diff --git a/core/lib/Drupal/Component/Render/FormattableMarkup.php b/core/lib/Drupal/Component/Render/FormattableMarkup.php
index d9fbf2f43937994fd2ca1a409eab6b8c85764a5c..e5637e34db7e5c3f1e68363dddef84381942b618 100644
--- a/core/lib/Drupal/Component/Render/FormattableMarkup.php
+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -227,11 +227,16 @@ protected static function placeholderFormat($string, array $args) {
default:
// We do not trigger an error for placeholder that start with an
// alphabetic character.
+ // @todo https://www.drupal.org/node/2807743 Change to an exception
+ // and always throw regardless of the first character.
if (!ctype_alpha($key[0])) {
// We trigger an error as we may want to introduce new placeholders
// in the future without breaking backward compatibility.
trigger_error('Invalid placeholder (' . $key . ') in string: ' . $string, E_USER_ERROR);
}
+ // If the placeholder is not a recognised placeholder ensure non-safe
+ // values are escaped.
+ $args[$key] = '' . static::placeholderEscape($value) . '';
break;
}
}
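Review bot: The wrapper strings on `$args[$key] = '' . static::placeholderEscape($value) . '';` are both empty, so the concatenation is a no-op and reads as though surrounding markup was dropped; either simplify it to `$args[$key] = static::placeholderEscape($value);` or restore the intended literal wrapper, which must stay a constant under the code's control (never derived from `$key` or `$value`) or the escaping on `$value` is undone. Keeping the escape on this line is worth calling out explicitly, because `trigger_error(..., E_USER_ERROR)` above only aborts when no error handler downgrades it: with a non-fatal handler execution falls through to this line, so the escape is also the safety net for the non-alpha case until the @todo turns it into an exception. I would extend the comment to `// Unrecognised placeholders are escaped; this also covers the non-alpha case when a custom error handler does not abort on E_USER_ERROR.` Whether MarkupInterface values are passed through unescaped by placeholderEscape() cannot be seen here and should be confirmed. placeholderFormat() starts and ends outside this hunk.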
diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
index cbf86d209d4d02049f3642dd068ffe416ba16fe2..b149769e55462a91d0ba03306888fe3c04623950 100644
--- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
@@ -137,7 +137,7 @@ public function testFormat($string, array $args, $expected, $message, $expected_
UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']);
$result = SafeMarkup::format($string, $args);
- $this->assertEquals($expected, $result, $message);
+ $this->assertEquals($expected, (string) $result, $message);
$this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
foreach ($args as $arg) {
@@ -171,6 +171,8 @@ function providerFormat() {
$tests['non-url-with-colon'] = ['Hey giraffe MUUUH', [':url' => "llamas: they are not URLs"], 'Hey giraffe MUUUH', '', TRUE];
$tests['non-url-with-html'] = ['Hey giraffe MUUUH', [':url' => "not a url"], 'Hey giraffe MUUUH', '', TRUE];
+ // Tests non-standard placeholders.
+ $tests['non-standard-placeholder'] = ['Hey risky', ['risky' => ""], 'Hey <script>alert('foo');</script>', '', TRUE];
return $tests;
}
/**
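Review bot: The new `non-standard-placeholder` case is self-contradictory as written: its argument is an empty string (`['risky' => ""]`) while the expected output `'Hey <script>alert('foo');</script>'` contains raw script markup, and the unescaped single quotes around `foo` do not parse inside a single-quoted PHP literal. If the intent is to prove that an unrecognised placeholder is escaped, the argument should carry the markup and the expectation should be its escaped form, e.g. `['risky' => "<script>alert('foo');</script>"]` with expected `'Hey &lt;script&gt;alert(&#039;foo&#039;);&lt;/script&gt;'` (exact entity form depends on placeholderEscape(), which is not visible here). As it stands the case would either fail to compile or assert that unescaped script reaches the output, which is the opposite of what the change under test guarantees. The provider ends at `return $tests;` within this hunk, so no further cases depend on it.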