--core/modules/views/src/Plugin/views/display/Block.php3
-rw-r--r--core/modules/views/src/Plugin/views/display/DisplayPluginBase.php4
-rw-r--r--core/modules/views/src/Plugin/views/filter/FilterPluginBase.php2
-rw-r--r--core/modules/views/src/Tests/SearchIntegrationTest.php5
-rw-r--r--core/modules/views_ui/src/Tests/XssTest.php4
-rw-r--r--core/modules/views_ui/src/ViewEditForm.php4
-rw-r--r--core/modules/views_ui/src/ViewListBuilder.php3
-rw-r--r--core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php6
52 files changed, 150 insertions, 141 deletions
diff --git a/core/includes/theme.inc b/core/includes/theme.inc
index 6f05be0..329ff58 100644
--- a/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -20,7 +20,6 @@ use Drupal\Core\Template\Attribute;
use Drupal\Core\Theme\ThemeSettings;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\Render\Element;
-use Drupal\Core\Render\SafeString;
/**
* @defgroup content_flags Content markers
@@ -1242,8 +1241,7 @@ function template_preprocess_html(&$variables) {
}
if (!empty($variables['page']['#title'])) {
$head_title = array(
- // Marking the title as safe since it has had the tags stripped.
- 'title' => SafeString::create(trim(strip_tags($variables['page']['#title']))),
+ 'title' => trim(strip_tags($variables['page']['#title'])),
'name' => $site_config->get('name'),
);
}
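Review bot: The new `'title'` value at line 83 is a plain string from `strip_tags()`, which removes markup but does not escape the remaining text, so any escaping of the head title now has to happen where `$head_title` is printed; the commit also drops the comment that explained the previous safe-marking, leaving the decision undocumented. A one-line why-comment keeps it visible, e.g. `// Plain string: strip_tags() removes markup but does not escape, the template is expected to escape this on output.` — the template behaviour is an assumption to confirm, it is not in this hunk. template_preprocess_html() continues outside the hunk.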
diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php
index 9d2b730..c03b96d 100644
--- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php
+++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php
@@ -7,7 +7,7 @@
namespace Drupal\Core\Field\Plugin\Field\FieldFormatter;
-use Drupal\Component\Utility\Html;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Field\FormatterBase;
use Drupal\Core\Field\FieldItemListInterface;
@@ -37,7 +37,7 @@ class BasicStringFormatter extends FormatterBase {
foreach ($items as $delta => $item) {
// The text value has no text format assigned to it, so the user input
// should equal the output, including newlines.
- $elements[$delta] = array('#markup' => nl2br(Html::escape($item->value)));
+ $elements[$delta] = array('#markup' => nl2br(SafeMarkup::checkPlain($item->value)));
}
return $elements;
diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php
index e4b41b8..dea2989 100644
--- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php
+++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php
@@ -7,6 +7,7 @@
namespace Drupal\Core\Field\Plugin\Field\FieldFormatter;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemInterface;
@@ -122,9 +123,7 @@ class LanguageFormatter extends StringFormatter {
// storage by LanguageManager::getLanguages()) or in its native language
// name. That only depends on formatter settings and no language condition.
$languages = $this->getSetting('native_language') ? $this->languageManager->getNativeLanguages(LanguageInterface::STATE_ALL) : $this->languageManager->getLanguages(LanguageInterface::STATE_ALL);
- return [
- '#plain_text' => $item->language && isset($languages[$item->language->getId()]) ? $languages[$item->language->getId()]->getName() : ''
- ];
+ return $item->language && isset($languages[$item->language->getId()]) ? SafeMarkup::checkPlain($languages[$item->language->getId()]->getName()) : '';
}
}
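Review bot: The single-line ternary at line 122 calls `$item->language->getId()` twice and indexes `$languages` twice, which buries the one interesting step, the `SafeMarkup::checkPlain()` call, in the middle of the line. Hoisting the lookup reads better and keeps the escaping on its own line: `$langcode = $item->language ? $item->language->getId() : NULL;` then `$language = $langcode !== NULL && isset($languages[$langcode]) ? $languages[$langcode] : NULL;` and `return $language ? SafeMarkup::checkPlain($language->getName()) : '';`. viewValue() starts outside the hunk.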
diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php
index fd5c3bb..6276f95 100644
--- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php
+++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php
@@ -7,7 +7,7 @@
namespace Drupal\Core\Field\Plugin\Field\FieldFormatter;
-use Drupal\Component\Utility\Html;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\Entity\RevisionableInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
@@ -128,16 +128,16 @@ class StringFormatter extends FormatterBase implements ContainerFactoryPluginInt
}
foreach ($items as $delta => $item) {
- $view_value = $this->viewValue($item);
+ $string = $this->viewValue($item);
if ($url) {
$elements[$delta] = [
'#type' => 'link',
- '#title' => $view_value,
+ '#title' => $string,
'#url' => $url,
];
}
else {
- $elements[$delta] = is_array($view_value) ? $view_value : ['#markup' => $view_value];
+ $elements[$delta] = ['#markup' => $string];
}
}
return $elements;
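Review bot: Line 151 drops the `is_array()` guard and always wraps `$string` in `#markup`, while the parallel loop in BaseFieldFileFormatterBase (line 470 of this diff) keeps `is_array($string) ? $string : ['#markup' => $string]`, so the two formatters now disagree on whether viewValue() may return a render array. The docblock hunk below changes this class's viewValue() to `@return string`, which makes the guard here redundant; if BaseFieldFileFormatterBase's viewValue() also only returns strings its guard is dead code, otherwise its contract should say that arrays are allowed. Pick one contract and state it in both files. viewElements() starts and ends outside this hunk.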
@@ -149,15 +149,13 @@ class StringFormatter extends FormatterBase implements ContainerFactoryPluginInt
* @param \Drupal\Core\Field\FieldItemInterface $item
* One field item.
*
- * @return array
- * The textual output generated as a render array.
+ * @return string
+ * The textual output generated.
*/
protected function viewValue(FieldItemInterface $item) {
// The text value has no text format assigned to it, so the user input
// should equal the output, including newlines.
- return [
- '#markup' => nl2br(Html::escape($item->value))
- ];
+ return nl2br(SafeMarkup::checkPlain($item->value));
}
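Review bot: The new `@return string` at lines 161-162 says "The textual output generated", but the value is HTML: text escaped by `SafeMarkup::checkPlain()` with newlines turned into `<br />` tags by `nl2br()` at line 170, and the caller above places it directly in `#markup` and in a link `#title`. Say so in the docblock so subclasses keep the contract, e.g. `@return string` / `HTML-escaped text with newlines converted to <br /> tags, intended for #markup.` Whether the renderer treats checkPlain() output as safe markup is not shown here and is worth confirming before a subclass relies on it.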
}
diff --git a/core/lib/Drupal/Core/Field/WidgetBase.php b/core/lib/Drupal/Core/Field/WidgetBase.php
index 575daf9..0103071 100644
--- a/core/lib/Drupal/Core/Field/WidgetBase.php
+++ b/core/lib/Drupal/Core/Field/WidgetBase.php
@@ -10,6 +10,7 @@ namespace Drupal\Core\Field;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\SortArray;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Symfony\Component\Validator\ConstraintViolationInterface;
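Review bot: The `use Drupal\Component\Utility\SafeMarkup;` added at line 181 is placed after `SortArray`, breaking the alphabetical order the surrounding `Drupal\Component\Utility` lines keep; it belongs between `NestedArray` and `SortArray`. The same out-of-order placement appears in FileWidget (line 479, before `NestedArray`), ContactController (line 387), HelpController (line 554, after the Symfony imports), NegotiationConfigureForm (line 572) and NodeTypeForm (line 693).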
@@ -84,7 +85,7 @@ abstract class WidgetBase extends PluginSettingsBase implements WidgetInterface
if ($this->handlesMultipleValues() || isset($get_delta)) {
$delta = isset($get_delta) ? $get_delta : 0;
$element = array(
- '#title' => $this->fieldDefinition->getLabel(),
+ '#title' => SafeMarkup::checkPlain($this->fieldDefinition->getLabel()),
'#description' => FieldFilteredString::create(\Drupal::token()->replace($this->fieldDefinition->getDescription())),
);
$element = $this->formSingleElement($items, $delta, $element, $form, $form_state);
@@ -163,7 +164,7 @@ abstract class WidgetBase extends PluginSettingsBase implements WidgetInterface
break;
}
- $title = $this->fieldDefinition->getLabel();
+ $title = SafeMarkup::checkPlain($this->fieldDefinition->getLabel());
$description = FieldFilteredString::create(\Drupal::token()->replace($this->fieldDefinition->getDescription()));
$elements = array();
@@ -178,7 +179,7 @@ abstract class WidgetBase extends PluginSettingsBase implements WidgetInterface
// table.
if ($is_multiple) {
$element = [
- '#title' => $this->t('@title (value @number)', ['@title' => $title, '@number' => $delta + 1]),
+ '#title' => $title . ' ' . $this->t('(value @number)', ['@number' => $delta + 1]),
'#title_display' => 'invisible',
'#description' => '',
];
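Review bot: Line 206 builds the element title by concatenating `$title` with a separately translated fragment `(value @number)`, so translators receive a sentence fragment whose position relative to the title cannot be changed, and the `.` operator casts the result of `$this->t()` to a plain string. One translatable string with both values as placeholders avoids both problems: `'#title' => $this->t('@title (value @number)', ['@title' => $title, '@number' => $delta + 1]),` — but since `$title` is already escaped in the previous hunk (line 198), whether `@title` would escape it a second time depends on how t() treats checkPlain() output, which is not visible here; if it does, `!title` is the placeholder to use. The enclosing method starts and ends outside the hunk.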
diff --git a/core/modules/block/src/BlockViewBuilder.php b/core/modules/block/src/BlockViewBuilder.php
index 9a582352..6e99faa 100644
--- a/core/modules/block/src/BlockViewBuilder.php
+++ b/core/modules/block/src/BlockViewBuilder.php
@@ -7,6 +7,7 @@
namespace Drupal\block;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Block\MainContentBlockPluginInterface;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheableMetadata;
@@ -163,6 +164,8 @@ class BlockViewBuilder extends EntityViewBuilder {
'#block' => $entity,
];
+ $build['#configuration']['label'] = SafeMarkup::checkPlain($configuration['label']);
+
// If an alter hook wants to modify the block contents, it can append
// another #pre_render hook.
$module_handler->alter(['block_view', "block_view_$base_id"], $build, $plugin);
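Review bot: Line 223 overwrites `$build['#configuration']['label']` immediately after the `$build` array literal is closed, with no comment saying why the label is the one configuration key that gets escaped here; a reader will take it for a leftover. A one-line why-comment would do, e.g. `// Escape the label once here; it is printed as-is by the block template.` — the "printed as-is" part is an assumption about the template to confirm. Reading `$configuration['label']` without `isset()` also assumes every block configuration carries a label; fine if the plugin base guarantees it, which this hunk does not show. The enclosing method continues outside the hunk.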
diff --git a/core/modules/block/src/Controller/BlockLibraryController.php b/core/modules/block/src/Controller/BlockLibraryController.php
index 972dd73..2a0148f 100644
--- a/core/modules/block/src/Controller/BlockLibraryController.php
+++ b/core/modules/block/src/Controller/BlockLibraryController.php
@@ -8,6 +8,7 @@
namespace Drupal\block\Controller;
use Drupal\Component\Serialization\Json;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Block\BlockManagerInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\EventSubscriber\MainContentViewSubscriber;
@@ -108,7 +109,7 @@ class BlockLibraryController extends ControllerBase {
'#prefix' => '<div class="block-filter-text-source">',
'#suffix' => '</div>',
];
- $row['category']['data'] = $plugin_definition['category'];
+ $row['category']['data'] = SafeMarkup::checkPlain($plugin_definition['category']);
$links['add'] = [
'title' => $this->t('Place block'),
'url' => Url::fromRoute('block.admin_add', ['plugin_id' => $plugin_id, 'theme' => $theme]),
diff --git a/core/modules/color/color.module b/core/modules/color/color.module
index 46ddce5..fa9499b 100644
--- a/core/modules/color/color.module
+++ b/core/modules/color/color.module
@@ -8,6 +8,7 @@ use Drupal\Component\Utility\Unicode;
use Drupal\Core\Asset\CssOptimizer;
use Drupal\Component\Utility\Bytes;
use Drupal\Component\Utility\Environment;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Language\LanguageInterface;
@@ -250,7 +251,7 @@ function color_scheme_form($complete_form, FormStateInterface $form_state, $them
if (isset($names[$name])) {
$form['palette'][$name] = array(
'#type' => 'textfield',
- '#title' => $names[$name],
+ '#title' => SafeMarkup::checkPlain($names[$name]),
'#value_callback' => 'color_palette_color_value',
'#default_value' => $value,
'#size' => 8,
diff --git a/core/modules/comment/src/CommentTypeListBuilder.php b/core/modules/comment/src/CommentTypeListBuilder.php
index f8a3451..4f99871 100644
--- a/core/modules/comment/src/CommentTypeListBuilder.php
+++ b/core/modules/comment/src/CommentTypeListBuilder.php
@@ -7,6 +7,8 @@
namespace Drupal\comment;
+use Drupal\Component\Utility\SafeMarkup;
+use Drupal\Component\Utility\Xss;
use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
use Drupal\Core\Entity\EntityInterface;
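Review bot: `use Drupal\Component\Utility\Xss;` at line 276 is not used in either hunk of this file — buildRow() at lines 282-287 calls only `SafeMarkup::checkPlain()` — so unless the rest of the file references `Xss`, this is an unused import that static analysis will flag. DbLogController has the same pattern: `Xss` is imported at line 407 and not referenced in the visible hunk at lines 411-419.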
@@ -43,7 +45,7 @@ class CommentTypeListBuilder extends ConfigEntityListBuilder {
* {@inheritdoc}
*/
public function buildRow(EntityInterface $entity) {
- $row['type'] = $entity->label();
+ $row['type'] = SafeMarkup::checkPlain($entity->label());
$row['description']['data'] = ['#markup' => $entity->getDescription()];
return $row + parent::buildRow($entity);
}
diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php b/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php
index c6e8a49..74e276a 100644
--- a/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php
+++ b/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php
@@ -7,6 +7,7 @@
namespace Drupal\config_translation\Controller;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityStorageInterface;
use Drupal\Core\Entity\EntityTypeInterface;
@@ -69,12 +70,12 @@ class ConfigTranslationBlockListBuilder extends ConfigTranslationEntityListBuild
);
$row['theme'] = array(
- 'data' => $this->themes[$theme]->info['name'],
+ 'data' => SafeMarkup::checkPlain($this->themes[$theme]->info['name']),
'class' => 'table-filter-text-source',
);
$row['category'] = array(
- 'data' => $plugin_definition['category'],
+ 'data' => SafeMarkup::checkPlain($plugin_definition['category']),
'class' => 'table-filter-text-source',
);
diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php b/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php
index 282d3eb..1b2a08b 100644
--- a/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php
+++ b/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php
@@ -7,6 +7,7 @@
namespace Drupal\config_translation\Controller;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityManagerInterface;
@@ -122,7 +123,7 @@ class ConfigTranslationFieldListBuilder extends ConfigTranslationEntityListBuild
if ($this->displayBundle()) {
$bundle = $entity->get('bundle');
$row['bundle'] = array(
- 'data' => $this->baseEntityBundles[$bundle]['label'],
+ 'data' => SafeMarkup::checkPlain($this->baseEntityBundles[$bundle]['label']),
'class' => 'table-filter-text-source',
);
}
diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php b/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php
index 5c95452..e32714b 100644
--- a/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php
+++ b/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php
@@ -7,6 +7,7 @@
namespace Drupal\config_translation\Controller;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\config_translation\ConfigMapperInterface;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -93,7 +94,7 @@ class ConfigTranslationMapperList extends ControllerBase {
* A render array structure of fields for this mapper.
*/
public function buildRow(ConfigMapperInterface $mapper) {
- $row['label'] = $mapper->getTypeLabel();
+ $row['label'] = SafeMarkup::checkPlain($mapper->getTypeLabel());
$row['operations']['data'] = $this->buildOperations($mapper);
return $row;
}
diff --git a/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php b/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php
index eb5cf75..221b7d6 100644
--- a/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php
+++ b/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php
@@ -7,6 +7,7 @@
namespace Drupal\config_translation\Tests;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\language\Entity\ConfigurableLanguage;
use Drupal\simpletest\WebTestBase;
@@ -102,7 +103,7 @@ class ConfigTranslationOverviewTest extends WebTestBase {
$base_url = 'admin/structure/config_test/manage/' . $test_entity->id();
$this->drupalGet('admin/config/regional/config-translation/config_test');
$this->assertLinkByHref($base_url . '/translate');
- $this->assertEscaped($test_entity->label());
+ $this->assertText(SafeMarkup::checkPlain($test_entity->label()));
// Make sure there is only a single 'Translate' operation for each
// dropbutton.
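Review bot: Line 362 asserts the escaped label with `assertText()`, while ConfigTranslationUiTest (lines 373 and 376) asserts the same kind of value with `assertRaw()`; by their names the two compare against different views of the response, raw HTML versus page text, so only one of them actually pins that the label appears in escaped form. Use the same assertion in both tests; `assertRaw(SafeMarkup::checkPlain($test_entity->label()))` is the one that checks the escaped output. The test method starts and ends outside the hunk.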
diff --git a/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php b/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php
index e4a4e3f..41840ad 100644
--- a/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php
+++ b/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php
@@ -753,9 +753,9 @@ class ConfigTranslationUiTest extends WebTestBase {
$this->clickLink('Add');
$this->assertText('Translatable field setting');
- $this->assertEscaped($translatable_field_setting);
+ $this->assertRaw(SafeMarkup::checkPlain($translatable_field_setting));
$this->assertText('Translatable storage setting');
- $this->assertEscaped($translatable_storage_setting);
+ $this->assertRaw(SafeMarkup::checkPlain($translatable_storage_setting));
}
/**
diff --git a/core/modules/contact/src/Controller/ContactController.php b/core/modules/contact/src/Controller/ContactController.php
index 1abd33c..7233bb8 100644
--- a/core/modules/contact/src/Controller/ContactController.php
+++ b/core/modules/contact/src/Controller/ContactController.php
@@ -11,6 +11,7 @@ use Drupal\Core\Controller\ControllerBase;
use Drupal\contact\ContactFormInterface;
use Drupal\Core\Render\RendererInterface;
use Drupal\user\UserInterface;
+use Drupal\Component\Utility\SafeMarkup;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -86,7 +87,7 @@ class ContactController extends ControllerBase {
));
$form = $this->entityFormBuilder()->getForm($message);
- $form['#title'] = $contact_form->label();
+ $form['#title'] = SafeMarkup::checkPlain($contact_form->label());
$form['#cache']['contexts'][] = 'user.permissions';
$this->renderer->addCacheableDependency($form, $config);
return $form;
diff --git a/core/modules/dblog/src/Controller/DbLogController.php b/core/modules/dblog/src/Controller/DbLogController.php
index eff6626..08d826b 100644
--- a/core/modules/dblog/src/Controller/DbLogController.php
+++ b/core/modules/dblog/src/Controller/DbLogController.php
@@ -8,7 +8,9 @@
namespace Drupal\dblog\Controller;
use Drupal\Component\Utility\Html;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
+use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Database\Connection;
use Drupal\Core\Datetime\DateFormatter;
@@ -281,7 +283,7 @@ class DbLogController extends ControllerBase {
),
array(
array('data' => $this->t('Hostname'), 'header' => TRUE),
- $dblog->hostname,
+ SafeMarkup::checkPlain($dblog->hostname),
),
array(
array('data' => $this->t('Operations'), 'header' => TRUE),
diff --git a/core/modules/field/src/Tests/String/UuidFormatterTest.php b/core/modules/field/src/Tests/String/UuidFormatterTest.php
index 4d849cd..2eaf7e9 100644
--- a/core/modules/field/src/Tests/String/UuidFormatterTest.php
+++ b/core/modules/field/src/Tests/String/UuidFormatterTest.php
@@ -51,7 +51,7 @@ class UuidFormatterTest extends KernelTestBase {
$render_array = $uuid_field->view(['settings' => ['link_to_entity' => TRUE]]);
$this->assertIdentical($render_array[0]['#type'], 'link');
- $this->assertIdentical($render_array[0]['#title']['#markup'], $entity->uuid());
+ $this->assertIdentical($render_array[0]['#title'], $entity->uuid());
$this->assertIdentical($render_array[0]['#url']->toString(), $entity->url());
}
diff --git a/core/modules/field_ui/src/FieldConfigListBuilder.php b/core/modules/field_ui/src/FieldConfigListBuilder.php
index 1dd2c7c..d3feac1 100644
--- a/core/modules/field_ui/src/FieldConfigListBuilder.php
+++ b/core/modules/field_ui/src/FieldConfigListBuilder.php
@@ -8,6 +8,7 @@
namespace Drupal\field_ui;
use Drupal\Component\Utility\Html;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityManagerInterface;
@@ -130,7 +131,7 @@ class FieldConfigListBuilder extends ConfigEntityListBuilder {
$row = array(
'id' => Html::getClass($field_config->getName()),
'data' => array(
- 'label' => $field_config->getLabel(),
+ 'label' => SafeMarkup::checkPlain($field_config->getLabel()),
'field_name' => $field_config->getName(),
'field_type' => array(
'data' => array(
diff --git a/core/modules/file/src/Plugin/Field/FieldFormatter/BaseFieldFileFormatterBase.php b/core/modules/file/src/Plugin/Field/FieldFormatter/BaseFieldFileFormatterBase.php
index 31d5e05..8654712 100644
--- a/core/modules/file/src/Plugin/Field/FieldFormatter/BaseFieldFileFormatterBase.php
+++ b/core/modules/file/src/Plugin/Field/FieldFormatter/BaseFieldFileFormatterBase.php
@@ -56,17 +56,17 @@ abstract class BaseFieldFileFormatterBase extends FormatterBase {
}
foreach ($items as $delta => $item) {
- $view_value = $this->viewValue($item);
+ $string = $this->viewValue($item);
if ($url) {
$elements[$delta] = [
'#type' => 'link',
- '#title' => $view_value,
+ '#title' => $string,
'#url' => Url::fromUri($url),
];
}
else {
- $elements[$delta] = is_array($view_value) ? $view_value : ['#markup' => $view_value];
+ $elements[$delta] = is_array($string) ? $string : ['#markup' => $string];
}
}
diff --git a/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php b/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php
index acba472..fb69d9c 100644
--- a/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php
+++ b/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php
@@ -7,6 +7,7 @@
namespace Drupal\file\Plugin\Field\FieldWidget;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldFilteredString;
@@ -118,7 +119,7 @@ class FileWidget extends WidgetBase implements ContainerFactoryPluginInterface {
break;
}
- $title = $this->fieldDefinition->getLabel();
+ $title = SafeMarkup::checkPlain($this->fieldDefinition->getLabel());
$description = FieldFilteredString::create($this->fieldDefinition->getDescription());
$elements = array();
diff --git a/core/modules/filter/src/FilterFormatListBuilder.php b/core/modules/filter/src/FilterFormatListBuilder.php
index 685112a..5ae317e 100644
--- a/core/modules/filter/src/FilterFormatListBuilder.php
+++ b/core/modules/filter/src/FilterFormatListBuilder.php
@@ -98,10 +98,10 @@ class FilterFormatListBuilder extends DraggableListBuilder {
if ($entity->isFallbackFormat()) {
$fallback_choice = $this->configFactory->get('filter.settings')->get('always_show_fallback_choice');
if ($fallback_choice) {
- $row['roles']['#markup'] = $this->t('All roles may use this format');
+ $roles_markup = $this->t('All roles may use this format');
}
else {
- $row['roles']['#markup'] = $this->t('This format is shown when no other formats are available');
+ $roles_markup = $this->t('This format is shown when no other formats are available');
}
// Emphasize the fallback role text since it is important to understand
// how it works which configuring filter formats. Additionally, it is not
@@ -110,14 +110,12 @@ class FilterFormatListBuilder extends DraggableListBuilder {
$row['roles']['#suffix'] = '</em>';
}
else {
- $row['roles'] = [
- '#theme' => 'item_list',
- '#items' => filter_get_roles_by_format($entity),
- '#empty' => $this->t('No roles may use this format'),
- '#context' => ['list_style' => 'comma-list'],
- ];
+ $roles = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', filter_get_roles_by_format($entity));
+ $roles_markup = $roles ? implode(', ', $roles) : $this->t('No roles may use this format');
}
+ $row['roles']['#markup'] = $roles_markup;
+
return $row + parent::buildRow($entity);
}
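Review bot: Line 517 passes the callable as the string `'\Drupal\Component\Utility\SafeMarkup::checkPlain'`, which hides the dependency from the file's `use` block and from IDE and static-analysis rename checks. With a `use Drupal\Component\Utility\SafeMarkup;` import it becomes `$roles = array_map([SafeMarkup::class, 'checkPlain'], filter_get_roles_by_format($entity));`. Whether the file already imports `SafeMarkup` is not visible in this diff. buildRow() starts outside the hunk.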
diff --git a/core/modules/filter/src/Plugin/Filter/FilterHtml.php b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
index 4708cc6..63e3f57 100644
--- a/core/modules/filter/src/Plugin/Filter/FilterHtml.php
+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -149,7 +149,7 @@ class FilterHtml extends FilterBase {
array('data' =>
array(
'#prefix' => '<code>',
- '#plain_text' => $tips[$tag][1],
+ '#markup' => Html::escape($tips[$tag][1]),
'#suffix' => '</code>'
),
'class' => array('type')),
@@ -193,7 +193,7 @@ class FilterHtml extends FilterBase {
array(
'data' => array(
'#prefix' => '<code>',
- '#plain_text' => $entity[1],
+ '#markup' => Html::escape($entity[1]),
'#suffix' => '</code>',
),
'class' => array('type'),
diff --git a/core/modules/help/src/Controller/HelpController.php b/core/modules/help/src/Controller/HelpController.php
index 4ebd4c8..802f9d9 100644
--- a/core/modules/help/src/Controller/HelpController.php
+++ b/core/modules/help/src/Controller/HelpController.php
@@ -12,6 +12,7 @@ use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Url;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Drupal\Component\Utility\SafeMarkup;
/**
* Controller routines for help routes.
@@ -114,7 +115,7 @@ class HelpController extends ControllerBase {
$build = array();
if ($this->moduleHandler()->implementsHook($name, 'help')) {
$module_name = $this->moduleHandler()->getName($name);
- $build['#title'] = $module_name;
+ $build['#title'] = SafeMarkup::checkPlain($module_name);
$temp = $this->moduleHandler()->invoke($name, 'help', array("help.page.$name", $this->routeMatch));
if (empty($temp)) {
diff --git a/core/modules/language/src/Form/NegotiationConfigureForm.php b/core/modules/language/src/Form/NegotiationConfigureForm.php
index 7f23045..938564e 100644
--- a/core/modules/language/src/Form/NegotiationConfigureForm.php
+++ b/core/modules/language/src/Form/NegotiationConfigureForm.php
@@ -8,6 +8,7 @@
namespace Drupal\language\Form;
use Drupal\Core\Block\BlockManagerInterface;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Config\ConfigFactoryInterface;
@@ -276,22 +277,22 @@ class NegotiationConfigureForm extends ConfigFormBase {
if (isset($types[$type])) {
$table_form['#language_negotiation_info'][$method_id] = $method;
- $method_name = $method['name'];
+ $method_name = SafeMarkup::checkPlain($method['name']);
$table_form['weight'][$method_id] = array(
'#type' => 'weight',
- '#title' => $this->t('Weight for @title language detection method', array('@title' => Unicode::strtolower($method_name))),
+ '#title' => $this->t('Weight for !title language detection method', array('!title' => Unicode::strtolower($method_name))),
'#title_display' => 'invisible',
'#default_value' => $weight,
'#attributes' => array('class' => array("language-method-weight-$type")),
'#delta' => 20,
);
- $table_form['title'][$method_id] = array('#plain_text' => $method_name);
+ $table_form['title'][$method_id] = array('#markup' => $method_name);
$table_form['enabled'][$method_id] = array(
'#type' => 'checkbox',
- '#title' => $this->t('Enable @title language detection method', array('@title' => Unicode::strtolower($method_name))),
+ '#title' => $this->t('Enable !title language detection method', array('!title' => Unicode::strtolower($method_name))),
'#title_display' => 'invisible',
'#default_value' => $enabled,
);
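Review bot: Lines 584 and 595 switch to the `!title` placeholder, which performs no escaping, so these titles are safe only because `$method_name` is escaped at line 580 — a dependency spread over fifteen lines with nothing marking it. Add a comment at line 580, e.g. `// Escaped once here; the !title placeholders below must not escape it again.` Note also that `Unicode::strtolower()` is now applied to the escaped string rather than the raw name; presumably harmless for the few entities escaping produces, but it is a change in what gets lowercased. The enclosing method starts and ends outside the hunk.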
diff --git a/core/modules/locale/src/Form/TranslateEditForm.php b/core/modules/locale/src/Form/TranslateEditForm.php
index dbd450a..e9c5359 100644
--- a/core/modules/locale/src/Form/TranslateEditForm.php
+++ b/core/modules/locale/src/Form/TranslateEditForm.php
@@ -7,6 +7,7 @@
namespace Drupal\locale\Form;
+use Drupal\Component\Utility\Html;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Drupal\locale\SourceString;
@@ -72,9 +73,7 @@ class TranslateEditForm extends TranslateFormBase {
'#type' => 'item',
'#title' => $this->t('Source string (@language)', array('@language' => $this->t('Built-in English'))),
'#title_display' => 'invisible',
- '#plain_text' => $source_array[0],
- '#preffix' => '<span lang="en">',
- '#suffix' => '</span>',
+ '#markup' => '<span lang="en">' . Html::escape($source_array[0]) . '</span>',
);
}
else {
@@ -83,16 +82,13 @@ class TranslateEditForm extends TranslateFormBase {
$original_singular = [
'#type' => 'item',
'#title' => $this->t('Singular form'),
- '#plain_text' => $source_array[0],
- '#prefix' => '<span class="visually-hidden">' . $this->t('Source string (@language)', array('@language' => $this->t('Built-in English'))) . '</span><span lang="en">',
- '#suffix' => '</span>',
+ '#markup' => '<span lang="en">' . Html::escape($source_array[0]) . '</span>',
+ '#prefix' => '<span class="visually-hidden">' . $this->t('Source string (@language)', array('@language' => $this->t('Built-in English'))) . '</span>',
];
$original_plural = [
'#type' => 'item',
'#title' => $this->t('Plural form'),
- '#plain_text' => $source_array[1],
- '#preffix' => '<span lang="en">',
- '#suffix' => '</span>',
+ '#markup' => '<span lang="en">' . Html::escape($source_array[1]) . '</span>',
];
$form['strings'][$string->lid]['original'] = [
$original_singular,
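Review bot: The `'<span lang="en">' . Html::escape(...) . '</span>'` wrapper is built by hand at lines 627 and 636, and again at line 616 in the previous hunk; three copies of the same escape-plus-markup expression is where the next edit forgets the `Html::escape()`. A small local helper keeps the escaping in one place: `$english = function ($string) {` / `  return '<span lang="en">' . Html::escape($string) . '</span>';` / `};` and then `'#markup' => $english($source_array[0])`. The enclosing method starts and ends outside the hunk.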
diff --git a/core/modules/locale/src/Form/TranslationStatusForm.php b/core/modules/locale/src/Form/TranslationStatusForm.php
index f71ec52..d257139 100644
--- a/core/modules/locale/src/Form/TranslationStatusForm.php
+++ b/core/modules/locale/src/Form/TranslationStatusForm.php
@@ -7,6 +7,7 @@
namespace Drupal\locale\Form;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
@@ -81,7 +82,7 @@ class TranslationStatusForm extends FormBase {
// Build data options for the select table.
foreach ($updates as $langcode => $update) {
- $title = $languages[$langcode]->getName();
+ $title = SafeMarkup::checkPlain($languages[$langcode]->getName());
$locale_translation_update_info = array('#theme' => 'locale_translation_update_info');
foreach (array('updates', 'not_found') as $update_status) {
if (isset($update[$update_status])) {
@@ -93,7 +94,7 @@ class TranslationStatusForm extends FormBase {
'class' => array('label'),
'data' => array(
'#title' => $title,
- '#plain_text' => $title,
+ '#markup' => $title,
),
),
'status' => array(
diff --git a/core/modules/node/src/NodeListBuilder.php b/core/modules/node/src/NodeListBuilder.php
index 26f2876..7acbfc9 100644
--- a/core/modules/node/src/NodeListBuilder.php
+++ b/core/modules/node/src/NodeListBuilder.php
@@ -7,6 +7,7 @@
namespace Drupal\node;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Datetime\DateFormatter;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityListBuilder;
@@ -118,7 +119,7 @@ class NodeListBuilder extends EntityListBuilder {
'#suffix' => ' ' . drupal_render($mark),
'#url' => $uri,
);
- $row['type'] = node_get_type_label($entity);
+ $row['type'] = SafeMarkup::checkPlain(node_get_type_label($entity));
$row['author']['data'] = array(
'#theme' => 'username',
'#account' => $entity->getOwner(),
diff --git a/core/modules/node/src/NodeTypeForm.php b/core/modules/node/src/NodeTypeForm.php
index 24b47b3..ff757f9 100644
--- a/core/modules/node/src/NodeTypeForm.php
+++ b/core/modules/node/src/NodeTypeForm.php
@@ -9,6 +9,7 @@ namespace Drupal\node;
use Drupal\Core\Entity\EntityForm;
use Drupal\Core\Entity\EntityManagerInterface;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
@@ -54,7 +55,7 @@ class NodeTypeForm extends EntityForm {
$type = $this->entity;
if ($this->operation == 'add') {
- $form['#title'] = $this->t('Add content type');
+ $form['#title'] = SafeMarkup::checkPlain($this->t('Add content type'));
$fields = $this->entityManager->getBaseFieldDefinitions('node');
// Create a node with a fake bundle using the type's UUID so that we can
// get the default values for workflow settings.
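Review bot: `SafeMarkup::checkPlain($this->t('Add content type'))` on L701 escapes a translated string that the rest of this diff hands to `#title` unescaped (e.g. `'#title' => $this->t('Plural form')` in TranslateEditForm), so the call is redundant here and a translation containing `&` or quotes would show up double-encoded. If restoring this line is deliberate for the revert, a one-line comment saying why the title must be pre-escaped at this point would stop it being "cleaned up" again; otherwise `$form['#title'] = $this->t('Add content type');` matches the sibling forms. The enclosing form() method continues outside the hunk.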
diff --git a/core/modules/node/src/Plugin/Search/NodeSearch.php b/core/modules/node/src/Plugin/Search/NodeSearch.php
index ce5ddb6..bab5cc9 100644
--- a/core/modules/node/src/Plugin/Search/NodeSearch.php
+++ b/core/modules/node/src/Plugin/Search/NodeSearch.php
@@ -7,6 +7,7 @@
namespace Drupal\node\Plugin\Search;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Config\Config;
use Drupal\Core\Database\Connection;
@@ -345,7 +346,7 @@ class NodeSearch extends ConfigurableSearchPluginBase implements AccessibleInter
$result = array(
'link' => $node->url('canonical', array('absolute' => TRUE, 'language' => $language)),
- 'type' => $type->label(),
+ 'type' => SafeMarkup::checkPlain($type->label()),
'title' => $node->label(),
'node' => $node,
'extra' => $extra,
@@ -445,15 +446,9 @@ class NodeSearch extends ConfigurableSearchPluginBase implements AccessibleInter
$build = $node_render->view($node, 'search_index', $language->getId());
unset($build['#theme']);
+ $rendered = $this->renderer->renderPlain($build);
- // Add the title to text so it is searchable.
- $build['search_title'] = [
- '#prefix' => '<h1>',
- '#plain_text' => $node->label($language->getId()),
- '#suffix' => '</h1>',
- '#weight' => -1000
- ];
- $text = $this->renderer->renderPlain($build);
+ $text = '<h1>' . SafeMarkup::checkPlain($node->label($language->getId())) . '</h1>' . $rendered;
// Fetch extra data normally not visible.
$extra = $this->moduleHandler->invokeAll('node_update_index', array($node, $language->getId()));
diff --git a/core/modules/node/src/Tests/NodeTitleTest.php b/core/modules/node/src/Tests/NodeTitleTest.php
index 40460a6..ddf1fc6 100644
--- a/core/modules/node/src/Tests/NodeTitleTest.php
+++ b/core/modules/node/src/Tests/NodeTitleTest.php
@@ -8,7 +8,6 @@
namespace Drupal\node\Tests;
use Drupal\comment\Tests\CommentTestTrait;
-use Drupal\Component\Utility\Html;
/**
* Tests node title.
@@ -86,22 +85,5 @@ class NodeTitleTest extends NodeTestBase {
// Test that 0 appears in the template <h1>.
$xpath = '//h1';
$this->assertEqual(current($this->xpath($xpath)), 0, 'Node title is displayed as 0.', 'Node');
-
- // Test edge case where node title contains special characters.
- $edge_case_title = 'article\'s "title".';
- $settings = array(
- 'title' => $edge_case_title,
- );
- $node = $this->drupalCreateNode($settings);
- // Test that the title appears as <title>. The title will be escaped on the
- // the page.
- $edge_case_title_escaped = Html::escape($edge_case_title);
- $this->drupalGet('node/' . $node->id());
- $this->assertTitle($edge_case_title_escaped . ' | Drupal', 'Page title is equal to article\'s "title".', 'Node');
-
- // Test that the title appears as <title> when reloading the node page.
- $this->drupalGet('node/' . $node->id());
- $this->assertTitle($edge_case_title_escaped . ' | Drupal', 'Page title is equal to article\'s "title".', 'Node');
-
}
}
diff --git a/core/modules/node/src/Tests/NodeTitleXSSTest.php b/core/modules/node/src/Tests/NodeTitleXSSTest.php
index 70e4498..f0e80ea 100644
--- a/core/modules/node/src/Tests/NodeTitleXSSTest.php
+++ b/core/modules/node/src/Tests/NodeTitleXSSTest.php
@@ -7,8 +7,6 @@
namespace Drupal\node\Tests;
-use Drupal\Component\Utility\Html;
-
/**
* Create a node with dangerous tags in its title and test that they are
* escaped.
@@ -36,8 +34,8 @@ class NodeTitleXSSTest extends NodeTestBase {
$node = $this->drupalCreateNode($settings);
$this->drupalGet('node/' . $node->id());
- // Titles should be escaped.
- $this->assertTitle(Html::escape($title) . ' | Drupal', 'Title is displayed when viewing a node.');
+ // assertTitle() decodes HTML-entities inside the <title> element.
+ $this->assertTitle($title . ' | Drupal', 'Title is displayed when viewing a node.');
$this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
$this->drupalGet('node/' . $node->id() . '/edit');
diff --git a/core/modules/path/src/Form/EditForm.php b/core/modules/path/src/Form/EditForm.php
index a1f4a77..fc85a42 100644
--- a/core/modules/path/src/Form/EditForm.php
+++ b/core/modules/path/src/Form/EditForm.php
@@ -7,6 +7,7 @@
namespace Drupal\path\Form;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
@@ -35,7 +36,7 @@ class EditForm extends PathFormBase {
public function buildForm(array $form, FormStateInterface $form_state, $pid = NULL) {
$form = parent::buildForm($form, $form_state, $pid);
- $form['#title'] = $this->path['alias'];
+ $form['#title'] = SafeMarkup::checkPlain($this->path['alias']);
$form['pid'] = array(
'#type' => 'hidden',
'#value' => $this->path['pid'],
diff --git a/core/modules/simpletest/src/AssertContentTrait.php b/core/modules/simpletest/src/AssertContentTrait.php
index eaf4b41..c601943 100644
--- a/core/modules/simpletest/src/AssertContentTrait.php
+++ b/core/modules/simpletest/src/AssertContentTrait.php
@@ -775,19 +775,14 @@ trait AssertContentTrait {
* TRUE on pass, FALSE on fail.
*/
protected function assertTitle($title, $message = '', $group = 'Other') {
- // Don't use xpath as it messes with HTML escaping.
- preg_match('@<title>(.*)</title>@', $this->getRawContent(), $matches);
- if (isset($matches[1])) {
- $actual = $matches[1];
- if (!$message) {
- $message = SafeMarkup::format('Page title @actual is equal to @expected.', array(
- '@actual' => var_export($actual, TRUE),
- '@expected' => var_export($title, TRUE),
- ));
- }
- return $this->assertEqual($actual, $title, $message, $group);
+ $actual = (string) current($this->xpath('//title'));
+ if (!$message) {
+ $message = SafeMarkup::format('Page title @actual is equal to @expected.', array(
+ '@actual' => var_export($actual, TRUE),
+ '@expected' => var_export($title, TRUE),
+ ));
}
- return $this->fail('No title element found on the page.');
+ return $this->assertEqual($actual, $title, $message, $group);
}
/**
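Review bot: The rewritten assertTitle() no longer fails when the page has no `<title>` element: `current()` on an empty xpath() result returns FALSE, which `(string)` turns into '', so a missing title only fails when `$title` is non-empty and the message then blames a mismatch rather than the absent element. Keep the explicit check before the cast: `$elements = $this->xpath('//title'); if (empty($elements)) { return $this->fail('No title element found on the page.'); } $actual = (string) current($elements);`. Since the xpath path decodes entities, callers now compare against the decoded title (as the comment added in NodeTitleXSSTest says); a sentence to that effect belongs in the method docblock, whose head is outside the hunk.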
diff --git a/core/modules/system/src/Form/ModulesListForm.php b/core/modules/system/src/Form/ModulesListForm.php
index 0a52d2f..289928f 100644
--- a/core/modules/system/src/Form/ModulesListForm.php
+++ b/core/modules/system/src/Form/ModulesListForm.php
@@ -7,6 +7,7 @@
namespace Drupal\system\Form;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Config\PreExistingConfigException;
use Drupal\Core\Config\UnmetDependenciesException;
@@ -168,7 +169,7 @@ class ModulesListForm extends FormBase {
*/
public function buildForm(array $form, FormStateInterface $form_state) {
require_once DRUPAL_ROOT . '/core/includes/install.inc';
- $distribution = drupal_install_profile_distribution_name();
+ $distribution = SafeMarkup::checkPlain(drupal_install_profile_distribution_name());
// Include system.admin.inc so we can use the sort callbacks.
$this->moduleHandler->loadInclude('system', 'inc', 'system.admin');
diff --git a/core/modules/system/src/Tests/System/PageTitleTest.php b/core/modules/system/src/Tests/System/PageTitleTest.php
index 56fa556..369b554 100644
--- a/core/modules/system/src/Tests/System/PageTitleTest.php
+++ b/core/modules/system/src/Tests/System/PageTitleTest.php
@@ -147,6 +147,15 @@ class PageTitleTest extends WebTestBase {
$this->drupalGet('test-page-cached-controller');
$this->assertTitle('Cached title | Drupal');
$this->assertRaw(Html::escape('<span>Cached title</span>') . '</h1>');
+
+ // Ensure that titles are cacheable and are escaped normally if the
+ // controller escapes them use Html::escape().
+ $this->drupalGet('test-page-cached-controller-safe');
+ $this->assertTitle('<span>Cached title</span> | Drupal');
+ $this->assertRaw(Html::escape('<span>Cached title</span>') . '</h1>');
+ $this->drupalGet('test-page-cached-controller-safe');
+ $this->assertTitle('<span>Cached title</span> | Drupal');
+ $this->assertRaw(Html::escape('<span>Cached title</span>') . '</h1>');
}
}
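Review bot: The comment on L865-866 says the controller escapes titles "use Html::escape()", but the route it exercises (`test-page-cached-controller-safe`) goes through controllerWithCache(), which in this diff escapes with `SafeMarkup::checkPlain()`; the comment should name what the code actually calls, e.g. `// Ensure that titles are cacheable and are escaped normally if the controller escapes them with SafeMarkup::checkPlain().` The second drupalGet()/assert pair on L870-872 repeats the first with no comment; if the intent is to hit the render cache on the second request, saying so (`// Second request should be served from cache with the same escaping.`) makes the duplication look deliberate rather than a copy-paste.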
diff --git a/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php b/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php
index 73f39b1..342151e 100644
--- a/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php
+++ b/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php
@@ -7,6 +7,7 @@
namespace Drupal\database_test\Form;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\user\Entity\User;
@@ -55,8 +56,8 @@ class DatabaseTestForm extends FormBase {
foreach (User::loadMultiple($uids) as $account) {
$options[$account->id()] = array(
- 'title' => array('data' => array('#title' => $account->getUsername())),
- 'username' => $account->getUsername(),
+ 'title' => array('data' => array('#title' => SafeMarkup::checkPlain($account->getUsername()))),
+ 'username' => SafeMarkup::checkPlain($account->getUsername()),
'status' => $account->isActive() ? t('active') : t('blocked'),
);
}
diff --git a/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php b/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php
index 9c347be..a7fa82c 100644
--- a/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php
+++ b/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php
@@ -7,6 +7,7 @@
namespace Drupal\form_test;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;
@@ -37,7 +38,7 @@ class FormTestArgumentsObject extends ConfigFormBase {
$form['bananas'] = array(
'#type' => 'textfield',
- '#default_value' => $arg,
+ '#default_value' => SafeMarkup::checkPlain($arg),
'#title' => $this->t('Bananas'),
);
diff --git a/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php b/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php
index 934e6a2..b0d4136 100644
--- a/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php
+++ b/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php
@@ -7,7 +7,7 @@
namespace Drupal\test_page_test\Controller;
-use Drupal\Component\Utility\Html;
+use Drupal\Component\Utility\SafeMarkup;
/**
* Defines a test controller for page titles.
@@ -54,13 +54,19 @@ class Test {
/**
* Defines a controller with a cached render array.
*
+ * @param bool $mark_safe
+ * Whether or not to mark the title as safe use SafeMarkup::checkPlain.
+ *
* @return array
* A render array
*/
- public function controllerWithCache() {
+ public function controllerWithCache($mark_safe = FALSE) {
$build = [];
$build['#title'] = '<span>Cached title</span>';
- $build['#cache']['keys'] = ['test_controller', 'with_title'];
+ if ($mark_safe) {
+ $build['#title'] = SafeMarkup::checkPlain($build['#title']);
+ }
+ $build['#cache']['keys'] = ['test_controller', 'with_title', $mark_safe];
return $build;
}
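Review bot: `$build['#cache']['keys'] = ['test_controller', 'with_title', $mark_safe];` on L939 puts a boolean into the cache keys; it presumably only works because FALSE and TRUE stringify to '' and '1' when the keys are joined, which is easy to break and unreadable in the cache backend. Prefer an explicit string: `$build['#cache']['keys'] = ['test_controller', 'with_title', $mark_safe ? 'safe' : 'unsafe'];`. The parameter docblock on L926 also reads oddly; `Whether to escape the title with SafeMarkup::checkPlain() before returning it.` says the same thing in plain English.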
diff --git a/core/modules/system/tests/modules/test_page_test/test_page_test.routing.yml b/core/modules/system/tests/modules/test_page_test/test_page_test.routing.yml
index 2408423..5330be8 100644
--- a/core/modules/system/tests/modules/test_page_test/test_page_test.routing.yml
+++ b/core/modules/system/tests/modules/test_page_test/test_page_test.routing.yml
@@ -28,6 +28,14 @@ test_page_test.cached_controller:
requirements:
_access: 'TRUE'
+test_page_test.cached_controller.safe:
+ path: '/test-page-cached-controller-safe'
+ defaults:
+ _controller: '\Drupal\test_page_test\Controller\Test::controllerWithCache'
+ mark_safe: true
+ requirements:
+ _access: 'TRUE'
+
test_page_test.dynamic_title:
path: '/test-page-dynamic-title'
defaults:
diff --git a/core/modules/tracker/tracker.pages.inc b/core/modules/tracker/tracker.pages.inc
index 47bd3ef..ffbf316 100644
--- a/core/modules/tracker/tracker.pages.inc
+++ b/core/modules/tracker/tracker.pages.inc
@@ -5,6 +5,7 @@
* User page callbacks for tracker.module.
*/
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache;
use Drupal\node\Entity\Node;
@@ -84,7 +85,7 @@ function tracker_page($account = NULL) {
}
$row = array(
- 'type' => node_get_type_label($node),
+ 'type' => SafeMarkup::checkPlain(node_get_type_label($node)),
'title' => array(
'data' => array(
'#type' => 'link',
diff --git a/core/modules/update/src/Form/UpdateManagerUpdate.php b/core/modules/update/src/Form/UpdateManagerUpdate.php
index cafa4d1..f0f64ea 100644
--- a/core/modules/update/src/Form/UpdateManagerUpdate.php
+++ b/core/modules/update/src/Form/UpdateManagerUpdate.php
@@ -7,6 +7,7 @@
namespace Drupal\update\Form;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
@@ -114,14 +115,14 @@ class UpdateManagerUpdate extends FormBase {
$project_name = $this->l($project['title'], Url::fromUri($project['link']));
}
else {
- $project_name = $project['title'];
+ $project_name = SafeMarkup::checkPlain($project['title']);
}
}
elseif (!empty($project['info']['name'])) {
- $project_name = $project['info']['name'];
+ $project_name = SafeMarkup::checkPlain($project['info']['name']);
}
else {
- $project_name = $name;
+ $project_name = SafeMarkup::checkPlain($name);
}
if ($project['project_type'] == 'theme' || $project['project_type'] == 'theme-disabled') {
$project_name .= ' ' . $this->t('(Theme)');
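Review bot: After the three branches assign `$project_name` an escaped string (L993, L998, L1002), L1005 concatenates `' ' . $this->t('(Theme)')` onto it, producing a new plain PHP string; whether the escaped status survives that concatenation depends on how SafeMarkup tracks safe strings, so it is worth confirming the value is later output in a context that does not escape again (otherwise a project name containing `&` renders as `&amp;amp;`). The same escape-then-concatenate pattern appears in DisplayPluginBase at L1090 (`SafeMarkup::checkPlain(...) . ': '`) and in ViewEditForm at L1159 (`'(' . $relationships[...] . ') ' . $field_name`). A comment at the first occurrence, `// $project_name is already HTML-escaped; only append escaped or translated text to it.`, would stop the next maintainer from appending raw values.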
diff --git a/core/modules/user/src/Form/UserPermissionsForm.php b/core/modules/user/src/Form/UserPermissionsForm.php
index e96efda..0e0a01a 100644
--- a/core/modules/user/src/Form/UserPermissionsForm.php
+++ b/core/modules/user/src/Form/UserPermissionsForm.php
@@ -7,6 +7,7 @@
namespace Drupal\user\Form;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
@@ -93,7 +94,7 @@ class UserPermissionsForm extends FormBase {
$admin_roles = array();
foreach ($this->getRoles() as $role_name => $role) {
// Retrieve role names for columns.
- $role_names[$role_name] = $role->label();
+ $role_names[$role_name] = SafeMarkup::checkPlain($role->label());
// Fetch permissions for the roles.
$role_permissions[$role_name] = $role->getPermissions();
$admin_roles[$role_name] = $role->isAdmin();
diff --git a/core/modules/user/src/Plugin/views/access/Permission.php b/core/modules/user/src/Plugin/views/access/Permission.php
index fab8f88..0dc5165 100644
--- a/core/modules/user/src/Plugin/views/access/Permission.php
+++ b/core/modules/user/src/Plugin/views/access/Permission.php
@@ -7,6 +7,7 @@
namespace Drupal\user\Plugin\views\access;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Session\AccountInterface;
@@ -120,7 +121,7 @@ class Permission extends AccessPluginBase implements CacheablePluginInterface {
foreach ($permissions as $perm => $perm_item) {
$provider = $perm_item['provider'];
$display_name = $this->moduleHandler->getName($provider);
- $perms[$display_name][$perm] = strip_tags($perm_item['title']);
+ $perms[$display_name][$perm] = SafeMarkup::checkPlain(strip_tags($perm_item['title']));
}
$form['perm'] = array(
diff --git a/core/modules/user/src/UserListBuilder.php b/core/modules/user/src/UserListBuilder.php
index 85b52f2..7575b86 100644
--- a/core/modules/user/src/UserListBuilder.php
+++ b/core/modules/user/src/UserListBuilder.php
@@ -138,7 +138,7 @@ class UserListBuilder extends EntityListBuilder {
);
$row['status'] = $entity->isActive() ? $this->t('active') : $this->t('blocked');
- $roles = user_role_names(TRUE);
+ $roles = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names(TRUE));
unset($roles[RoleInterface::AUTHENTICATED_ID]);
$users_roles = array();
foreach ($entity->getRoles() as $role) {
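Review bot: L1051 passes the callback as the string `'\Drupal\Component\Utility\SafeMarkup::checkPlain'`, which bypasses the file's `use` imports and is invisible to static analysis and IDE refactoring, while every other file in this diff imports SafeMarkup and calls it directly. A closure keeps the dependency visible: `$roles = array_map(function ($name) { return SafeMarkup::checkPlain($name); }, user_role_names(TRUE));` with `use Drupal\Component\Utility\SafeMarkup;` at the top of the file (this diff has no header hunk for UserListBuilder, so it may already be imported). The enclosing method starts and ends outside the hunk.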
diff --git a/core/modules/views/src/Plugin/views/display/Block.php b/core/modules/views/src/Plugin/views/display/Block.php
index 08e4467..411c50e 100644
--- a/core/modules/views/src/Plugin/views/display/Block.php
+++ b/core/modules/views/src/Plugin/views/display/Block.php
@@ -7,6 +7,7 @@
namespace Drupal\views\Plugin\views\display;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\views\Plugin\Block\ViewsBlock;
@@ -148,7 +149,7 @@ class Block extends DisplayPluginBase {
if (empty($block_description)) {
$block_description = $this->t('None');
}
- $block_category = $this->getOption('block_category');
+ $block_category = SafeMarkup::checkPlain($this->getOption('block_category'));
$options['block_description'] = array(
'category' => 'block',
diff --git a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
index 534925c..f9ae57a 100644
--- a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
+++ b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
@@ -1062,7 +1062,7 @@ abstract class DisplayPluginBase extends PluginBase implements DisplayPluginInte
}
// Use strip tags as there should never be HTML in the path.
// However, we need to preserve special characters like " that
- // were encoded by \Drupal\Component\Utility\Html::escape().
+ // were removed by SafeMarkup::checkPlain().
$tokens["!$count"] = isset($this->view->args[$count - 1]) ? strip_tags(Html::decodeEntities($this->view->args[$count - 1])) : '';
}
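Review bot: The restored comment on L1082 says the special characters "were removed by SafeMarkup::checkPlain()", but checkPlain() entity-encodes characters such as `"` rather than removing them, which is exactly why the next line calls `Html::decodeEntities()` before `strip_tags()`. Suggest `// were encoded by SafeMarkup::checkPlain().` so the comment matches what the code undoes. The enclosing method starts and ends outside the hunk.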
@@ -1394,7 +1394,7 @@ abstract class DisplayPluginBase extends PluginBase implements DisplayPluginInte
if ($this->defaultableSections($section)) {
views_ui_standard_display_dropdown($form, $form_state, $section);
}
- $form['#title'] = $this->display['display_title'] . ': ';
+ $form['#title'] = SafeMarkup::checkPlain($this->display['display_title']) . ': ';
// Set the 'section' to highlight on the form.
// If it's the item we're looking at is pulling from the default display,
diff --git a/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php b/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php
index 8c716f1..d2e9fe8 100644
--- a/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php
+++ b/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php
@@ -766,7 +766,7 @@ abstract class FilterPluginBase extends HandlerBase implements CacheablePluginIn
$value = $this->options['group_info']['identifier'];
$form[$value] = array(
- '#title' => $this->options['group_info']['label'],
+ '#title' => SafeMarkup::checkPlain($this->options['group_info']['label']),
'#type' => $this->options['group_info']['widget'],
'#default_value' => $this->group_info,
'#options' => $groups,
diff --git a/core/modules/views/src/Tests/SearchIntegrationTest.php b/core/modules/views/src/Tests/SearchIntegrationTest.php
index 78c43ac..2edd22d 100644
--- a/core/modules/views/src/Tests/SearchIntegrationTest.php
+++ b/core/modules/views/src/Tests/SearchIntegrationTest.php
@@ -108,16 +108,15 @@ class SearchIntegrationTest extends ViewTestBase {
'type' => $type->id(),
];
$this->drupalCreateNode($node);
- $node['title'] = "Drupal's search rocks <em>really</em> rocks!";
+ $node['title'] = "Drupal's search rocks really rocks!";
$this->drupalCreateNode($node);
$this->cronRun();
$this->drupalGet('test-arg/rocks');
$xpath = '//div[@class="views-row"]//a';
/** @var \SimpleXMLElement[] $results */
$results = $this->xpath($xpath);
- $this->assertEqual((string) $results[0], "Drupal's search rocks <em>really</em> rocks!");
+ $this->assertEqual((string) $results[0], "Drupal's search rocks really rocks!");
$this->assertEqual((string) $results[1], "Drupal's search rocks.");
- $this->assertEscaped("Drupal's search rocks <em>really</em> rocks!");
// Test sorting with another set of titles.
$node = [
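Review bot: Dropping the `<em>really</em>` title and the `assertEscaped()` call on L1113-L1124 removes the only check in this test that HTML in a node title is escaped in search result links, so a regression there would now go unnoticed. If the HTML-containing title cannot pass with the reverted code, a comment naming the follow-up would help, e.g. `// TODO: re-add a title containing HTML once search result titles are escaped consistently.`; otherwise keeping an escaped-title assertion next to the plain-text one preserves the coverage. The enclosing test method continues outside the hunk.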
diff --git a/core/modules/views_ui/src/Tests/XssTest.php b/core/modules/views_ui/src/Tests/XssTest.php
index a847434..21080cb 100644
--- a/core/modules/views_ui/src/Tests/XssTest.php
+++ b/core/modules/views_ui/src/Tests/XssTest.php
@@ -23,10 +23,10 @@ class XssTest extends UITestBase {
public function testViewsUi() {
$this->drupalGet('admin/structure/views');
- $this->assertEscaped('<script>alert("foo");</script>, <marquee>test</marquee>', 'The view tag is properly escaped.');
+ $this->assertRaw('&lt;script&gt;alert(&quot;foo&quot;);&lt;/script&gt;, &lt;marquee&gt;test&lt;/marquee&gt;', 'The view tag is properly escaped.');
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
- $this->assertEscaped('<marquee>test</marquee>', 'Field admin label is properly escaped.');
+ $this->assertRaw('&amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;', 'Field admin label is properly escaped.');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertRaw('[title] == &amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;', 'Token label is properly escaped.');
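Review bot: The assertion on L1138 expects `&amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;` on the view edit page, i.e. the field admin label is encoded twice, so an administrator sees the literal text `&lt;marquee&gt;` instead of `<marquee>`; the test pins that display defect as expected output while the message says the label is "properly escaped". Compare L1135, where the view tag on the listing page is expected to be escaped exactly once. If the double encoding is a known limitation of the reverted-to code, a comment above the assertion such as `// NOTE: the admin label is currently encoded twice on this page; tighten this once it is escaped only at output.` would flag it for the next reader (the cause is inferred, so confirm before writing it).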
diff --git a/core/modules/views_ui/src/ViewEditForm.php b/core/modules/views_ui/src/ViewEditForm.php
index e13ae62..05bc5fd 100644
--- a/core/modules/views_ui/src/ViewEditForm.php
+++ b/core/modules/views_ui/src/ViewEditForm.php
@@ -494,7 +494,7 @@ class ViewEditForm extends ViewFormBase {
$build['top']['display_title'] = array(
'#theme' => 'views_ui_display_tab_setting',
'#description' => $this->t('Display name'),
- '#link' => $view->getExecutable()->displayHandlers->get($display['id'])->optionLink($display_title, 'display_title'),
+ '#link' => $view->getExecutable()->displayHandlers->get($display['id'])->optionLink(SafeMarkup::checkPlain($display_title), 'display_title'),
);
}
@@ -1060,7 +1060,7 @@ class ViewEditForm extends ViewFormBase {
continue;
}
- $field_name = $handler->adminLabel(TRUE);
+ $field_name = SafeMarkup::checkPlain($handler->adminLabel(TRUE));
if (!empty($field['relationship']) && !empty($relationships[$field['relationship']])) {
$field_name = '(' . $relationships[$field['relationship']] . ') ' . $field_name;
}
diff --git a/core/modules/views_ui/src/ViewListBuilder.php b/core/modules/views_ui/src/ViewListBuilder.php
index 0d8125b..ece0acf 100644
--- a/core/modules/views_ui/src/ViewListBuilder.php
+++ b/core/modules/views_ui/src/ViewListBuilder.php
@@ -7,6 +7,7 @@
namespace Drupal\views_ui;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Plugin\PluginManagerInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
@@ -277,7 +278,7 @@ class ViewListBuilder extends ConfigEntityListBuilder {
$all_paths[] = \Drupal::l('/' . $path, Url::fromUserInput('/' . $path));
}
else {
- $all_paths[] = '/' . $path;
+ $all_paths[] = SafeMarkup::checkPlain('/' . $path);
}
}
}
diff --git a/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php b/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
index 4089d3a..d4bc2b6 100644
--- a/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
+++ b/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
@@ -7,7 +7,6 @@
namespace Drupal\Tests\views_ui\Unit;
-use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Tests\UnitTestCase;
@@ -166,10 +165,7 @@ class ViewListBuilderTest extends UnitTestCase {
$this->assertEquals($expected_displays, $row['data']['view_name']['data']['#displays']);
$display_paths = $row['data']['path']['data']['#items'];
- // These values will be escaped by Twig when rendered.
- $this->assertEquals('/test_page, /<object>malformed_path</object>, /<script>alert("placeholder_page/%")</script>', implode(', ', $display_paths));
- $this->assertFalse(SafeMarkup::isSafe('/<object>malformed_path</object>'), '/<script>alert("/<object>malformed_path</object> is not marked safe.');
- $this->assertFalse(SafeMarkup::isSafe('/<script>alert("placeholder_page/%")'), '/<script>alert("/<script>alert("placeholder_page/%") is not marked safe.');
+ $this->assertEquals('/test_page, /&lt;object&gt;malformed_path&lt;/object&gt;, /&lt;script&gt;alert(&quot;placeholder_page/%&quot;)&lt;/script&gt;', implode(', ', $display_paths));
}
}