author | Alex Pott | 2018-05-11 09:14:14 (GMT) |
---|---|---|
committer | Alex Pott | 2018-05-11 09:14:14 (GMT) |
commit | 4105b5560b4f3b9f29734b6ab12e213367c9fd5a (patch) | |
tree | d3306d5c760c9c1dec4c8c06fa6afa138cad6dfa /core/lib/Drupal/Core/Render | |
parent | d6caa271211ac9eb5c8663d1a1dd7ceb0246f31a (diff) |
Issue #2528284 by cilefen, dawehner, Cottser, David_Rothstein: Document that alternate Drupal 8 theme engines must implement auto-escape or they are not secure
Diffstat (limited to 'core/lib/Drupal/Core/Render')
-rw-r--r-- | core/lib/Drupal/Core/Render/theme.api.php | 6 |
1 files changed, 6 insertions, 0 deletions
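diff --git a/core/lib/Drupal/Core/Render/theme.api.php b/core/lib/Drupal/Core/Render/theme.api.php
index 754641c..2bb2eb9 100644
--- a/core/lib/Drupal/Core/Render/theme.api.php
+++ b/core/lib/Drupal/Core/Render/theme.api.php
@@ -765,6 +765,12 @@ function hook_extension() {
 /**
  * Render a template using the theme engine.
  *
+ * It is the theme engine's responsibility to escape variables. The only
+ * exception is if a variable implements
+ * \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
+ * other variables are not escaped. The helper function
+ * theme_render_and_autoescape() may be used for this.
+ *
  * @param string $template_file
  *   The path (relative to the Drupal root directory) to the template to be
  *   rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.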
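Review bot: The added sentence `Drupal is inherently unsafe if other variables are not escaped` names no concrete risk, so a theme engine author reading this docblock is not told what actually goes wrong; I would replace it with `* \Drupal\Component\Render\MarkupInterface. Any other variable that reaches the` / `* rendered output without being escaped is a cross-site scripting (XSS) vector.` so the failure mode is explicit. The mention of theme_render_and_autoescape() would also be more discoverable as an `@see theme_render_and_autoescape()` tag at the end of the docblock, where API documentation tools turn it into a cross-link. The function this docblock documents begins after the hunk, so its signature is not visible here.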