diff --git a/core/lib/Drupal/Component/Utility/Html.php b/core/lib/Drupal/Component/Utility/Html.php
index 892f069..6470943 100644
--- a/core/lib/Drupal/Component/Utility/Html.php
+++ b/core/lib/Drupal/Component/Utility/Html.php
@@ -366,7 +366,8 @@ public static function decodeEntities($text) {
 * - < (less than) becomes <
 * - > (greater than) becomes >
 * Special characters that have already been escaped will be double-escaped
- * (for example, "<" becomes "&lt;").
+ * (for example, "<" becomes "&lt;"), and invalid UTF-8 encoding
+ * will be converted to the Unicode replacement character ("�").
 *
 * This method is not the opposite of Html::decodeEntities(). For example,
 * this method will not encode "é" to "é", whereas
@@ -385,7 +386,7 @@ public static function decodeEntities($text) {
 * @ingroup sanitization
 */
 public static function escape($text) {
- return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
+ return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
 }
 
 }
diff --git a/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php b/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
index a8f2614..178a662 100644
--- a/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
@@ -288,6 +288,7 @@ public function providerEscape() {
 array('→', '→'),
 array('➼', '➼'),
 array('€', '€'),
+ array('Drup�al', "Drup\x80al"),
 );
 }
 
diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
index 90a475f..fa1ef85 100644
--- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
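Review bot: The rewritten `htmlspecialchars()` call in `escape()` changes the failure mode for invalid UTF-8 from an empty result to U+FFFD substitution, but the method body carries no comment saying so; the docblock hunk above is the only place it is recorded, and a reader of the return line alone will not see why `ENT_SUBSTITUTE` was added. A why-comment directly above the return would capture it: `// ENT_SUBSTITUTE: an invalid byte sequence becomes U+FFFD instead of the whole result collapsing to '', so the surrounding text is still escaped and kept.` Any caller that presumably treated the former empty return as an "invalid encoding" signal now receives a non-empty string; that is not visible in this hunk and is worth checking before merge, since `escape()` is tagged `@ingroup sanitization`.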
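Review bot: The added providerEscape() row covers only a lone continuation byte (`\x80`) between ASCII letters; the case that matters for the escaping contract is an invalid lead byte immediately followed by a character `escape()` must encode, which shows that substitution does not swallow the `<` or `"` that comes after it. Assuming the row order is (expected, input) as the new row suggests, a second row such as `array('�&lt;', "\xC2<"),` would pin that. providerEscape() begins before this hunk.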
@@ -45,11 +45,11 @@ public function testSet($text, $message) {
 * @see testSet()
 */
 public function providerSet() {
- // Checks that invalid multi-byte sequences are rejected.
- $tests[] = array("Foo\xC0barbaz", '', 'SafeMarkup::checkPlain() rejects invalid sequence "Foo\xC0barbaz"', TRUE);
- $tests[] = array("Fooÿñ", 'SafeMarkup::set() accepts valid sequence "Fooÿñ"');
- $tests[] = array(new TextWrapper("Fooÿñ"), 'SafeMarkup::set() accepts valid sequence "Fooÿñ" in an object implementing __toString()');
- $tests[] = array("
", 'SafeMarkup::set() accepts HTML');
+ // Checks that invalid multi-byte sequences are escaped.
+ $tests[] = array("Foo\xC0barbaz", 'Foo�barbaz', 'Invalid sequence "Foo\xC0barbaz" is escaped', TRUE);
+ $tests[] = array("Fooÿñ", 'SafeMarkup::set() does not escape valid sequence "Fooÿñ"');
+ $tests[] = array(new TextWrapper("Fooÿñ"), 'SafeMarkup::set() does not escape valid sequence "Fooÿñ" in an object implementing __toString()');
+ $tests[] = array("
", 'SafeMarkup::set() does not escape HTML');
 return $tests;
 }
 
@@ -140,10 +140,10 @@ function testCheckPlain($text, $expected, $message, $ignorewarnings = FALSE) {
 * @see testCheckPlain()
 */
 function providerCheckPlain() {
- // Checks that invalid multi-byte sequences are rejected.
- $tests[] = array("Foo\xC0barbaz", '', 'SafeMarkup::checkPlain() rejects invalid sequence "Foo\xC0barbaz"', TRUE);
- $tests[] = array("\xc2\"", '', 'SafeMarkup::checkPlain() rejects invalid sequence "\xc2\""', TRUE);
- $tests[] = array("Fooÿñ", "Fooÿñ", 'SafeMarkup::checkPlain() accepts valid sequence "Fooÿñ"');
+ // Checks that invalid multi-byte sequences are escaped.
+ $tests[] = array("Foo\xC0barbaz", 'Foo�barbaz', 'SafeMarkup::checkPlain() escapes invalid sequence "Foo\xC0barbaz"', TRUE);
+ $tests[] = array("\xc2\"", '�"', 'SafeMarkup::checkPlain() escapes invalid sequence "\xc2\""', TRUE);
+ $tests[] = array("Fooÿñ", "Fooÿñ", 'SafeMarkup::checkPlain() does not escape valid sequence "Fooÿñ"');
 // Checks that special characters are escaped.
 $tests[] = array("
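Review bot: The first new providerSet() row still has four elements (`'Foo�barbaz'` and `TRUE` after the input) while the hunk header shows `testSet($text, $message)` taking two, so as far as this hunk shows `'Foo�barbaz'` arrives as the assertion message and the escaped-output expectation is never checked; the extra elements look carried over from the providerCheckPlain() row shape in the next hunk. Its message also drops the `SafeMarkup::set() …` prefix the three sibling rows use. Unless testSet() reads those elements outside this hunk, the row should be `$tests[] = array("Foo\xC0barbaz", 'SafeMarkup::set() escapes invalid sequence "Foo\xC0barbaz"');`, and if the substituted output is meant to be asserted, testSet() needs an expected parameter, which is outside this hunk.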