authorAlex Pott2018-05-11 09:14:14 (GMT)
committerAlex Pott2018-05-11 09:14:14 (GMT)
commit4105b5560b4f3b9f29734b6ab12e213367c9fd5a (patch)
treed3306d5c760c9c1dec4c8c06fa6afa138cad6dfa /core/lib/Drupal/Core/Render
parentd6caa271211ac9eb5c8663d1a1dd7ceb0246f31a (diff)
Issue #2528284 by cilefen, dawehner, Cottser, David_Rothstein: Document that alternate Drupal 8 theme engines must implement auto-escape or they are not secure
Diffstat (limited to 'core/lib/Drupal/Core/Render')
-rw-r--r--core/lib/Drupal/Core/Render/theme.api.php6
1 files changed, 6 insertions, 0 deletions
diff --git a/core/lib/Drupal/Core/Render/theme.api.php b/core/lib/Drupal/Core/Render/theme.api.php
index 754641c..2bb2eb9 100644
--- a/core/lib/Drupal/Core/Render/theme.api.php
+++ b/core/lib/Drupal/Core/Render/theme.api.php
@@ -765,6 +765,12 @@ function hook_extension() {
/**
* Render a template using the theme engine.
*
+ * It is the theme engine's responsibility to escape variables. The only
+ * exception is if a variable implements
+ * \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
+ * other variables are not escaped. The helper function
+ * theme_render_and_autoescape() may be used for this.
+ *
* @param string $template_file
* The path (relative to the Drupal root directory) to the template to be
* rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.
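Review bot: The new docblock text says the engine must "escape variables" but never names the output context, and escaping is context-specific; since this hook renders a template into HTML, the line should say so explicitly, e.g. `* It is the theme engine's responsibility to escape variables for HTML output.` The sentence `Drupal is inherently unsafe if other variables are not escaped` is also vague about the actual risk; `Any engine that does not escape other variables exposes the site to cross-site scripting (XSS)` tells an engine author what the requirement is protecting against. It would also help to state that the MarkupInterface exception applies only because such values are already marked safe, so an engine must not escape them twice. The enclosing hook_render_template() docblock continues outside the hunk.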