diff --git a/core/includes/ajax.inc b/core/includes/ajax.inc index 7ab2059..9d482cc 100644 --- a/core/includes/ajax.inc +++ b/core/includes/ajax.inc @@ -387,7 +387,7 @@ function ajax_pre_render_element($element) { // uniquely, in which case a match on value is also needed. // @see _form_button_was_clicked() if (!empty($element['#is_button']) && empty($element['#has_garbage_value'])) { - $settings['submit']['_triggering_element_value'] = $element['#value']; + $settings['submit']['_triggering_element_value'] = (string) $element['#value']; } } diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc index 3d41fcb..7087480 100644 --- a/core/includes/bootstrap.inc +++ b/core/includes/bootstrap.inc @@ -17,6 +17,7 @@ use Drupal\Core\Extension\ExtensionDiscovery; use Drupal\Core\Site\Settings; use Drupal\Core\Utility\Title; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Utility\Error; use Symfony\Component\ClassLoader\ApcClassLoader; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -1180,6 +1181,13 @@ function watchdog($type, $message, array $variables = array(), $severity = WATCH */ function drupal_set_message($message = NULL, $type = 'status', $repeat = FALSE) { if ($message) { + // Some sort of in-band signalling is required to store the information + // about the message being safe or not. While in general being binary safe + // is important, messages are for human consumption and never start with + // chr(0). + if ($message instanceof SafeMarkup) { + $message = chr(0) . $message; + } if (!isset($_SESSION['messages'][$type])) { $_SESSION['messages'][$type] = array(); } @@ -1223,6 +1231,14 @@ function drupal_set_message($message = NULL, $type = 'status', $repeat = FALSE) */ function drupal_get_messages($type = NULL, $clear_queue = TRUE) { if ($messages = drupal_set_message()) { + // Decode the SafeMarkup objects stored by drupal_set_message(). + foreach ($messages as $message_type => $messages_typed) { + foreach ($messages_typed as $key => $message) { + if (!$message instanceof SafeMarkup && $message[0] == chr(0)) { + $messages[$message_type][$key] = SafeMarkup::create(substr($message, 1)); + } + } + } if ($type) { if ($clear_queue) { unset($_SESSION['messages'][$type]); diff --git a/core/includes/common.inc b/core/includes/common.inc index 5572e54..294b1a5 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -29,6 +29,7 @@ use Drupal\Core\EventSubscriber\HtmlViewSubscriber; use Drupal\Core\Routing\GeneratorNotInitializedException; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Render\Element; use Drupal\Core\Session\AnonymousUserSession; @@ -485,7 +486,7 @@ function format_xml_elements($array) { $output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : String::checkPlain($value)) . "\n"; } } - return $output; + return SafeMarkup::create($output); } /** @@ -886,8 +887,7 @@ function l($text, $path, array $options = array()) { // Sanitize the link text if necessary. $text = $variables['options']['html'] ? $variables['text'] : String::checkPlain($variables['text']); - - return '' . $text . ''; + return SafeMarkup::create('' . $text . ''); } /** @@ -1440,6 +1440,9 @@ function drupal_html_class($class) { // static instead of drupal_static(). static $classes = array(); + // @todo Needs safe markup preservation or should be cast to string before + // arg is passed to this function? + $class = (string) $class; if (!isset($classes[$class])) { $classes[$class] = drupal_clean_css_identifier(drupal_strtolower($class)); } @@ -2829,6 +2832,7 @@ function drupal_pre_render_conditional_comments($elements) { * - meta: To provide meta information, such as a page refresh. * - link: To refer to stylesheets and other contextual information. * - script: To load JavaScript. + * This is not HTML escaped, do not pass in user input. * - #attributes: (optional) An array of HTML attributes to apply to the * tag. * - #value: (optional) A string containing tag content, such as inline @@ -2841,7 +2845,9 @@ function drupal_pre_render_conditional_comments($elements) { function drupal_pre_render_html_tag($element) { $attributes = isset($element['#attributes']) ? new Attribute($element['#attributes']) : ''; if (!isset($element['#value'])) { - $markup = '<' . $element['#tag'] . $attributes . " />\n"; + // Attributes are safe and we are assuming people don't use this function + // and second they don't pass unsafe variables to #tag. + $markup = SafeMarkup::create('<' . $element['#tag'] . $attributes . " />\n"); } else { $markup = '<' . $element['#tag'] . $attributes . '>'; @@ -2853,6 +2859,8 @@ function drupal_pre_render_html_tag($element) { $markup .= $element['#value_suffix']; } $markup .= '\n"; + // @TODO Creating safe markup, avoid if possible! + $markup = SafeMarkup::create($markup); } if (!empty($element['#noscript'])) { $element['#markup'] = ''; @@ -3261,7 +3269,7 @@ function drupal_render_page($page) { * @param bool $is_recursive_call * Whether this is a recursive call or not, for internal use. * - * @return string + * @return \Drupal\Core\Template\SafeMarkup|string * The rendered HTML. * * @see element_info() @@ -3286,6 +3294,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { $cached_element = drupal_render_cache_get($elements); if ($cached_element !== FALSE) { $elements = $cached_element; + $elements['#markup'] = SafeMarkup::create($elements['#markup']); // Only when we're not in a recursive drupal_render() call, // #post_render_cache callbacks must be executed, to prevent breaking the // render cache in case of nested elements with #cache set. @@ -3336,6 +3345,35 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { $elements['#children'] = ''; } + // Assume still safe unless the element or it's __toString return value aren't + // instances of Twig_Markup. + // @TODO simplify after https://drupal.org/node/2272279 + $get_string = function ($element) { + if (is_object($element) && method_exists($element, '__toString')) { + $markup = $element->__toString(); + } + else { + $markup = $element; + } + // This is necessary because $element can be a RenderWrapper. + if ($markup && !$element instanceof SafeMarkup && !$markup instanceof SafeMarkup) { + $markup = String::checkPlain($markup); + } + return $markup; + }; + + // @TODO simplify after https://drupal.org/node/2208061 and + // https://drupal.org/node/2273925 + if (isset($elements['#markup'])) { + if (is_object($elements['#markup']) && method_exists($elements['#markup'], '__toString')) { + $markup = $elements['#markup']->__toString(); + } + else { + $markup = $elements['#markup']; + } + $elements['#markup'] = SafeMarkup::create($markup); + } + // Assume that if #theme is set it represents an implemented hook. $theme_is_implemented = isset($elements['#theme']); @@ -3357,8 +3395,9 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { // process as drupal_render_children() but is inlined for speed. if ((!$theme_is_implemented || isset($elements['#render_children'])) && empty($elements['#children'])) { foreach ($children as $key) { - $elements['#children'] .= drupal_render($elements[$key], TRUE); + $elements['#children'] .= $get_string(drupal_render($elements[$key], TRUE)); } + $elements['#children'] = SafeMarkup::create($elements['#children']); } // If #theme is not implemented and the element has raw #markup as a @@ -3369,7 +3408,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { // required. Eventually #theme_wrappers will expect both #markup and // #children to be a single string as #children. if (!$theme_is_implemented && isset($elements['#markup'])) { - $elements['#children'] = $elements['#markup'] . $elements['#children']; + $elements['#children'] = SafeMarkup::create($get_string($elements['#markup']) . $get_string($elements['#children'])); } // Let the theme functions in #theme_wrappers add markup around the rendered @@ -3453,6 +3492,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { } $elements['#printed'] = TRUE; + $elements['#markup'] = SafeMarkup::create($elements['#markup']); return $elements['#markup']; } @@ -3466,7 +3506,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { * can be passed in to save another run of * \Drupal\Core\Render\Element::children(). * - * @return string + * @return \Drupal\Core\Template\SafeMarkup|string * The rendered HTML of all children of the element. * @see drupal_render() @@ -3475,13 +3515,13 @@ function drupal_render_children(&$element, $children_keys = NULL) { if ($children_keys === NULL) { $children_keys = Element::children($element); } - $output = ''; + $markups = array(); foreach ($children_keys as $key) { if (!empty($element[$key])) { - $output .= drupal_render($element[$key]); + $markups[] = drupal_render($element[$key]); } } - return $output; + return SafeMarkup::implode('', $markups); } /** diff --git a/core/includes/errors.inc b/core/includes/errors.inc index 8b0b9e4..b3a029c 100644 --- a/core/includes/errors.inc +++ b/core/includes/errors.inc @@ -8,6 +8,7 @@ use Drupal\Component\Utility\Xss; use Drupal\Core\Page\DefaultHtmlPageRenderer; use Drupal\Core\Utility\Error; +use Drupal\Core\Template\SafeMarkup; use Drupal\Component\Utility\String; use Symfony\Component\HttpFoundation\Response; @@ -212,7 +213,7 @@ function _drupal_log_error($error, $fatal = FALSE) { // Generate a backtrace containing only scalar argument values. $message .= '
' . format_backtrace($backtrace) . '
'; } - drupal_set_message($message, $class, TRUE); + drupal_set_message(SafeMarkup::create($message), $class, TRUE); } if ($fatal) { diff --git a/core/includes/form.inc b/core/includes/form.inc index 42206a4..7f635c9 100644 --- a/core/includes/form.inc +++ b/core/includes/form.inc @@ -15,6 +15,7 @@ use Drupal\Core\Language\Language; use Drupal\Core\Render\Element; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Utility\Color; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -983,7 +984,7 @@ function form_select_options($element, $choices = NULL) { $options .= form_select_options($element, $choice); $options .= ''; } - elseif (is_object($choice)) { + elseif (is_object($choice) && isset($choice->option)) { $options .= form_select_options($element, $choice->option); } else { @@ -998,7 +999,7 @@ function form_select_options($element, $choices = NULL) { $options .= ''; } } - return $options; + return SafeMarkup::create($options); } /** @@ -1663,7 +1664,7 @@ function theme_tableselect($variables) { // A header can span over multiple cells and in this case the cells // are passed in an array. The order of this array determines the // order in which they are added. - if (!isset($element['#options'][$key][$fieldname]['data']) && is_array($element['#options'][$key][$fieldname])) { + if (is_array($element['#options'][$key][$fieldname]) && !isset($element['#options'][$key][$fieldname]['data'])) { foreach ($element['#options'][$key][$fieldname] as $cell) { $row['data'][] = $cell; } @@ -1976,7 +1977,7 @@ function form_process_machine_name($element, &$form_state) { $element['#machine_name'] += array( 'source' => array('label'), 'target' => '#' . $element['#id'], - 'label' => t('Machine name'), + 'label' => (string) t('Machine name'), 'replace_pattern' => '[^a-z0-9_]+', 'replace' => '_', 'standalone' => FALSE, @@ -2009,13 +2010,13 @@ function form_process_machine_name($element, &$form_state) { $element['#machine_name']['suffix'] = '#' . $suffix_id; if ($element['#machine_name']['standalone']) { - $element['#suffix'] .= '  '; + $element['#suffix'] = SafeMarkup::concat($element['#suffix'], SafeMarkup::create('  ')); } else { // Append a field suffix to the source form element, which will contain // the live preview of the machine name. $source += array('#field_suffix' => ''); - $source['#field_suffix'] .= '  '; + $source['#field_suffix'] = SafeMarkup::concat($source['#field_suffix'], SafeMarkup::create('  ')); $parents = array_merge($element['#machine_name']['source'], array('#field_suffix')); NestedArray::setValue($form_state['complete_form'], $parents, $source['#field_suffix']); @@ -2348,6 +2349,9 @@ function template_preprocess_input(&$variables) { function theme_input($variables) { $element = $variables['element']; $attributes = $variables['attributes']; + if (!$attributes instanceof Attribute) { + throw new \LogicException('Attributes are expected to be an instance of attributes'); + } return '' . drupal_render_children($element); } @@ -2976,8 +2980,6 @@ function theme_form_element_label($variables) { return ''; } - $title = Xss::filterAdmin($element['#title']); - $attributes = array(); // Style the label as class option to display inline with the element. if ($element['#title_display'] == 'after') { @@ -3008,6 +3010,8 @@ function theme_form_element_label($variables) { $attributes['class'][] = 'form-required'; } + $title = Xss::filterAdmin($element['#title']); + return '' . $title . ''; } diff --git a/core/includes/install.core.inc b/core/includes/install.core.inc index b00d23b..2a0f6a6 100644 --- a/core/includes/install.core.inc +++ b/core/includes/install.core.inc @@ -14,6 +14,7 @@ use Drupal\Core\Page\DefaultHtmlPageRenderer; use Drupal\Core\Site\Settings; use Drupal\Core\StringTranslation\Translator\FileTranslation; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Extension\ExtensionDiscovery; use Drupal\Core\DependencyInjection\ContainerBuilder; use Symfony\Component\DependencyInjection\Reference; @@ -1709,9 +1710,9 @@ function install_finished(&$install_state) { // @see https://drupal.org/node/1317548 $pifr_assertion = 'Drupal installation complete'; - drupal_set_message(t('Congratulations, you installed @drupal!', array( + drupal_set_message(SafeMarkup::create(t('Congratulations, you installed @drupal!', array( '@drupal' => drupal_install_profile_distribution_name(), - )) . $pifr_assertion); + )) . $pifr_assertion)); } /** diff --git a/core/includes/theme.inc b/core/includes/theme.inc index 2b06429..9e028cc 100644 --- a/core/includes/theme.inc +++ b/core/includes/theme.inc @@ -21,6 +21,7 @@ use Drupal\Core\Page\MetaElement; use Drupal\Core\Template\Attribute; use Drupal\Core\Template\RenderWrapper; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Theme\ThemeSettings; use Drupal\Component\Utility\NestedArray; use Drupal\Core\Render\Element; @@ -579,7 +580,7 @@ function _theme($hook, $variables = array()) { $output = ''; if (isset($info['function'])) { if (function_exists($info['function'])) { - $output = $info['function']($variables); + $output = SafeMarkup::create($info['function']($variables)); } } else { @@ -650,7 +651,7 @@ function _theme($hook, $variables = array()) { // restore path_to_theme() $theme_path = $temp; - return (string) $output; + return $output; } /** @@ -1712,7 +1713,9 @@ function theme_mark($variables) { * @see http://drupal.org/node/1842756 */ function template_preprocess_item_list(&$variables) { - $variables['title'] = (string) $variables['title']; + if (!$variables['title'] instanceof SafeMarkup) { + $variables['title'] = (string) $variables['title']; + } foreach ($variables['items'] as &$item) { $attributes = array(); @@ -2001,7 +2004,7 @@ function template_preprocess_html(&$variables) { // Construct page title. if ($page->hasTitle()) { $head_title = array( - 'title' => trim(strip_tags($page->getTitle())), + 'title' => SafeMarkup::create(trim(strip_tags($page->getTitle()))), 'name' => String::checkPlain($site_config->get('name')), ); } @@ -2021,7 +2024,7 @@ function template_preprocess_html(&$variables) { } $variables['head_title_array'] = $head_title; - $variables['head_title'] = implode(' | ', $head_title); + $variables['head_title'] = SafeMarkup::implode(' | ', $head_title); // @todo Remove drupal_*_html_head() and refactor accordingly. $html_heads = drupal_get_html_head(FALSE); @@ -2053,7 +2056,10 @@ function template_preprocess_html(&$variables) { // Wrap function calls in an object so they can be called when printed. $variables['head'] = new RenderWrapper(function() use ($page) { - return implode("\n", $page->getMetaElements()) . implode("\n", $page->getLinkElements()); + // HeadElement itself is safe and MetaElement and LinkElement both extend + // it so each element are safe. The result of concatenating a lot of them + // together is also safe. + return SafeMarkup::create(implode("\n", $page->getMetaElements()) . implode("\n", $page->getLinkElements())); }); $variables['styles'] = new RenderWrapper('drupal_get_css'); $variables['scripts'] = new RenderWrapper('drupal_get_js'); diff --git a/core/includes/theme.maintenance.inc b/core/includes/theme.maintenance.inc index 8a19a49..8b80102 100644 --- a/core/includes/theme.maintenance.inc +++ b/core/includes/theme.maintenance.inc @@ -7,6 +7,7 @@ use Drupal\Component\Utility\Unicode; use Drupal\Core\Site\Settings; +use Drupal\Core\Template\SafeMarkup; /** * Sets up the theming system for maintenance page. @@ -110,6 +111,8 @@ function _drupal_maintenance_theme() { * @param $variables * An associative array containing: * - items: An associative array of maintenance tasks. + * It's the caller's responsibility to ensure this array's items contains no + * XSS holes. * - active: The key for the currently active maintenance task. * * @ingroup themeable @@ -187,6 +190,8 @@ function theme_authorize_report($variables) { * @param $variables * An associative array containing: * - message: The log message. + * It's the caller's responsibility to ensure this string contains no + * XSS holes. * - success: A boolean indicating failure or success. * * @ingroup themeable diff --git a/core/lib/Drupal/Component/Diff/Engine/HWLDFWordAccumulator.php b/core/lib/Drupal/Component/Diff/Engine/HWLDFWordAccumulator.php index 384593b..2204602 100644 --- a/core/lib/Drupal/Component/Diff/Engine/HWLDFWordAccumulator.php +++ b/core/lib/Drupal/Component/Diff/Engine/HWLDFWordAccumulator.php @@ -4,6 +4,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Unicode; +use Drupal\Core\Template\SafeMarkup; /** * Additions by Axel Boldt follow, partly taken from diff.php, phpwiki-1.3.3 @@ -46,7 +47,8 @@ protected function _flushGroup($new_tag) { protected function _flushLine($new_tag) { $this->_flushGroup($new_tag); if ($this->line != '') { - array_push($this->lines, $this->line); + // @TODO this is really dicey! + array_push($this->lines, SafeMarkup::create($this->line)); } else { // make empty lines visible by inserting an NBSP diff --git a/core/lib/Drupal/Component/Utility/String.php b/core/lib/Drupal/Component/Utility/String.php index 9796a5f..109f691 100644 --- a/core/lib/Drupal/Component/Utility/String.php +++ b/core/lib/Drupal/Component/Utility/String.php @@ -7,6 +7,8 @@ namespace Drupal\Component\Utility; +use Drupal\Core\Template\SafeMarkup; + /** * Provides helpers to operate on strings. * @@ -22,16 +24,16 @@ class String { * @param string $text * The text to be checked or processed. * - * @return string - * An HTML safe version of $text, or an empty string if $text is not - * valid UTF-8. + * @return \Drupal\Core\Template\SafeMarkup|string + * A SafeMarkup object containing the HTML safe version of $text, or an + * empty string if $text is an empty string or not valid UTF-8. * * @ingroup sanitization * * @see drupal_validate_utf8() */ public static function checkPlain($text) { - return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); + return SafeMarkup::create(htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8')); } /** @@ -65,7 +67,8 @@ public static function decodeEntities($text) { * addition to formatting it. * * @param $string - * A string containing placeholders. + * A string containing placeholders. The string itself is not escaped, any + * unsafe content must be in $args and inserted via placeholders. * @param $args * An associative array of replacements to make. Occurrences in $string of * any key in $args are replaced with the corresponding value, after @@ -108,7 +111,7 @@ public static function format($string, array $args = array()) { // Pass-through. } } - return strtr($string, $args); + return SafeMarkup::create(strtr($string, $args)); } /** @@ -123,7 +126,8 @@ public static function format($string, array $args = array()) { * The formatted text (html). */ public static function placeholder($text) { - return '' . static::checkPlain($text) . ''; + return SafeMarkup::create('' . static::checkPlain($text) . ''); } + } diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php index dc49913..af67803 100644 --- a/core/lib/Drupal/Component/Utility/Xss.php +++ b/core/lib/Drupal/Component/Utility/Xss.php @@ -7,6 +7,8 @@ namespace Drupal\Component\Utility; +use Drupal\Core\Template\SafeMarkup; + /** * Provides helper to filter for cross-site scripting. * @@ -90,7 +92,7 @@ public static function filter($string, $html_tags = array('a', 'em', 'strong', ' $splitter = function ($matches) use ($html_tags, $mode) { return static::split($matches[1], $html_tags, $mode); }; - return preg_replace_callback('% + return SafeMarkup::create(preg_replace_callback('% ( <(?=[^a-zA-Z!/]) # a lone < | # or @@ -99,7 +101,7 @@ public static function filter($string, $html_tags = array('a', 'em', 'strong', ' <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string | # or > # just a > - )%x', $splitter, $string); + )%x', $splitter, $string)); } /** diff --git a/core/lib/Drupal/Core/Ajax/AjaxResponseRenderer.php b/core/lib/Drupal/Core/Ajax/AjaxResponseRenderer.php index eac0b62..b2f87df 100644 --- a/core/lib/Drupal/Core/Ajax/AjaxResponseRenderer.php +++ b/core/lib/Drupal/Core/Ajax/AjaxResponseRenderer.php @@ -8,6 +8,7 @@ namespace Drupal\Core\Ajax; use Drupal\Core\Page\HtmlFragment; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Response; /** @@ -36,9 +37,9 @@ public function render($content) { $content = $content->getContent(); } // Most controllers return a render array, but some return a string. - if (!is_array($content)) { + if (is_string($content) || $content instanceof SafeMarkup) { $content = array( - '#markup' => $content, + '#markup' => (string) $content, ); } @@ -74,11 +75,9 @@ public function render($content) { /** * Wraps drupal_render(). - * - * @todo: Remove as part of https://drupal.org/node/2182149 */ protected function drupalRender(&$elements, $is_recursive_call = FALSE) { - return drupal_render($elements, $is_recursive_call); + return (string) drupal_render($elements, $is_recursive_call); } /** diff --git a/core/lib/Drupal/Core/Config/StorableConfigBase.php b/core/lib/Drupal/Core/Config/StorableConfigBase.php index 4a5fd1d..3f5fa38 100644 --- a/core/lib/Drupal/Core/Config/StorableConfigBase.php +++ b/core/lib/Drupal/Core/Config/StorableConfigBase.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Config\Schema\Ignore; use Drupal\Core\Config\Schema\SchemaIncompleteException; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\TypedData\PrimitiveInterface; use Drupal\Core\TypedData\Type\FloatInterface; use Drupal\Core\TypedData\Type\IntegerInterface; @@ -140,6 +141,9 @@ protected function getSchemaWrapper() { * If there is any invalid value. */ protected function validateValue($key, $value) { + if ($value instanceof SafeMarkup) { + $value = (string) $value; + } // Minimal validation. Should not try to serialize resources or non-arrays. if (is_array($value)) { foreach ($value as $nested_value_key => $nested_value) { @@ -169,6 +173,10 @@ protected function validateValue($key, $value) { * Exception on unsupported/undefined data type deducted. */ protected function castValue($key, $value) { + if ($value instanceof SafeMarkup) { + $value = (string) $value; + } + $element = FALSE; try { $element = $this->getSchemaWrapper()->get($key); diff --git a/core/lib/Drupal/Core/Controller/ExceptionController.php b/core/lib/Drupal/Core/Controller/ExceptionController.php index 320cb06..8d75139 100644 --- a/core/lib/Drupal/Core/Controller/ExceptionController.php +++ b/core/lib/Drupal/Core/Controller/ExceptionController.php @@ -18,6 +18,7 @@ use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpKernel\HttpKernelInterface; use Drupal\Component\Utility\String; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\Debug\Exception\FlattenException; use Drupal\Core\ContentNegotiation; use Drupal\Core\Utility\Error; @@ -312,7 +313,7 @@ public function on500Html(FlattenException $exception, Request $request) { // Generate a backtrace containing only scalar argument values. $message .= '
' . Error::formatFlattenedBacktrace($backtrace) . '
'; } - drupal_set_message($message, $class, TRUE); + drupal_set_message(SafeMarkup::create($message), $class, TRUE); } $content = $this->t('The website has encountered an error. Please try again later.'); diff --git a/core/lib/Drupal/Core/CoreServiceProvider.php b/core/lib/Drupal/Core/CoreServiceProvider.php index fe23fb6..99784f7 100644 --- a/core/lib/Drupal/Core/CoreServiceProvider.php +++ b/core/lib/Drupal/Core/CoreServiceProvider.php @@ -101,7 +101,7 @@ public static function registerTwig(ContainerBuilder $container) { 'cache' => drupal_installation_attempted() ? FALSE : Settings::get('twig_cache', TRUE), // @todo Remove in followup issue // @see http://drupal.org/node/1712444. - 'autoescape' => FALSE, + 'autoescape' => TRUE, 'debug' => Settings::get('twig_debug', FALSE), 'auto_reload' => Settings::get('twig_auto_reload', NULL), )) diff --git a/core/lib/Drupal/Core/Database/Install/Tasks.php b/core/lib/Drupal/Core/Database/Install/Tasks.php index c4d88d2..6d0dfe7 100644 --- a/core/lib/Drupal/Core/Database/Install/Tasks.php +++ b/core/lib/Drupal/Core/Database/Install/Tasks.php @@ -92,14 +92,14 @@ protected function hasPdoDriver() { * Assert test as failed. */ protected function fail($message) { - $this->results[$message] = FALSE; + $this->results[(string) $message] = FALSE; } /** * Assert test as a pass. */ protected function pass($message) { - $this->results[$message] = TRUE; + $this->results[(string) $message] = TRUE; } /** diff --git a/core/lib/Drupal/Core/Entity/EntityManager.php b/core/lib/Drupal/Core/Entity/EntityManager.php index 93e9fcf..34fd1fd 100644 --- a/core/lib/Drupal/Core/Entity/EntityManager.php +++ b/core/lib/Drupal/Core/Entity/EntityManager.php @@ -703,7 +703,7 @@ public function getEntityTypeLabels($group = FALSE) { foreach ($definitions as $entity_type_id => $definition) { if ($group) { - $options[$definition->getGroupLabel()][$entity_type_id] = $definition->getLabel(); + $options[(string) $definition->getGroupLabel()][$entity_type_id] = $definition->getLabel(); } else { $options[$entity_type_id] = $definition->getLabel(); @@ -717,7 +717,7 @@ public function getEntityTypeLabels($group = FALSE) { } // Make sure that the 'Content' group is situated at the top. - $content = $this->t('Content', array(), array('context' => 'Entity type group')); + $content = (string) $this->t('Content', array(), array('context' => 'Entity type group')); $options = array($content => $options[$content]) + $options; } diff --git a/core/lib/Drupal/Core/Extension/ThemeHandler.php b/core/lib/Drupal/Core/Extension/ThemeHandler.php index dbe2c78..8354bea 100644 --- a/core/lib/Drupal/Core/Extension/ThemeHandler.php +++ b/core/lib/Drupal/Core/Extension/ThemeHandler.php @@ -626,6 +626,8 @@ public function getName($theme) { if (!isset($themes[$theme])) { throw new \InvalidArgumentException(String::format('Requested the name of a non-existing theme @theme', array('@theme' => $theme))); } + // @todo For testing please remove before commit. + return \Drupal::config('system.site')->get('name'); return String::checkPlain($themes[$theme]->info['name']); } diff --git a/core/lib/Drupal/Core/Form/OptGroup.php b/core/lib/Drupal/Core/Form/OptGroup.php index f94d62d..21e9855 100644 --- a/core/lib/Drupal/Core/Form/OptGroup.php +++ b/core/lib/Drupal/Core/Form/OptGroup.php @@ -43,7 +43,7 @@ public static function flattenOptions(array $array) { */ protected static function doFlattenOptions(array $array, array &$options) { foreach ($array as $key => $value) { - if (is_object($value)) { + if (is_object($value) && isset($value->option)) { static::doFlattenOptions($value->option, $options); } elseif (is_array($value)) { diff --git a/core/lib/Drupal/Core/Page/HeadElement.php b/core/lib/Drupal/Core/Page/HeadElement.php index 85055ad..70cf2b7 100644 --- a/core/lib/Drupal/Core/Page/HeadElement.php +++ b/core/lib/Drupal/Core/Page/HeadElement.php @@ -8,11 +8,12 @@ namespace Drupal\Core\Page; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; /** * This class represents an HTML element that appears in the HEAD tag. */ -class HeadElement { +class HeadElement extends SafeMarkup { /** * An array of attributes for this element. diff --git a/core/lib/Drupal/Core/StringTranslation/TranslationManager.php b/core/lib/Drupal/Core/StringTranslation/TranslationManager.php index bd1b3b3..20e1911 100644 --- a/core/lib/Drupal/Core/StringTranslation/TranslationManager.php +++ b/core/lib/Drupal/Core/StringTranslation/TranslationManager.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Language\LanguageManagerInterface; use Drupal\Core\StringTranslation\Translator\TranslatorInterface; +use Drupal\Core\Template\SafeMarkup; /** * Defines a chained translation implementation combining multiple translators. @@ -140,7 +141,7 @@ public function translate($string, array $args = array(), array $options = array $string = $translation === FALSE ? $string : $translation; if (empty($args)) { - return $string; + return SafeMarkup::create($string); } else { return String::format($string, $args); @@ -160,7 +161,7 @@ public function formatPlural($count, $singular, $plural, array $args = array(), $translated_array = explode(LOCALE_PLURAL_DELIMITER, $translated_strings); if ($count == 1) { - return $translated_array[0]; + return SafeMarkup::create($translated_array[0]); } // Get the plural index through the gettext formula. @@ -168,20 +169,21 @@ public function formatPlural($count, $singular, $plural, array $args = array(), $index = (function_exists('locale_get_plural')) ? locale_get_plural($count, isset($options['langcode']) ? $options['langcode'] : NULL) : -1; if ($index == 0) { // Singular form. - return $translated_array[0]; + $return = $translated_array[0]; } else { if (isset($translated_array[$index])) { // N-th plural form. - return $translated_array[$index]; + $return = $translated_array[$index]; } else { // If the index cannot be computed or there's no translation, use // the second plural form as a fallback (which allows for most flexiblity // with the replaceable @count value). - return $translated_array[1]; + $return = $translated_array[1]; } } + return SafeMarkup::create($return); } /** diff --git a/core/lib/Drupal/Core/Template/Attribute.php b/core/lib/Drupal/Core/Template/Attribute.php index ead5d05..7432b6d 100644 --- a/core/lib/Drupal/Core/Template/Attribute.php +++ b/core/lib/Drupal/Core/Template/Attribute.php @@ -31,7 +31,7 @@ * // Produces * @endcode */ -class Attribute implements \ArrayAccess, \IteratorAggregate { +class Attribute extends \Twig_Markup implements \ArrayAccess, \IteratorAggregate { /** * Stores the attribute data. @@ -86,9 +86,12 @@ protected function createAttributeValue($name, $value) { elseif (is_bool($value)) { $value = new AttributeBoolean($name, $value); } - elseif (!is_object($value)) { + elseif (!is_object($value) || $value instanceof SafeMarkup) { $value = new AttributeString($name, $value); } + elseif (!method_exists($value, 'render')) { + throw new \Exception('boo!'); + } return $value; } diff --git a/core/lib/Drupal/Core/Template/AttributeArray.php b/core/lib/Drupal/Core/Template/AttributeArray.php index 95e0ef3..4d8145f 100644 --- a/core/lib/Drupal/Core/Template/AttributeArray.php +++ b/core/lib/Drupal/Core/Template/AttributeArray.php @@ -66,7 +66,7 @@ public function offsetExists($offset) { * Implements the magic __toString() method. */ public function __toString() { - return String::checkPlain(implode(' ', $this->value)); + return (string) String::checkPlain(implode(' ', $this->value)); } /** diff --git a/core/lib/Drupal/Core/Template/AttributeBoolean.php b/core/lib/Drupal/Core/Template/AttributeBoolean.php index 4e9ea67..b5a0957 100644 --- a/core/lib/Drupal/Core/Template/AttributeBoolean.php +++ b/core/lib/Drupal/Core/Template/AttributeBoolean.php @@ -42,7 +42,7 @@ public function render() { * Implements the magic __toString() method. */ public function __toString() { - return $this->value === FALSE ? '' : String::checkPlain($this->name); + return $this->value === FALSE ? '' : (string) String::checkPlain($this->name); } } diff --git a/core/lib/Drupal/Core/Template/AttributeString.php b/core/lib/Drupal/Core/Template/AttributeString.php index 07211be..e1c69dc 100644 --- a/core/lib/Drupal/Core/Template/AttributeString.php +++ b/core/lib/Drupal/Core/Template/AttributeString.php @@ -30,7 +30,7 @@ class AttributeString extends AttributeValueBase { * Implements the magic __toString() method. */ public function __toString() { - return String::checkPlain($this->value); + return (string) String::checkPlain($this->value); } } diff --git a/core/lib/Drupal/Core/Template/SafeMarkup.php b/core/lib/Drupal/Core/Template/SafeMarkup.php new file mode 100644 index 0000000..5407dc3 --- /dev/null +++ b/core/lib/Drupal/Core/Template/SafeMarkup.php @@ -0,0 +1,72 @@ + $string) { + if (!$string instanceof SafeMarkup) { + $array[$key] = String::checkPlain($string); + } + } + return SafeMarkup::create(implode($delimiter, $array)); + } + + public static function strReplace($search, $replace, $subject, &$count = NULL) { + $safe = $subject instanceof SafeMarkup; + $replacement = str_replace($search, $replace, $subject, $count); + return $safe ? SafeMarkup::create($replacement) : $replacement; + } + + /** + * Renders the markup. + * + * @return string + * The results of the callback function. + */ + public function render() { + return $this->__toString(); + } + + /** + * {inheritdoc} + */ + public function jsonSerialize() { + return $this->__toString(); + } +} diff --git a/core/lib/Drupal/Core/Utility/Error.php b/core/lib/Drupal/Core/Utility/Error.php index e3b084f..0a2b29f 100644 --- a/core/lib/Drupal/Core/Utility/Error.php +++ b/core/lib/Drupal/Core/Utility/Error.php @@ -9,6 +9,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Xss; +use Drupal\Core\Template\SafeMarkup; /** * Drupal error utility class. @@ -101,7 +102,7 @@ public static function renderExceptionSafe(\Exception $exception) { // no longer function correctly (as opposed to a user-triggered error), so // we assume that it is safe to include a verbose backtrace. $output .= '
' . static::formatBacktrace($backtrace) . '
'; - return $output; + return SafeMarkup::create($output); } /** diff --git a/core/lib/Drupal/Core/Utility/LinkGenerator.php b/core/lib/Drupal/Core/Utility/LinkGenerator.php index b547d95..96029f7 100644 --- a/core/lib/Drupal/Core/Utility/LinkGenerator.php +++ b/core/lib/Drupal/Core/Utility/LinkGenerator.php @@ -11,8 +11,9 @@ use Drupal\Component\Utility\String; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Path\AliasManagerInterface; -use Drupal\Core\Template\Attribute; use Drupal\Core\Routing\UrlGeneratorInterface; +use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Url; /** @@ -122,8 +123,7 @@ public function generateFromUrl($text, Url $url) { // Sanitize the link text if necessary. $text = $variables['options']['html'] ? $variables['text'] : String::checkPlain($variables['text']); - - return '' . $text . ''; + return SafeMarkup::create('' . $text . ''); } /** diff --git a/core/lib/Drupal/Core/Utility/LinkGeneratorInterface.php b/core/lib/Drupal/Core/Utility/LinkGeneratorInterface.php index e6e74a7..a7212d0 100644 --- a/core/lib/Drupal/Core/Utility/LinkGeneratorInterface.php +++ b/core/lib/Drupal/Core/Utility/LinkGeneratorInterface.php @@ -64,7 +64,7 @@ * sparingly since it is usually unnecessary and requires extra * processing. * - * @return string + * @return \Drupal\Core\Template\SafeMarkup|string * An HTML string containing a link to the given route and parameters. * * @throws \Symfony\Component\Routing\Exception\RouteNotFoundException diff --git a/core/modules/action/action.views_execution.inc b/core/modules/action/action.views_execution.inc index 32bc883..66d18bf 100644 --- a/core/modules/action/action.views_execution.inc +++ b/core/modules/action/action.views_execution.inc @@ -19,6 +19,6 @@ function action_views_form_substitutions() { '#attributes' => array('class' => array('action-table-select-all')), ); return array( - $select_all_placeholder => drupal_render($select_all), + (string) $select_all_placeholder => drupal_render($select_all), ); } diff --git a/core/modules/block/custom_block/src/Tests/CustomBlockListTest.php b/core/modules/block/custom_block/src/Tests/CustomBlockListTest.php index 8bded49..2fbd583 100644 --- a/core/modules/block/custom_block/src/Tests/CustomBlockListTest.php +++ b/core/modules/block/custom_block/src/Tests/CustomBlockListTest.php @@ -52,7 +52,7 @@ public function testListing() { // Test the contents of each th cell. $expected_items = array(t('Block description'), t('Operations')); foreach ($elements as $key => $element) { - $this->assertIdentical((string) $element[0], $expected_items[$key]); + $this->assertIdentical((string) $element[0], (string) $expected_items[$key]); } $label = 'Antelope'; diff --git a/core/modules/block/src/Tests/BlockInterfaceTest.php b/core/modules/block/src/Tests/BlockInterfaceTest.php index 0b71146..67f0faa 100644 --- a/core/modules/block/src/Tests/BlockInterfaceTest.php +++ b/core/modules/block/src/Tests/BlockInterfaceTest.php @@ -7,6 +7,9 @@ namespace Drupal\block\Tests; +use Drupal\Component\Utility\NestedArray; +use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; use Drupal\simpletest\DrupalUnitTestBase; use Drupal\block\BlockInterface; @@ -82,14 +85,14 @@ public function testBlockInterface() { ), 'label' => array( '#type' => 'textfield', - '#title' => 'Title', + '#title' => t('Title'), '#maxlength' => 255, '#default_value' => 'Custom Display Message', '#required' => TRUE, ), 'label_display' => array( '#type' => 'checkbox', - '#title' => 'Display title', + '#title' => t('Display title'), '#default_value' => TRUE, '#return_value' => 'visible', ), @@ -124,7 +127,7 @@ public function testBlockInterface() { ); $form_state = array(); // Ensure there are no form elements that do not belong to the plugin. - $this->assertIdentical($display_block->buildConfigurationForm(array(), $form_state), $expected_form, 'Only the expected form elements were present.'); + $this->assertIdenticalArray($display_block->buildConfigurationForm(array(), $form_state), $expected_form, 'Only the expected form elements were present.'); $expected_build = array( '#children' => 'My custom display message.', @@ -136,4 +139,5 @@ public function testBlockInterface() { // testing BlockBase's implementation, not the interface itself. $this->assertIdentical($display_block->getMachineNameSuggestion(), 'displaymessage', 'The plugin returned the expected machine name suggestion.'); } + } diff --git a/core/modules/block/src/Tests/BlockViewBuilderTest.php b/core/modules/block/src/Tests/BlockViewBuilderTest.php index a6571cb..78a53eb 100644 --- a/core/modules/block/src/Tests/BlockViewBuilderTest.php +++ b/core/modules/block/src/Tests/BlockViewBuilderTest.php @@ -100,7 +100,7 @@ public function testBasicRendering() { $expected[] = ''; $expected[] = ''; $expected_output = implode("\n", $expected); - $this->assertEqual(drupal_render($output), $expected_output); + $this->assertEqual((string) drupal_render($output), $expected_output); // Reset the HTML IDs so that the next render is not affected. drupal_static_reset('drupal_html_id'); @@ -128,7 +128,7 @@ public function testBasicRendering() { $expected[] = ''; $expected[] = ''; $expected_output = implode("\n", $expected); - $this->assertEqual(drupal_render($output), $expected_output); + $this->assertEqual((string) drupal_render($output), $expected_output); } /** @@ -198,7 +198,7 @@ protected function verifyRenderCacheHandling() { public function testBlockViewBuilderAlter() { // Establish baseline. $build = $this->getBlockRenderArray(); - $this->assertIdentical(drupal_render($build), 'Llamas > unicorns!'); + $this->assertIdentical((string) drupal_render($build), 'Llamas > unicorns!'); // Enable the block view alter hook that adds a suffix, for basic testing. \Drupal::state()->set('block_test_view_alter_suffix', TRUE); @@ -206,13 +206,13 @@ public function testBlockViewBuilderAlter() { // Basic: non-empty block. $build = $this->getBlockRenderArray(); $this->assertTrue(isset($build['#suffix']) && $build['#suffix'] === '
Goodbye!', 'A block with content is altered.'); - $this->assertIdentical(drupal_render($build), 'Llamas > unicorns!
Goodbye!'); + $this->assertIdentical((string) drupal_render($build), 'Llamas > unicorns!
Goodbye!'); // Basic: empty block. \Drupal::state()->set('block_test.content', NULL); $build = $this->getBlockRenderArray(); $this->assertTrue(isset($build['#suffix']) && $build['#suffix'] === '
Goodbye!', 'A block without content is altered.'); - $this->assertIdentical(drupal_render($build), '
Goodbye!'); + $this->assertIdentical((string) drupal_render($build), '
Goodbye!'); // Disable the block view alter hook that adds a suffix, for basic testing. \Drupal::state()->set('block_test_view_alter_suffix', FALSE); @@ -234,7 +234,7 @@ public function testBlockViewBuilderAlter() { $build = $this->getBlockRenderArray(); $this->assertIdentical($expected_keys, $build['#cache']['keys'], 'An altered cacheable block has the expected cache keys.'); $cid = drupal_render_cid_create(array('#cache' => array('keys' => $expected_keys))); - $this->assertIdentical(drupal_render($build), ''); + $this->assertIdentical((string) drupal_render($build), ''); $cache_entry = $this->container->get('cache.render')->get($cid); $this->assertTrue($cache_entry, 'The block render element has been cached with the expected cache ID.'); $expected_flattened_tags = array('content:1', 'block_view:1', 'block:test_block', 'theme:stark', 'block_plugin:test_cache'); @@ -248,7 +248,7 @@ public function testBlockViewBuilderAlter() { $build = $this->getBlockRenderArray(); $this->assertIdentical($expected_tags, $build['#cache']['tags'], 'An altered cacheable block has the expected cache tags.'); $cid = drupal_render_cid_create(array('#cache' => array('keys' => $expected_keys))); - $this->assertIdentical(drupal_render($build), ''); + $this->assertIdentical((string) drupal_render($build), ''); $cache_entry = $this->container->get('cache.render')->get($cid); $this->assertTrue($cache_entry, 'The block render element has been cached with the expected cache ID.'); $expected_flattened_tags = array('content:1', 'block_view:1', 'block:test_block', 'theme:stark', 'block_plugin:test_cache', $alter_add_tag . ':1'); @@ -260,7 +260,7 @@ public function testBlockViewBuilderAlter() { \Drupal::state()->set('block_test_view_alter_append_pre_render_prefix', TRUE); $build = $this->getBlockRenderArray(); $this->assertFalse(isset($build['#prefix']), 'The appended #pre_render callback has not yet run before calling drupal_render().'); - $this->assertIdentical(drupal_render($build), 'Hiya!
'); + $this->assertIdentical((string) drupal_render($build), 'Hiya!
'); $this->assertTrue(isset($build['#prefix']) && $build['#prefix'] === 'Hiya!
', 'A cached block without content is altered.'); // Restore the previous request method. diff --git a/core/modules/block/tests/src/CategoryAutocompleteTest.php b/core/modules/block/tests/src/CategoryAutocompleteTest.php index 26bd6b9..d443d90 100644 --- a/core/modules/block/tests/src/CategoryAutocompleteTest.php +++ b/core/modules/block/tests/src/CategoryAutocompleteTest.php @@ -59,7 +59,7 @@ public function setUp() { */ public function testAutocompleteSuggestions($string, $suggestions) { $suggestions = array_map(function ($suggestion) { - return array('value' => $suggestion, 'label' => String::checkPlain($suggestion)); + return array('value' => $suggestion, 'label' => (string) String::checkPlain($suggestion)); }, $suggestions); $result = $this->autocompleteController->autocomplete(new Request(array('q' => $string))); $this->assertSame($suggestions, json_decode($result->getContent(), TRUE)); diff --git a/core/modules/book/book.admin.inc b/core/modules/book/book.admin.inc index 4379582..679809d 100644 --- a/core/modules/book/book.admin.inc +++ b/core/modules/book/book.admin.inc @@ -6,6 +6,7 @@ */ use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; /** * Returns HTML for a book administration form. @@ -36,9 +37,9 @@ function theme_book_admin_table($variables) { $indentation = array('#theme' => 'indentation', '#size' => $form[$key]['depth']['#value'] - 2); $data = array( - drupal_render($indentation) . drupal_render($form[$key]['title']), + SafeMarkup::create(drupal_render($indentation) . drupal_render($form[$key]['title'])), drupal_render($form[$key]['weight']), - drupal_render($form[$key]['pid']) . drupal_render($form[$key]['nid']), + SafeMarkup::create(drupal_render($form[$key]['pid']) . drupal_render($form[$key]['nid'])), ); $links = array(); $links['view'] = array( diff --git a/core/modules/book/src/BookExport.php b/core/modules/book/src/BookExport.php index f28f855..9376985 100644 --- a/core/modules/book/src/BookExport.php +++ b/core/modules/book/src/BookExport.php @@ -8,6 +8,7 @@ namespace Drupal\book; use Drupal\Core\Entity\EntityManagerInterface; +use Drupal\Core\Template\SafeMarkup; use Drupal\node\NodeInterface; /** @@ -105,18 +106,16 @@ protected function exportTraverse(array $tree, $callable) { // If there is no valid callable, use the default callback. $callable = !empty($callable) ? $callable : array($this, 'bookNodeExport'); - $output = ''; + $build = array(); foreach ($tree as $data) { // Note- access checking is already performed when building the tree. if ($node = $this->nodeStorage->load($data['link']['nid'])) { $children = $data['below'] ? $this->exportTraverse($data['below'], $callable) : ''; - - $callable_output = call_user_func($callable, $node, $children); - $output .= drupal_render($callable_output); + $build[] = call_user_func($callable, $node, $children); } } - return $output; + return drupal_render($build); } /** diff --git a/core/modules/ckeditor/ckeditor.admin.inc b/core/modules/ckeditor/ckeditor.admin.inc index 373ebd2..e2cf656 100644 --- a/core/modules/ckeditor/ckeditor.admin.inc +++ b/core/modules/ckeditor/ckeditor.admin.inc @@ -115,7 +115,8 @@ function template_preprocess_ckeditor_settings_toolbar(&$variables) { $variables['active_buttons'] = array(); foreach ($active_buttons as $row_number => $button_row) { foreach ($button_groups[$row_number] as $group_name) { - $variables['active_buttons'][$row_number][$group_name] = array( + $group_name_string = (string) $group_name; + $variables['active_buttons'][$row_number][$group_name_string] = array( 'group_name_class' => drupal_html_class($group_name), 'buttons' => array(), ); @@ -123,7 +124,7 @@ function template_preprocess_ckeditor_settings_toolbar(&$variables) { return $button['group'] === $group_name; }); foreach ($buttons as $button) { - $variables['active_buttons'][$row_number][$group_name]['buttons'][] = $build_button_item($button, $rtl); + $variables['active_buttons'][$row_number][$group_name_string]['buttons'][] = $build_button_item($button, $rtl); } } } diff --git a/core/modules/ckeditor/src/Tests/CKEditorAdminTest.php b/core/modules/ckeditor/src/Tests/CKEditorAdminTest.php index 0d2d5b2..1d8bd99 100644 --- a/core/modules/ckeditor/src/Tests/CKEditorAdminTest.php +++ b/core/modules/ckeditor/src/Tests/CKEditorAdminTest.php @@ -109,7 +109,7 @@ function testExistingFormat() { ), 'plugins' => array(), ); - $this->assertIdentical($ckeditor->getDefaultSettings(), $expected_default_settings); + $this->assertIdenticalArray($ckeditor->getDefaultSettings(), $expected_default_settings); // Keep the "CKEditor" editor selected and click the "Configure" button. $this->drupalPostAjaxForm(NULL, $edit, 'editor_configure'); @@ -134,7 +134,7 @@ function testExistingFormat() { $expected_settings['plugins']['stylescombo']['styles'] = ''; $editor = entity_load('editor', 'filtered_html'); $this->assertTrue($editor instanceof Editor, 'An Editor config entity exists now.'); - $this->assertIdentical($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); + $this->assertIdenticalArray($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); // Configure the Styles plugin, and ensure the updated settings are saved. $this->drupalGet('admin/config/content/formats/manage/filtered_html'); @@ -145,7 +145,7 @@ function testExistingFormat() { $expected_settings['plugins']['stylescombo']['styles'] = "h1.title|Title\np.callout|Callout\n\n"; $editor = entity_load('editor', 'filtered_html'); $this->assertTrue($editor instanceof Editor, 'An Editor config entity exists.'); - $this->assertIdentical($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); + $this->assertIdenticalArray($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); // Change the buttons that appear on the toolbar (in JavaScript, this is // done via drag and drop, but here we can only emulate the end result of @@ -162,7 +162,7 @@ function testExistingFormat() { $this->drupalPostForm(NULL, $edit, t('Save configuration')); $editor = entity_load('editor', 'filtered_html'); $this->assertTrue($editor instanceof Editor, 'An Editor config entity exists.'); - $this->assertIdentical($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); + $this->assertIdenticalArray($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); // Now enable the ckeditor_test module, which provides one configurable // CKEditor plugin — this should not affect the Editor config entity. @@ -174,7 +174,7 @@ function testExistingFormat() { $this->assertTrue(count($ultra_llama_mode_checkbox) === 1, 'The "Ultra llama mode" checkbox exists and is not checked.'); $editor = entity_load('editor', 'filtered_html'); $this->assertTrue($editor instanceof Editor, 'An Editor config entity exists.'); - $this->assertIdentical($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); + $this->assertIdenticalArray($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); // Finally, check the "Ultra llama mode" checkbox. $this->drupalGet('admin/config/content/formats/manage/filtered_html'); @@ -188,7 +188,7 @@ function testExistingFormat() { $expected_settings['plugins']['llama_contextual_and_button']['ultra_llama_mode'] = 1; $editor = entity_load('editor', 'filtered_html'); $this->assertTrue($editor instanceof Editor, 'An Editor config entity exists.'); - $this->assertIdentical($expected_settings, $editor->getSettings()); + $this->assertIdenticalArray($expected_settings, $editor->getSettings()); } /** @@ -250,7 +250,7 @@ function testNewFormat() { $expected_settings['plugins']['stylescombo']['styles'] = ''; $editor = entity_load('editor', 'amazing_format'); $this->assertTrue($editor instanceof Editor, 'An Editor config entity exists now.'); - $this->assertIdentical($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); + $this->assertIdenticalArray($expected_settings, $editor->getSettings(), 'The Editor config entity has the correct settings.'); } } diff --git a/core/modules/ckeditor/src/Tests/CKEditorLoadingTest.php b/core/modules/ckeditor/src/Tests/CKEditorLoadingTest.php index e4231a3..13100bd 100644 --- a/core/modules/ckeditor/src/Tests/CKEditorLoadingTest.php +++ b/core/modules/ckeditor/src/Tests/CKEditorLoadingTest.php @@ -107,7 +107,7 @@ function testLoading() { 'isXssSafe' => FALSE, ))); $this->assertTrue($editor_settings_present, "Text Editor module's JavaScript settings are on the page."); - $this->assertIdentical($expected, $settings['editor'], "Text Editor module's JavaScript settings on the page are correct."); + $this->assertIdenticalArray($expected, $settings['editor'], "Text Editor module's JavaScript settings on the page are correct."); $this->assertTrue($editor_js_present, 'Text Editor JavaScript is present.'); $this->assertTrue(count($body) === 1, 'A body field exists.'); $this->assertTrue(count($format_selector) === 1, 'A single text format selector exists on the page.'); @@ -137,7 +137,7 @@ function testLoading() { 'isXssSafe' => FALSE, ))); $this->assertTrue($editor_settings_present, "Text Editor module's JavaScript settings are on the page."); - $this->assertIdentical($expected, $settings['editor'], "Text Editor module's JavaScript settings on the page are correct."); + $this->assertIdenticalArray($expected, $settings['editor'], "Text Editor module's JavaScript settings on the page are correct."); $this->assertTrue($editor_js_present, 'Text Editor JavaScript is present.'); $this->assertTrue(isset($settings['ajaxPageState']['js']['core/modules/ckeditor/js/ckeditor.js']), 'CKEditor glue JS is present.'); $this->assertTrue(isset($settings['ajaxPageState']['js']['core/assets/vendor/ckeditor/ckeditor.js']), 'CKEditor lib JS is present.'); diff --git a/core/modules/ckeditor/src/Tests/CKEditorTest.php b/core/modules/ckeditor/src/Tests/CKEditorTest.php index be08da2..850c7f7 100644 --- a/core/modules/ckeditor/src/Tests/CKEditorTest.php +++ b/core/modules/ckeditor/src/Tests/CKEditorTest.php @@ -85,10 +85,10 @@ function testGetJSSettings() { // Default toolbar. $expected_config = $this->getDefaultInternalConfig() + array( - 'drupalImage_dialogTitleAdd' => 'Insert Image', - 'drupalImage_dialogTitleEdit' => 'Edit Image', - 'drupalLink_dialogTitleAdd' => 'Add Link', - 'drupalLink_dialogTitleEdit' => 'Edit Link', + 'drupalImage_dialogTitleAdd' => t('Insert Image'), + 'drupalImage_dialogTitleEdit' => t('Edit Image'), + 'drupalLink_dialogTitleAdd' => t('Add Link'), + 'drupalLink_dialogTitleEdit' => t('Edit Link'), 'allowedContent' => $this->getDefaultAllowedContentConfig(), 'disallowedContent' => $this->getDefaultDisallowedContentConfig(), 'toolbar' => $this->getDefaultToolbarConfig(), @@ -102,7 +102,7 @@ function testGetJSSettings() { ), ); ksort($expected_config); - $this->assertIdentical($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for default configuration.'); + $this->assertIdenticalArray($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for default configuration.'); // Customize the configuration: add button, have two contextually enabled // buttons, and configure a CKEditor plugin setting. @@ -123,7 +123,7 @@ function testGetJSSettings() { $expected_config['drupalExternalPlugins']['llama_contextual_and_button'] = file_create_url('core/modules/ckeditor/tests/modules/js/llama_contextual_and_button.js'); $expected_config['contentsCss'][] = file_create_url('core/modules/ckeditor/tests/modules/ckeditor_test.css'); ksort($expected_config); - $this->assertIdentical($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); + $this->assertIdenticalArray($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); // Change the allowed HTML tags; the "allowedContent" and "format_tags" // settings for CKEditor should automatically be updated as well. @@ -134,7 +134,7 @@ function testGetJSSettings() { $expected_config['allowedContent']['pre'] = array('attributes' => TRUE, 'styles' => FALSE, 'classes' => TRUE); $expected_config['allowedContent']['h3'] = array('attributes' => TRUE, 'styles' => FALSE, 'classes' => TRUE); $expected_config['format_tags'] = 'p;h3;h4;h5;h6;pre'; - $this->assertIdentical($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); + $this->assertIdenticalArray($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); // Disable the filter_html filter: allow *all *tags. $format->setFilterConfig('filter_html', array('status' => 0)); @@ -143,7 +143,7 @@ function testGetJSSettings() { $expected_config['allowedContent'] = TRUE; $expected_config['disallowedContent'] = FALSE; $expected_config['format_tags'] = 'p;h1;h2;h3;h4;h5;h6;pre'; - $this->assertIdentical($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); + $this->assertIdenticalArray($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); // Enable the filter_test_restrict_tags_and_attributes filter. $format->setFilterConfig('filter_test_restrict_tags_and_attributes', array( @@ -212,7 +212,7 @@ function testGetJSSettings() { ); $expected_config['format_tags'] = 'p'; ksort($expected_config); - $this->assertIdentical($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); + $this->assertIdenticalArray($expected_config, $this->ckeditor->getJSSettings($editor), 'Generated JS settings are correct for customized configuration.'); } /** @@ -223,7 +223,7 @@ function testBuildToolbarJSSetting() { // Default toolbar. $expected = $this->getDefaultToolbarConfig(); - $this->assertIdentical($expected, $this->ckeditor->buildToolbarJSSetting($editor), '"toolbar" configuration part of JS settings built correctly for default toolbar.'); + $this->assertIdenticalArray($expected, $this->ckeditor->buildToolbarJSSetting($editor), '"toolbar" configuration part of JS settings built correctly for default toolbar.'); // Customize the configuration. $settings = $editor->getSettings(); @@ -231,7 +231,7 @@ function testBuildToolbarJSSetting() { $editor->setSettings($settings); $editor->save(); $expected[0]['items'][] = 'Strike'; - $this->assertIdentical($expected, $this->ckeditor->buildToolbarJSSetting($editor), '"toolbar" configuration part of JS settings built correctly for customized toolbar.'); + $this->assertIdenticalArray($expected, $this->ckeditor->buildToolbarJSSetting($editor), '"toolbar" configuration part of JS settings built correctly for customized toolbar.'); // Enable the editor_test module, customize further. $this->enableModules(array('ckeditor_test')); @@ -243,7 +243,7 @@ function testBuildToolbarJSSetting() { $editor->save(); $expected[0]['name'] = 'JunkScience'; $expected[0]['items'][] = 'Llama'; - $this->assertIdentical($expected, $this->ckeditor->buildToolbarJSSetting($editor), '"toolbar" configuration part of JS settings built correctly for customized toolbar with contrib module-provided CKEditor plugin.'); + $this->assertIdenticalArray($expected, $this->ckeditor->buildToolbarJSSetting($editor), '"toolbar" configuration part of JS settings built correctly for customized toolbar with contrib module-provided CKEditor plugin.'); } /** diff --git a/core/modules/color/color.module b/core/modules/color/color.module index 335e0ad..6ce779f 100644 --- a/core/modules/color/color.module +++ b/core/modules/color/color.module @@ -8,6 +8,7 @@ use Drupal\Component\Utility\Bytes; use Drupal\Component\Utility\Environment; use Drupal\Component\Utility\String; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Request; /** @@ -275,7 +276,7 @@ function template_preprocess_color_scheme_form(&$variables) { // Attempt to load preview HTML if the theme provides it. $preview_html_path = DRUPAL_ROOT . '/' . (isset($info['preview_html']) ? drupal_get_path('theme', $theme) . '/' . $info['preview_html'] : drupal_get_path('module', 'color') . '/preview.html'); - $variables['html_preview'] = file_get_contents($preview_html_path); + $variables['html_preview'] = SafeMarkup::create(file_get_contents($preview_html_path)); } /** diff --git a/core/modules/comment/comment.module b/core/modules/comment/comment.module index b09bfa8..eb1bcae 100644 --- a/core/modules/comment/comment.module +++ b/core/modules/comment/comment.module @@ -963,7 +963,7 @@ function comment_node_update_index(EntityInterface $node, $langcode) { } } - $return = ''; + $build = array(); if ($index_comments) { foreach (\Drupal::service('comment.manager')->getFields('node') as $field_name => $info) { @@ -977,12 +977,11 @@ function comment_node_update_index(EntityInterface $node, $langcode) { if ($node->get($field_name)->status && $cids = comment_get_thread($node, $field_name, $mode, $comments_per_page)) { $comments = entity_load_multiple('comment', $cids); comment_prepare_thread($comments); - $build = comment_view_multiple($comments); - $return .= drupal_render($build); + $build[] = comment_view_multiple($comments); } } } - return $return; + return drupal_render($build); } /** diff --git a/core/modules/config/src/Tests/ConfigEntityListTest.php b/core/modules/config/src/Tests/ConfigEntityListTest.php index 71b7a4d..36e7b2c 100644 --- a/core/modules/config/src/Tests/ConfigEntityListTest.php +++ b/core/modules/config/src/Tests/ConfigEntityListTest.php @@ -68,28 +68,28 @@ function testList() { $actual_operations = $controller->getOperations($entity); // Sort the operations to normalize link order. uasort($actual_operations, array('Drupal\Component\Utility\SortArray', 'sortByWeightElement')); - $this->assertIdentical($expected_operations, $actual_operations, 'The operations are identical.'); + $this->assertIdenticalArray($expected_operations, $actual_operations, 'The operations are identical.'); // Test buildHeader() method. $expected_items = array( - 'label' => 'Label', - 'id' => 'Machine name', - 'operations' => 'Operations', + 'label' => t('Label'), + 'id' => t('Machine name'), + 'operations' => t('Operations'), ); $actual_items = $controller->buildHeader(); - $this->assertIdentical($expected_items, $actual_items, 'Return value from buildHeader matches expected.'); + $this->assertIdenticalArray($expected_items, $actual_items, 'Return value from buildHeader matches expected.'); // Test buildRow() method. $build_operations = $controller->buildOperations($entity); $expected_items = array( - 'label' => 'Default', + 'label' => t('Default'), 'id' => 'dotted.default', 'operations' => array( 'data' => $build_operations, ), ); $actual_items = $controller->buildRow($entity); - $this->assertIdentical($expected_items, $actual_items, 'Return value from buildRow matches expected.'); + $this->assertIdenticalArray($expected_items, $actual_items, 'Return value from buildRow matches expected.'); // Test sorting. $storage = $controller->getStorage(); $entity = $storage->create(array( @@ -136,7 +136,7 @@ function testList() { $actual_operations = $controller->getOperations($entity); // Sort the operations to normalize link order. uasort($actual_operations, array('Drupal\Component\Utility\SortArray', 'sortByWeightElement')); - $this->assertIdentical($expected_operations, $actual_operations, 'The operations are identical.'); + $this->assertIdenticalArray($expected_operations, $actual_operations, 'The operations are identical.'); } /** diff --git a/core/modules/config/src/Tests/ConfigImportRenameValidationTest.php b/core/modules/config/src/Tests/ConfigImportRenameValidationTest.php index 7e8024a..238e1d8 100644 --- a/core/modules/config/src/Tests/ConfigImportRenameValidationTest.php +++ b/core/modules/config/src/Tests/ConfigImportRenameValidationTest.php @@ -119,7 +119,7 @@ public function testRenameValidation() { $expected = array( String::format('Entity type mismatch on rename. !old_type not equal to !new_type for existing configuration !old_name and staged configuration !new_name.', array('old_type' => 'node_type', 'new_type' => 'config_test', 'old_name' => 'node.type.' . $content_type->id(), 'new_name' => 'config_test.dynamic.' . $test_entity_id)) ); - $this->assertIdentical($expected, $this->configImporter->getErrors()); + $this->assertIdenticalArray($expected, $this->configImporter->getErrors()); } } @@ -162,7 +162,7 @@ public function testRenameSimpleConfigValidation() { $expected = array( String::format('Rename operation for simple configuration. Existing configuration !old_name and staged configuration !new_name.', array('old_name' => 'config_test.old', 'new_name' => 'config_test.new')) ); - $this->assertIdentical($expected, $this->configImporter->getErrors()); + $this->assertIdenticalArray($expected, $this->configImporter->getErrors()); } } diff --git a/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php b/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php index b01feb8..52bd30a 100644 --- a/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php +++ b/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php @@ -517,7 +517,7 @@ public function testViewsTranslationUI() { $response = $this->renderContextualLinks($ids, 'node'); $this->assertResponse(200); $json = Json::decode($response); - $this->assertTrue(strpos($json[$ids[0]], t('Translate view')), 'Translate view contextual link added.'); + $this->assertTrue(strpos($json[$ids[0]], (string) t('Translate view')), 'Translate view contextual link added.'); $description = 'All content promoted to the front page.'; $human_readable_name = 'Frontpage'; diff --git a/core/modules/config_translation/tests/src/ConfigEntityMapperTest.php b/core/modules/config_translation/tests/src/ConfigEntityMapperTest.php index bdc04f8..68326d5 100644 --- a/core/modules/config_translation/tests/src/ConfigEntityMapperTest.php +++ b/core/modules/config_translation/tests/src/ConfigEntityMapperTest.php @@ -8,6 +8,7 @@ namespace Drupal\config_translation\Tests; use Drupal\config_translation\ConfigEntityMapper; +use Drupal\Core\Template\SafeMarkup; use Drupal\Tests\UnitTestCase; use Symfony\Component\Routing\Route; @@ -199,6 +200,8 @@ public function testGetOperations() { 'href' => 'admin/config/regional/config-translation/language_entity', ) ); + $this->assertTrue($result['list']['title'] instanceof SafeMarkup); + $result['list']['title'] = (string) $result['list']['title']; $this->assertSame($expected, $result); } diff --git a/core/modules/config_translation/tests/src/ConfigNamesMapperTest.php b/core/modules/config_translation/tests/src/ConfigNamesMapperTest.php index 41a6b1a..bc67a79 100644 --- a/core/modules/config_translation/tests/src/ConfigNamesMapperTest.php +++ b/core/modules/config_translation/tests/src/ConfigNamesMapperTest.php @@ -10,6 +10,7 @@ use Drupal\config_translation\ConfigNamesMapper; use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\Language\Language; +use Drupal\Core\Template\SafeMarkup; use Drupal\Tests\UnitTestCase; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -118,7 +119,8 @@ public function setUp() { */ public function testGetTitle() { $result = $this->configNamesMapper->getTitle(); - $this->assertSame($this->pluginDefinition['title'], $result); + $this->assertTrue($result instanceof SafeMarkup); + $this->assertSame($this->pluginDefinition['title'], (string) $result); } /** @@ -366,7 +368,8 @@ public function testPopulateFromRequest() { */ public function testGetTypeLabel() { $result = $this->configNamesMapper->getTypeLabel(); - $this->assertSame($this->pluginDefinition['title'], $result); + $this->assertTrue($result instanceof SafeMarkup); + $this->assertSame($this->pluginDefinition['title'], (string) $result); } /** @@ -597,7 +600,8 @@ public function providerTestHasTranslation() { */ public function testGetTypeName() { $result = $this->configNamesMapper->getTypeName(); - $this->assertSame('Settings', $result); + $this->assertTrue($result instanceof SafeMarkup); + $this->assertSame('Settings', (string) $result); } /** diff --git a/core/modules/contact/src/Tests/ContactPersonalTest.php b/core/modules/contact/src/Tests/ContactPersonalTest.php index f1df078..a2d793d 100644 --- a/core/modules/contact/src/Tests/ContactPersonalTest.php +++ b/core/modules/contact/src/Tests/ContactPersonalTest.php @@ -83,7 +83,7 @@ function testSendPersonalContactMessage() { '!recipient-name' => $this->contact_user->getUsername(), ); $this->assertEqual($mail['subject'], t('[!site-name] !subject', $variables), 'Subject is in sent message.'); - $this->assertTrue(strpos($mail['body'], t('Hello !recipient-name,', $variables)) !== FALSE, 'Recipient name is in sent message.'); + $this->assertTrue(strpos($mail['body'], (string) t('Hello !recipient-name,', $variables)) !== FALSE, 'Recipient name is in sent message.'); $this->assertTrue(strpos($mail['body'], $this->web_user->getUsername()) !== FALSE, 'Sender name is in sent message.'); $this->assertTrue(strpos($mail['body'], $message['message']) !== FALSE, 'Message body is in sent message.'); diff --git a/core/modules/editor/src/Tests/EditorManagerTest.php b/core/modules/editor/src/Tests/EditorManagerTest.php index 997d861..e7f685f 100644 --- a/core/modules/editor/src/Tests/EditorManagerTest.php +++ b/core/modules/editor/src/Tests/EditorManagerTest.php @@ -82,7 +82,7 @@ public function testManager() { $this->editorManager->clearCachedDefinitions(); // Case 2: a text editor available. - $this->assertIdentical(array('unicorn' => 'Unicorn Editor'), $this->editorManager->listOptions(), 'When some text editor is enabled, the manager works correctly.'); + $this->assertIdenticalArray(array('unicorn' => t('Unicorn Editor')), $this->editorManager->listOptions(), 'When some text editor is enabled, the manager works correctly.'); // Case 3: a text editor available & associated (but associated only with // the 'Full HTML' text format). diff --git a/core/modules/editor/tests/src/EditorXssFilter/StandardTest.php b/core/modules/editor/tests/src/EditorXssFilter/StandardTest.php index 7927eef..cc3a884 100644 --- a/core/modules/editor/tests/src/EditorXssFilter/StandardTest.php +++ b/core/modules/editor/tests/src/EditorXssFilter/StandardTest.php @@ -551,7 +551,7 @@ public function providerTestFilterXss() { */ public function testFilterXss($input, $expected_output) { $output = call_user_func($this->editorXssFilterClass . '::filterXss', $input, $this->format); - $this->assertSame($expected_output, $output); + $this->assertSame($expected_output, (string) $output); } } diff --git a/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php b/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php index e5ad209..9a5b732 100644 --- a/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php +++ b/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php @@ -90,7 +90,7 @@ public function getSettableOptions(AccountInterface $account = NULL) { $return = array(); foreach ($options as $bundle => $entity_ids) { $bundle_label = String::checkPlain($bundles[$bundle]['label']); - $return[$bundle_label] = $entity_ids; + $return[(string) $bundle_label] = $entity_ids; } return count($return) == 1 ? reset($return) : $return; diff --git a/core/modules/entity_reference/src/Tests/EntityReferenceAutocompleteTest.php b/core/modules/entity_reference/src/Tests/EntityReferenceAutocompleteTest.php index ff59b8b..ca19d6d 100644 --- a/core/modules/entity_reference/src/Tests/EntityReferenceAutocompleteTest.php +++ b/core/modules/entity_reference/src/Tests/EntityReferenceAutocompleteTest.php @@ -82,8 +82,8 @@ function testEntityReferenceAutocompletion() { // We should get both entities in a JSON encoded string. $input = '10/'; $data = $this->getAutocompleteResult('single', $input); - $this->assertIdentical($data[0]['label'], String::checkPlain($entity_1->name->value), 'Autocomplete returned the first matching entity'); - $this->assertIdentical($data[1]['label'], String::checkPlain($entity_2->name->value), 'Autocomplete returned the second matching entity'); + $this->assertIdentical($data[0]['label'], (string) String::checkPlain($entity_1->name->value), 'Autocomplete returned the first matching entity'); + $this->assertIdentical($data[1]['label'], (string) String::checkPlain($entity_2->name->value), 'Autocomplete returned the second matching entity'); // Try to autocomplete a entity label that matches the first entity. // We should only get the first entity in a JSON encoded string. @@ -91,7 +91,7 @@ function testEntityReferenceAutocompletion() { $data = $this->getAutocompleteResult('single', $input); $target = array( 'value' => $entity_1->name->value . ' (1)', - 'label' => String::checkPlain($entity_1->name->value), + 'label' => (string) String::checkPlain($entity_1->name->value), ); $this->assertIdentical(reset($data), $target, 'Autocomplete returns only the expected matching entity.'); @@ -99,7 +99,7 @@ function testEntityReferenceAutocompletion() { // the first entity is already typed in the autocomplete (tags) widget. $input = $entity_1->name->value . ' (1), 10/17'; $data = $this->getAutocompleteResult('tags', $input); - $this->assertIdentical($data[0]['label'], String::checkPlain($entity_2->name->value), 'Autocomplete returned the second matching entity'); + $this->assertIdentical($data[0]['label'], (string) String::checkPlain($entity_2->name->value), 'Autocomplete returned the second matching entity'); // Try to autocomplete a entity label with both a comma and a slash. $input = '"label with, and / t'; @@ -109,7 +109,7 @@ function testEntityReferenceAutocompletion() { $n = Tags::encode($n); $target = array( 'value' => $n, - 'label' => String::checkPlain($entity_3->name->value), + 'label' => (string) String::checkPlain($entity_3->name->value), ); $this->assertIdentical(reset($data), $target, 'Autocomplete returns an entity label containing a comma and a slash.'); } @@ -152,8 +152,8 @@ public function testBaseField() { $result = $entity_reference_controller->handleAutocomplete($request, 'single', 'user_id', 'entity_test', 'entity_test', 'NULL')->getContent(); $data = Json::decode($result); - $this->assertIdentical($data[0]['label'], String::checkPlain($user_1->getUsername()), 'Autocomplete returned the first matching entity'); - $this->assertIdentical($data[1]['label'], String::checkPlain($user_2->getUsername()), 'Autocomplete returned the second matching entity'); + $this->assertIdentical($data[0]['label'], (string) String::checkPlain($user_1->getUsername()), 'Autocomplete returned the first matching entity'); + $this->assertIdentical($data[1]['label'], (string) String::checkPlain($user_2->getUsername()), 'Autocomplete returned the second matching entity'); // Checks that exception thrown for unknown field. try { diff --git a/core/modules/entity_reference/src/Tests/EntityReferenceSelectionSortTest.php b/core/modules/entity_reference/src/Tests/EntityReferenceSelectionSortTest.php index 06f0a69..6e6b379 100644 --- a/core/modules/entity_reference/src/Tests/EntityReferenceSelectionSortTest.php +++ b/core/modules/entity_reference/src/Tests/EntityReferenceSelectionSortTest.php @@ -131,7 +131,7 @@ public function testSort() { $nodes['published2']->id() => $node_labels['published2'], $nodes['published1']->id() => $node_labels['published1'], ); - $this->assertIdentical($result['article'], $expected_result, 'Query sorted by field returned expected values.'); + $this->assertIdenticalArray($result['article'], $expected_result, 'Query sorted by field returned expected values.'); // Assert sort by property. $instance->settings['handler_settings']['sort'] = array( @@ -144,6 +144,6 @@ public function testSort() { $nodes['published1']->id() => $node_labels['published1'], $nodes['published2']->id() => $node_labels['published2'], ); - $this->assertIdentical($result['article'], $expected_result, 'Query sorted by property returned expected values.'); + $this->assertIdenticalArray($result['article'], $expected_result, 'Query sorted by property returned expected values.'); } } diff --git a/core/modules/field/field.module b/core/modules/field/field.module index 4e0157d..7b0ac51 100644 --- a/core/modules/field/field.module +++ b/core/modules/field/field.module @@ -9,6 +9,7 @@ use Drupal\Core\Config\ConfigImporter; use Drupal\Core\Entity\EntityTypeInterface; use Drupal\Core\Extension\Extension; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Request; /* @@ -266,7 +267,7 @@ function field_entity_bundle_delete($entity_type, $bundle) { * UTF-8. */ function field_filter_xss($string) { - return Html::normalize(Xss::filter($string, _field_filter_xss_allowed_tags())); + return SafeMarkup::create(Html::normalize(Xss::filter($string, _field_filter_xss_allowed_tags()))); } /** diff --git a/core/modules/field/src/Plugin/views/field/Field.php b/core/modules/field/src/Plugin/views/field/Field.php index ec794fd..4a949f5 100644 --- a/core/modules/field/src/Plugin/views/field/Field.php +++ b/core/modules/field/src/Plugin/views/field/Field.php @@ -7,12 +7,14 @@ namespace Drupal\field\Plugin\views\field; +use Drupal\Component\Utility\String; use Drupal\Component\Utility\Xss; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Field\FieldDefinition; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Entity\ContentEntityDatabaseStorage; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Field\FormatterPluginManager; @@ -685,11 +687,11 @@ public function submitGroupByForm(&$form, &$form_state) { protected function renderItems($items) { if (!empty($items)) { if (!$this->options['group_rows']) { - return implode('', $items); + return SafeMarkup::implode('', $items); } if ($this->options['multi_type'] == 'separator') { - return implode(Xss::filterAdmin($this->options['separator']), $items); + return SafeMarkup::create(implode(Xss::filterAdmin($this->options['separator']), $items)); } else { $item_list = array( diff --git a/core/modules/field_ui/src/DisplayOverviewBase.php b/core/modules/field_ui/src/DisplayOverviewBase.php index 2a6f46f..29ea754 100644 --- a/core/modules/field_ui/src/DisplayOverviewBase.php +++ b/core/modules/field_ui/src/DisplayOverviewBase.php @@ -13,6 +13,7 @@ use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Field\FieldTypePluginManagerInterface; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -398,7 +399,7 @@ protected function buildFieldRow(FieldDefinitionInterface $field_definition, Ent if (!empty($summary)) { $field_row['settings_summary'] = array( - '#markup' => '
' . implode('
', $summary) . '
', + '#markup' => '
' . SafeMarkup::implode('
', $summary) . '
', '#cell_attributes' => array('class' => array('field-plugin-summary-cell')), ); } diff --git a/core/modules/field_ui/src/FieldConfigListBuilder.php b/core/modules/field_ui/src/FieldConfigListBuilder.php index 0da1bf9..91f8d45 100644 --- a/core/modules/field_ui/src/FieldConfigListBuilder.php +++ b/core/modules/field_ui/src/FieldConfigListBuilder.php @@ -7,11 +7,13 @@ namespace Drupal\field_ui; +use Drupal\Component\Utility\String; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Entity\EntityTypeInterface; use Drupal\Core\Field\FieldTypePluginManagerInterface; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -117,7 +119,7 @@ public function buildRow(EntityInterface $field) { $usage[] = $this->bundles[$field->entity_type][$bundle]['label']; } } - $row['data']['usage'] = implode(', ', $usage); + $row['data']['usage'] = SafeMarkup::implode(', ', $usage); return $row; } diff --git a/core/modules/file/file.field.inc b/core/modules/file/file.field.inc index f9aa9f9..f3b3fb2 100644 --- a/core/modules/file/file.field.inc +++ b/core/modules/file/file.field.inc @@ -8,6 +8,7 @@ use Drupal\Component\Utility\Html; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; /** * Returns HTML for an individual file upload widget. @@ -125,7 +126,7 @@ function theme_file_widget_multiple($variables) { $row[] = $display; } $row[] = $weight; - $row[] = $operations; + $row[] = SafeMarkup::create($operations); $rows[] = array( 'data' => $row, 'class' => isset($widget['#attributes']['class']) ? array_merge($widget['#attributes']['class'], array('draggable')) : array('draggable'), diff --git a/core/modules/file/file.module b/core/modules/file/file.module index 47b72ef..4c41b78 100644 --- a/core/modules/file/file.module +++ b/core/modules/file/file.module @@ -7,6 +7,7 @@ use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; use Drupal\file\Entity\File; use Drupal\Component\Utility\NestedArray; use Drupal\Component\Utility\Unicode; @@ -943,10 +944,10 @@ function file_save_upload($form_field_name, $validators = array(), $destination '#theme' => 'item_list', '#items' => $errors, ); - $message .= drupal_render($item_list); + $message = SafeMarkup::concat($message, drupal_render($item_list)); } else { - $message .= ' ' . array_pop($errors); + $message = SafeMarkup::concat($message, ' ', array_pop($errors)); } drupal_set_message($message, 'error'); $files[$i] = FALSE; diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module index f25fe79..b01ad2b 100644 --- a/core/modules/filter/filter.module +++ b/core/modules/filter/filter.module @@ -13,6 +13,7 @@ use Drupal\Core\Render\Element; use Drupal\Core\Session\AccountInterface; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\filter\FilterFormatInterface; use Drupal\filter\Plugin\FilterInterface; use Symfony\Component\HttpFoundation\Request; @@ -414,7 +415,7 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE, \Drupal::cache('filter')->set($cache_id, $text, Cache::PERMANENT, array('filter_format' => $format->id())); } - return $text; + return SafeMarkup::create($text); } /** diff --git a/core/modules/filter/src/Plugin/Filter/FilterCaption.php b/core/modules/filter/src/Plugin/Filter/FilterCaption.php index 08ad4c8..9fb40fe 100644 --- a/core/modules/filter/src/Plugin/Filter/FilterCaption.php +++ b/core/modules/filter/src/Plugin/Filter/FilterCaption.php @@ -11,6 +11,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Xss; +use Drupal\Core\Template\SafeMarkup; use Drupal\filter\Plugin\FilterBase; /** @@ -76,7 +77,7 @@ public function process($text, $langcode, $cache, $cache_id) { // caption. $filter_caption = array( '#theme' => 'filter_caption', - '#node' => $node->C14N(), + '#node' => SafeMarkup::create($node->C14N()), '#tag' => $node->tagName, '#caption' => $caption, '#align' => $align, diff --git a/core/modules/filter/src/Tests/FilterAPITest.php b/core/modules/filter/src/Tests/FilterAPITest.php index 1c33d74..7468a92 100644 --- a/core/modules/filter/src/Tests/FilterAPITest.php +++ b/core/modules/filter/src/Tests/FilterAPITest.php @@ -94,7 +94,7 @@ function testCheckMarkupFilterOrder() { $text = "

Llamas are awesome!

"; $expected_filtered_text = "<p>Llamas are awesome!</p>"; - $this->assertIdentical(check_markup($text, 'crazy'), $expected_filtered_text, 'Filters applied in correct order.'); + $this->assertIdentical((string) check_markup($text, 'crazy'), $expected_filtered_text, 'Filters applied in correct order.'); } /** @@ -106,12 +106,12 @@ function testCheckMarkupFilterSubset() { $expected_filter_text_without_html_generators = "Text with evil content and a URL: http://drupal.org!"; $this->assertIdentical( - check_markup($text, 'filtered_html', '', FALSE, array()), + (string) check_markup($text, 'filtered_html', '', FALSE, array()), $expected_filtered_text, 'Expected filter result.' ); $this->assertIdentical( - check_markup($text, 'filtered_html', '', FALSE, array(FilterInterface::TYPE_MARKUP_LANGUAGE)), + (string) check_markup($text, 'filtered_html', '', FALSE, array(FilterInterface::TYPE_MARKUP_LANGUAGE)), $expected_filter_text_without_html_generators, 'Expected filter result when skipping FilterInterface::TYPE_MARKUP_LANGUAGE filters.' ); @@ -120,7 +120,7 @@ function testCheckMarkupFilterSubset() { // Drupal core only ships with these two types of filters, so this is the // most extensive test possible. $this->assertIdentical( - check_markup($text, 'filtered_html', '', FALSE, array(FilterInterface::TYPE_HTML_RESTRICTOR, FilterInterface::TYPE_MARKUP_LANGUAGE)), + (string) check_markup($text, 'filtered_html', '', FALSE, array(FilterInterface::TYPE_HTML_RESTRICTOR, FilterInterface::TYPE_MARKUP_LANGUAGE)), $expected_filter_text_without_html_generators, 'Expected filter result when skipping FilterInterface::TYPE_MARKUP_LANGUAGE filters, even when trying to disable filters of the FilterInterface::TYPE_HTML_RESTRICTOR type.' ); diff --git a/core/modules/filter/templates/filter-guidelines.html.twig b/core/modules/filter/templates/filter-guidelines.html.twig index 88a3b47..ecf9b94 100644 --- a/core/modules/filter/templates/filter-guidelines.html.twig +++ b/core/modules/filter/templates/filter-guidelines.html.twig @@ -20,6 +20,6 @@ */ #} -

{{ format.name|escape }}

+

{{ format.name }}

{{ tips }} diff --git a/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderBaseTest.php b/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderBaseTest.php index 8b71d69..b807da0 100644 --- a/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderBaseTest.php +++ b/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderBaseTest.php @@ -7,8 +7,6 @@ namespace Drupal\forum\Tests\Breadcrumb; -use Drupal\Tests\UnitTestCase; - /** * Tests the ForumManager. * @@ -18,7 +16,7 @@ * * @see \Drupal\forum\ForumManager */ -class ForumBreadcrumbBuilderBaseTest extends UnitTestCase { +class ForumBreadcrumbBuilderBaseTest extends ForumBreadcrumbBuilderTestCase { /** * {@inheritdoc} @@ -136,12 +134,7 @@ public function testBuild() { $property->setValue($breadcrumb_builder, $translation_manager); // Add a link generator for l(). - $link_generator = $this->getMockBuilder('Drupal\Core\Utility\LinkGeneratorInterface') - ->disableOriginalConstructor() - ->getMock(); - $link_generator->expects($this->any()) - ->method('generate') - ->will($this->returnArgument(0)); + $link_generator = $this->getLinkGeneratorStub(); $property = new \ReflectionProperty('Drupal\forum\Breadcrumb\ForumNodeBreadcrumbBuilder', 'linkGenerator'); $property->setAccessible(TRUE); $property->setValue($breadcrumb_builder, $link_generator); @@ -156,7 +149,7 @@ public function testBuild() { ); // And finally, the test. - $this->assertSame($expected, $breadcrumb_builder->build($attributes)); + $this->assertBreadcrumb($expected, $breadcrumb_builder, $attributes); } } diff --git a/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderTestCase.php b/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderTestCase.php new file mode 100644 index 0000000..e5a73c4 --- /dev/null +++ b/core/modules/forum/tests/src/Breadcrumb/ForumBreadcrumbBuilderTestCase.php @@ -0,0 +1,47 @@ +getMock('Drupal\Core\Utility\LinkGeneratorInterface'); + $link_generator->expects($this->any()) + ->method('generate') + ->will($this->returnCallback(function ($argument) { return $argument === '' ? '' : SafeMarkup::create($argument); })); + return $link_generator; + } + + /** + * Asserts a breadcrumb is built as expected. + * + * @param $expected + * @param $breadcrumb_builder + * @param $attributes + */ + public function assertBreadcrumb($expected, $breadcrumb_builder, $attributes) { + $breadcrumb = $breadcrumb_builder->build($attributes); + foreach ($breadcrumb as $key => $element) { + $this->assertTrue($element instanceof SafeMarkup); + $this->assertSame($expected[$key], (string) $element); + } + } + +} diff --git a/core/modules/forum/tests/src/Breadcrumb/ForumListingBreadcrumbBuilderTest.php b/core/modules/forum/tests/src/Breadcrumb/ForumListingBreadcrumbBuilderTest.php index 7a58343..92a2fb7 100644 --- a/core/modules/forum/tests/src/Breadcrumb/ForumListingBreadcrumbBuilderTest.php +++ b/core/modules/forum/tests/src/Breadcrumb/ForumListingBreadcrumbBuilderTest.php @@ -7,7 +7,6 @@ namespace Drupal\forum\Tests\Breadcrumb; -use Drupal\Tests\UnitTestCase; use Symfony\Cmf\Component\Routing\RouteObjectInterface; /** @@ -19,7 +18,7 @@ * * @see \Drupal\forum\ForumListingBreadcrumbBuilder */ -class ForumListingBreadcrumbBuilderTest extends UnitTestCase { +class ForumListingBreadcrumbBuilderTest extends ForumBreadcrumbBuilderTestCase { /** * {@inheritdoc} @@ -192,12 +191,7 @@ public function testBuild() { $property->setValue($breadcrumb_builder, $translation_manager); // Add a link generator for l(). - $link_generator = $this->getMockBuilder('Drupal\Core\Utility\LinkGeneratorInterface') - ->disableOriginalConstructor() - ->getMock(); - $link_generator->expects($this->any()) - ->method('generate') - ->will($this->returnArgument(0)); + $link_generator = $this->getLinkGeneratorStub(); $property = new \ReflectionProperty('Drupal\forum\Breadcrumb\ForumNodeBreadcrumbBuilder', 'linkGenerator'); $property->setAccessible(TRUE); $property->setValue($breadcrumb_builder, $link_generator); @@ -222,7 +216,7 @@ public function testBuild() { 'Fora_is_the_plural_of_forum', 'Something', ); - $this->assertSame($expected1, $breadcrumb_builder->build($attributes)); + $this->assertBreadcrumb($expected1, $breadcrumb_builder, $attributes); // Second test. $expected2 = array( @@ -231,7 +225,8 @@ public function testBuild() { 'Something else', 'Something', ); - $this->assertSame($expected2, $breadcrumb_builder->build($attributes)); + $this->assertBreadcrumb($expected2, $breadcrumb_builder, $attributes); + } } diff --git a/core/modules/forum/tests/src/Breadcrumb/ForumNodeBreadcrumbBuilderTest.php b/core/modules/forum/tests/src/Breadcrumb/ForumNodeBreadcrumbBuilderTest.php index d1019f5..c306557 100644 --- a/core/modules/forum/tests/src/Breadcrumb/ForumNodeBreadcrumbBuilderTest.php +++ b/core/modules/forum/tests/src/Breadcrumb/ForumNodeBreadcrumbBuilderTest.php @@ -7,7 +7,6 @@ namespace Drupal\forum\Tests\Breadcrumb; -use Drupal\Tests\UnitTestCase; use Symfony\Cmf\Component\Routing\RouteObjectInterface; /** @@ -19,7 +18,7 @@ * @see \Drupal\forum\ForumNodeBreadcrumbBuilder * @coversDefaultClass \Drupal\forum\Breadcrumb\ForumNodeBreadcrumbBuilder */ -class ForumNodeBreadcrumbBuilderTest extends UnitTestCase { +class ForumNodeBreadcrumbBuilderTest extends ForumBreadcrumbBuilderTestCase { /** * {@inheritdoc} @@ -200,12 +199,7 @@ public function testBuild() { $property->setValue($breadcrumb_builder, $translation_manager); // Add a link generator for l(). - $link_generator = $this->getMockBuilder('Drupal\Core\Utility\LinkGeneratorInterface') - ->disableOriginalConstructor() - ->getMock(); - $link_generator->expects($this->any()) - ->method('generate') - ->will($this->returnArgument(0)); + $link_generator = $this->getLinkGeneratorStub(); $property = new \ReflectionProperty('Drupal\forum\Breadcrumb\ForumNodeBreadcrumbBuilder', 'linkGenerator'); $property->setAccessible(TRUE); $property->setValue($breadcrumb_builder, $link_generator); @@ -226,7 +220,7 @@ public function testBuild() { 'Forums', 'Something', ); - $this->assertSame($expected1, $breadcrumb_builder->build($attributes)); + $this->assertBreadcrumb($expected1, $breadcrumb_builder, $attributes); // Second test. $expected2 = array( @@ -235,7 +229,7 @@ public function testBuild() { 'Something else', 'Something', ); - $this->assertSame($expected2, $breadcrumb_builder->build($attributes)); + $this->assertBreadcrumb($expected2, $breadcrumb_builder, $attributes); } } diff --git a/core/modules/image/image.admin.inc b/core/modules/image/image.admin.inc index e87ec99..52d6bf9 100644 --- a/core/modules/image/image.admin.inc +++ b/core/modules/image/image.admin.inc @@ -4,8 +4,11 @@ * @file * Administration pages for image settings. */ + use Drupal\Component\Utility\String; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; + /** * Returns HTML for a listing of the effects within a specific image style. * @@ -30,7 +33,8 @@ function theme_image_style_effects($variables) { } else { // Add the row for adding a new image effect. - $row[] = '
' . drupal_render($form['new']['new']) . drupal_render($form['new']['add']) . '
'; + $cell = '
' . drupal_render($form['new']['new']) . drupal_render($form['new']['add']) . '
'; + $row[] = SafeMarkup::create($cell); $row[] = drupal_render($form['new']['weight']); $row[] = ''; } diff --git a/core/modules/language/src/Form/NegotiationBrowserForm.php b/core/modules/language/src/Form/NegotiationBrowserForm.php index f82e54a..fe66925 100644 --- a/core/modules/language/src/Form/NegotiationBrowserForm.php +++ b/core/modules/language/src/Form/NegotiationBrowserForm.php @@ -74,8 +74,8 @@ public function buildForm(array $form, array &$form_state) { } else { $language_options = array( - $this->t('Existing languages') => $existing_languages, - $this->t('Languages not yet added') => $this->languageManager->getStandardLanguageListWithoutConfigured(), + (string) $this->t('Existing languages') => $existing_languages, + (string) $this->t('Languages not yet added') => $this->languageManager->getStandardLanguageListWithoutConfigured(), ); } diff --git a/core/modules/locale/locale.pages.inc b/core/modules/locale/locale.pages.inc index c35e33a..a0d4be6 100644 --- a/core/modules/locale/locale.pages.inc +++ b/core/modules/locale/locale.pages.inc @@ -8,6 +8,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Language\Language; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; use Drupal\locale\SourceString; use Drupal\locale\TranslationString; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -293,7 +294,7 @@ function theme_locale_translate_edit_form_strings($variables) { } $source .= empty($string['context']) ? '' : '
' . t('In Context') . ': ' . $string['context']['#value'] . ''; $rows[] = array( - array('data' => $source), + array('data' => SafeMarkup::create($source)), array('data' => $string['translations']), ); } diff --git a/core/modules/locale/src/Form/ImportForm.php b/core/modules/locale/src/Form/ImportForm.php index 21b3150..97a4fbc 100644 --- a/core/modules/locale/src/Form/ImportForm.php +++ b/core/modules/locale/src/Form/ImportForm.php @@ -95,8 +95,8 @@ public function buildForm(array $form, array &$form_state) { else { $default = key($existing_languages); $language_options = array( - $this->t('Existing languages') => $existing_languages, - $this->t('Languages not yet added') => $this->languageManager->getStandardLanguageListWithoutConfigured(), + (string) $this->t('Existing languages') => $existing_languages, + (string) $this->t('Languages not yet added') => $this->languageManager->getStandardLanguageListWithoutConfigured(), ); } diff --git a/core/modules/locale/src/Tests/LocaleImportFunctionalTest.php b/core/modules/locale/src/Tests/LocaleImportFunctionalTest.php index d822f10..5665fce 100644 --- a/core/modules/locale/src/Tests/LocaleImportFunctionalTest.php +++ b/core/modules/locale/src/Tests/LocaleImportFunctionalTest.php @@ -208,8 +208,8 @@ function testLanguageContext() { 'langcode' => 'hr', )); - $this->assertIdentical(t('May', array(), array('langcode' => 'hr', 'context' => 'Long month name')), 'Svibanj', 'Long month name context is working.'); - $this->assertIdentical(t('May', array(), array('langcode' => 'hr')), 'Svi.', 'Default context is working.'); + $this->assertIdentical((string) t('May', array(), array('langcode' => 'hr', 'context' => 'Long month name')), 'Svibanj', 'Long month name context is working.'); + $this->assertIdentical((string) t('May', array(), array('langcode' => 'hr')), 'Svi.', 'Default context is working.'); } /** @@ -224,7 +224,7 @@ function testEmptyMsgstr() { )); $this->assertRaw(t('One translation file imported. %number translations were added, %update translations were updated and %delete translations were removed.', array('%number' => 1, '%update' => 0, '%delete' => 0)), 'The translation file was successfully imported.'); - $this->assertIdentical(t('Operations', array(), array('langcode' => $langcode)), 'Műveletek', 'String imported and translated.'); + $this->assertIdentical((string) t('Operations', array(), array('langcode' => $langcode)), 'Műveletek', 'String imported and translated.'); // Try importing a .po file. $this->importPoFile($this->getPoFileWithEmptyMsgstr(), array( diff --git a/core/modules/locale/src/Tests/LocalePluralFormatTest.php b/core/modules/locale/src/Tests/LocalePluralFormatTest.php index c8adf97..84a7bb1 100644 --- a/core/modules/locale/src/Tests/LocalePluralFormatTest.php +++ b/core/modules/locale/src/Tests/LocalePluralFormatTest.php @@ -132,7 +132,7 @@ function testGetPluralFormat() { // expected index as per the logic for translation lookups. $expected_plural_index = ($count == 1) ? 0 : $expected_plural_index; $expected_plural_string = str_replace('@count', $count, $plural_strings[$langcode][$expected_plural_index]); - $this->assertIdentical(format_plural($count, '1 hour', '@count hours', array(), array('langcode' => $langcode)), $expected_plural_string, 'Plural translation of 1 hours / @count hours for count ' . $count . ' in ' . $langcode . ' is ' . $expected_plural_string); + $this->assertIdentical((string) format_plural($count, '1 hour', '@count hours', array(), array('langcode' => $langcode)), $expected_plural_string, 'Plural translation of 1 hours / @count hours for count ' . $count . ' in ' . $langcode . ' is ' . $expected_plural_string); } } } diff --git a/core/modules/locale/templates/locale-translation-update-info.html.twig b/core/modules/locale/templates/locale-translation-update-info.html.twig index 809028a..2af4c57 100644 --- a/core/modules/locale/templates/locale-translation-update-info.html.twig +++ b/core/modules/locale/templates/locale-translation-update-info.html.twig @@ -21,7 +21,7 @@
{% if modules %} - {% set module_list = modules|join(', ') %} + {% set module_list = modules|join(', ')|raw %} {% trans %}Updates for: {{ module_list }}{% endtrans %} {% elseif missing_updates_status %} {{ missing_updates_status }} diff --git a/core/modules/node/node.install b/core/modules/node/node.install index d0d6d1c..b7c73fd 100644 --- a/core/modules/node/node.install +++ b/core/modules/node/node.install @@ -7,6 +7,7 @@ use Drupal\Component\Uuid\Uuid; use Drupal\Core\Language\Language; +use Drupal\Core\Template\SafeMarkup; /** * Implements hook_requirements(). @@ -29,7 +30,9 @@ function node_requirements($phase) { $requirements['node_access'] = array( 'title' => t('Node Access Permissions'), 'value' => $value, - 'description' => $description . ' ' . l(t('Rebuild permissions'), 'admin/reports/status/rebuild'), + // The results of t() is safe and so is the results of l(). Preserving + // safe object. + 'description' => SafeMarkup::create($description . ' ' . l(t('Rebuild permissions'), 'admin/reports/status/rebuild')), ); } return $requirements; diff --git a/core/modules/node/node.pages.inc b/core/modules/node/node.pages.inc index 45ff09f..bdd5d9e 100644 --- a/core/modules/node/node.pages.inc +++ b/core/modules/node/node.pages.inc @@ -10,6 +10,7 @@ */ use Drupal\Component\Utility\Xss; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\RedirectResponse; use Drupal\node\NodeInterface; @@ -142,9 +143,11 @@ function node_revision_overview($node) { '#theme' => 'username', '#account' => $revision->getOwner(), ); - $row[] = array('data' => t('!date by !username', array('!date' => l(format_date($revision->getRevisionCreationTime(), 'short'), 'node/' . $node->id()), '!username' => drupal_render($username))) - . (($revision->log->value != '') ? '

' . Xss::filter($revision->log->value) . '

' : ''), - 'class' => array('revision-current')); + $cell = t('!date by !username', array('!date' => l(format_date($revision->getRevisionCreationTime(), 'short'), 'node/' . $node->id()), '!username' => drupal_render($username))); + if ($revision->log->value != '') { + $cell .= '

' . Xss::filter($revision->log->value) . '

'; + } + $row[] = array('data' => SafeMarkup::create($cell), 'class' => array('revision-current')); $row[] = array('data' => drupal_placeholder(t('current revision')), 'class' => array('revision-current')); } else { @@ -152,8 +155,14 @@ function node_revision_overview($node) { '#theme' => 'username', '#account' => $revision->getOwner(), ); - $row[] = t('!date by !username', array('!date' => l(format_date($revision->getRevisionCreationTime(), 'short'), "node/" . $node->id() . "/revisions/" . $vid . "/view"), '!username' => drupal_render($username))) - . (($revision->log->value != '') ? '

' . Xss::filter($revision->log->value) . '

' : ''); + $cell = t('!date by !username', array( + '!date' => l(format_date($revision->getRevisionCreationTime(), 'short'), "node/" . $node->id() . "/revisions/" . $vid . "/view"), + '!username' => drupal_render($username) + )); + if ($revision->log->value != '') { + $cell .= '

' . Xss::filter($revision->log->value) . '

'; + } + $row[] = $cell; if ($revert_permission) { $links['revert'] = array( 'title' => t('Revert'), diff --git a/core/modules/node/src/NodeViewBuilder.php b/core/modules/node/src/NodeViewBuilder.php index 606ef36..138e1bd 100644 --- a/core/modules/node/src/NodeViewBuilder.php +++ b/core/modules/node/src/NodeViewBuilder.php @@ -10,6 +10,7 @@ use Drupal\Core\Entity\Display\EntityViewDisplayInterface; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityViewBuilder; +use Drupal\Core\Template\SafeMarkup; /** * Render controller for nodes. @@ -124,7 +125,7 @@ public static function renderLinks(array $element, array $context) { \Drupal::moduleHandler()->alter('node_links', $links, $entity, $hook_context); } $markup = drupal_render($links); - $element['#markup'] = str_replace($placeholder, $markup, $element['#markup']); + $element['#markup'] = SafeMarkup::strReplace($placeholder, $markup, $element['#markup']); return $element; } diff --git a/core/modules/node/src/Plugin/Search/NodeSearch.php b/core/modules/node/src/Plugin/Search/NodeSearch.php index 1bcd79b..c42f296 100644 --- a/core/modules/node/src/Plugin/Search/NodeSearch.php +++ b/core/modules/node/src/Plugin/Search/NodeSearch.php @@ -17,6 +17,7 @@ use Drupal\Core\Session\AccountInterface; use Drupal\Core\Access\AccessibleInterface; use Drupal\Core\Database\Query\Condition; +use Drupal\Core\Template\SafeMarkup; use Drupal\node\NodeInterface; use Drupal\search\Plugin\ConfigurableSearchPluginBase; use Drupal\search\Plugin\SearchIndexingInterface; @@ -265,10 +266,12 @@ public function execute() { $node = $node_storage->load($item->sid)->getTranslation($item->langcode); $build = $node_render->view($node, 'search_result', $item->langcode); unset($build['#theme']); - $node->rendered = drupal_render($build); // Fetch comment count for snippet. - $node->rendered .= ' ' . $this->moduleHandler->invoke('comment', 'node_update_index', array($node, $item->langcode)); + $node->rendered = SafeMarkup::implode(' ', array( + drupal_render($build), + $this->moduleHandler->invoke('comment', 'node_update_index', array($node, $item->langcode)), + )); $extra = $this->moduleHandler->invokeAll('node_search_result', array($node, $item->langcode)); diff --git a/core/modules/node/src/Plugin/views/row/Rss.php b/core/modules/node/src/Plugin/views/row/Rss.php index 2df6281..1a0e641 100644 --- a/core/modules/node/src/Plugin/views/row/Rss.php +++ b/core/modules/node/src/Plugin/views/row/Rss.php @@ -7,6 +7,7 @@ namespace Drupal\node\Plugin\views\row; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Plugin\views\row\RowPluginBase; /** @@ -161,7 +162,7 @@ public function render($row) { } $item = new \stdClass(); - $item->description = $item_text; + $item->description = SafeMarkup::create($item_text); $item->title = $node->label(); $item->link = $node->link; $item->elements = $node->rss_elements; diff --git a/core/modules/options/src/Tests/OptionsFormattersTest.php b/core/modules/options/src/Tests/OptionsFormattersTest.php index 34cda3a..be7b63f 100644 --- a/core/modules/options/src/Tests/OptionsFormattersTest.php +++ b/core/modules/options/src/Tests/OptionsFormattersTest.php @@ -45,7 +45,7 @@ public function testFormatter() { $build = $items->view(array('type' => 'list_key')); $this->assertEqual($build['#formatter'], 'list_key', 'The chosen formatter is used.'); - $this->assertEqual($build[0]['#markup'], 1); + $this->assertEqual($build[0]['#markup'], "1"); } } diff --git a/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php b/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php index 220a14a..8d1aeda 100644 --- a/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php +++ b/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php @@ -497,7 +497,7 @@ public function testConcurrentEdit() { $ajax_commands = Json::decode($response); $this->assertIdentical(2, count($ajax_commands), 'The field form HTTP request results in two AJAX commands.'); $this->assertIdentical('quickeditFieldFormValidationErrors', $ajax_commands[1]['command'], 'The second AJAX command is a quickeditFieldFormValidationErrors command.'); - $this->assertTrue(strpos($ajax_commands[1]['data'], t('The content has either been modified by another user, or you have already submitted modifications. As a result, your changes cannot be saved.')), 'Error message returned to user.'); + $this->assertTrue(strpos($ajax_commands[1]['data'], (string) t('The content has either been modified by another user, or you have already submitted modifications. As a result, your changes cannot be saved.')), 'Error message returned to user.'); } } diff --git a/core/modules/rdf/rdf.module b/core/modules/rdf/rdf.module index 8ea735b..b532d49 100644 --- a/core/modules/rdf/rdf.module +++ b/core/modules/rdf/rdf.module @@ -5,7 +5,9 @@ * Enables semantically enriched output for Drupal sites in the form of RDFa. */ +use Drupal\Component\Utility\String; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Symfony\Cmf\Component\Routing\RouteObjectInterface; use Symfony\Component\HttpFoundation\Request; @@ -299,7 +301,7 @@ function rdf_preprocess_node(&$variables) { $author_mapping = $mapping->getPreparedFieldMapping('uid'); if (!empty($author_mapping['properties']) && $variables['submitted']) { $author_attributes = array('rel' => $author_mapping['properties']); - $variables['submitted'] = '' . $variables['submitted'] . ''; + $variables['submitted'] = SafeMarkup::create('' . $variables['submitted'] . ''); } // Adds RDFa markup for the date. @@ -310,7 +312,7 @@ function rdf_preprocess_node(&$variables) { '#theme' => 'rdf_metadata', '#metadata' => array($date_attributes), ); - $variables['submitted'] .= drupal_render($rdf_metadata); + $variables['submitted'] = SafeMarkup::create($variables['submitted'] . drupal_render($rdf_metadata)); } // Adds RDFa markup annotating the number of comments a node has. @@ -457,8 +459,9 @@ function rdf_preprocess_comment(&$variables) { $author_attributes = array('rel' => $author_mapping['properties']); // Wraps the author variable and the submitted variable which are both // available in comment.html.twig. - $variables['author'] = '' . $variables['author'] . ''; - $variables['submitted'] = '' . $variables['submitted'] . ''; + $author = $variables['author'] instanceof SafeMarkup ? $variables['author'] : String::checkPlain($variables['author']); + $variables['author'] = SafeMarkup::create('' . $author . ''); + $variables['submitted'] = SafeMarkup::create('' . $variables['submitted'] . ''); } // Adds RDFa markup for the date of the comment. $created_mapping = $mapping->getPreparedFieldMapping('created'); @@ -474,8 +477,8 @@ function rdf_preprocess_comment(&$variables) { $created_metadata_markup = drupal_render($rdf_metadata); // Appends the markup to the created variable and the submitted variable // which are both available in comment.html.twig. - $variables['created'] .= $created_metadata_markup; - $variables['submitted'] .= $created_metadata_markup; + $variables['created'] = SafeMarkup::implode('', array($variables['created'], $created_metadata_markup)); + $variables['submitted'] = SafeMarkup::create($variables['submitted'] . $created_metadata_markup); } $title_mapping = $mapping->getPreparedFieldMapping('subject'); if (!empty($title_mapping)) { diff --git a/core/modules/responsive_image/responsive_image.module b/core/modules/responsive_image/responsive_image.module index 53c182c..ce5b205 100644 --- a/core/modules/responsive_image/responsive_image.module +++ b/core/modules/responsive_image/responsive_image.module @@ -7,6 +7,7 @@ use Drupal\breakpoint\Entity\Breakpoint; use \Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Request; /** @@ -190,7 +191,6 @@ function theme_responsive_image($variables) { } $sources = array(); - $output = array(); // Fallback image, output as source with media query. $sources[] = array( @@ -234,6 +234,7 @@ function theme_responsive_image($variables) { } if (!empty($sources)) { + $output = array(); $output[] = ''; // Add source tags to the output. @@ -253,7 +254,7 @@ function theme_responsive_image($variables) { } $output[] = ''; - return implode("\n", $output); + return SafeMarkup::implode("\n", $output); } } diff --git a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php index 2a72be5..516b963 100644 --- a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php +++ b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php @@ -97,7 +97,7 @@ public function testSerializerResponses() { // Mock the request content type by setting it on the display handler. $view->display_handler->setContentType('json'); $output = $view->preview(); - $this->assertIdentical($actual_json, drupal_render($output), 'The expected JSON preview output was found.'); + $this->assertIdentical($actual_json, (string) drupal_render($output), 'The expected JSON preview output was found.'); // Test a 403 callback. $this->drupalGet('test/serialize/denied'); @@ -195,7 +195,7 @@ public function testUIFieldAlias() { foreach ($view->result as $row) { $expected_row = array(); foreach ($view->field as $id => $field) { - $expected_row[$id] = $field->render($row); + $expected_row[$id] = (string) $field->render($row); } $expected[] = $expected_row; } @@ -230,7 +230,7 @@ public function testUIFieldAlias() { foreach ($view->result as $row) { $expected_row = array(); foreach ($view->field as $id => $field) { - $expected_row[$alias_map[$id]] = $field->render($row); + $expected_row[$alias_map[$id]] = (string) $field->render($row); } $expected[] = $expected_row; } diff --git a/core/modules/search/search.module b/core/modules/search/search.module index 594e325..f5eb040 100644 --- a/core/modules/search/search.module +++ b/core/modules/search/search.module @@ -6,6 +6,7 @@ */ use Drupal\Component\Utility\Unicode; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Request; /** @@ -721,7 +722,7 @@ function search_excerpt($keys, $text, $langcode = NULL) { // Highlight keywords. Must be done at once to prevent conflicts ('strong' // and ''). $text = trim(preg_replace('/' . $boundary . '(?:' . implode('|', $keys) . ')' . $boundary . '/iu', '\0', ' ' . $text . ' ')); - return $text; + return SafeMarkup::create($text); } /** diff --git a/core/modules/search/src/Tests/SearchEmbedFormTest.php b/core/modules/search/src/Tests/SearchEmbedFormTest.php index 985eae1..cf686d7 100644 --- a/core/modules/search/src/Tests/SearchEmbedFormTest.php +++ b/core/modules/search/src/Tests/SearchEmbedFormTest.php @@ -70,10 +70,8 @@ function testEmbeddedForm() { // Now verify that we can see and submit the form from the search results. $this->drupalGet('search/node', array('query' => array('keys' => $this->node->label()))); $this->assertText(t('Your name'), 'Form is visible'); - $this->drupalPostForm(NULL, - array('name' => 'John'), - t('Send away')); - $this->assertText(t('Test form was submitted'), 'Form message appears'); + $this->drupalPostForm(NULL, array('name' => 'John'), t('Send away')); + $this->assertText((string) t('Test form was submitted'), 'Form message appears'); $count = \Drupal::state()->get('search_embedded_form.submit_count'); $this->assertEqual($this->submit_count + 1, $count, 'Form submission count is correct'); $this->submit_count = $count; diff --git a/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php b/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php index ea15f9e..4eebfa8 100644 --- a/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php +++ b/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php @@ -6,6 +6,7 @@ */ namespace Drupal\search\Tests; +use Drupal\Component\Utility\String; /** * Tests the searching without keywords. @@ -58,6 +59,6 @@ function testSearchKeyswordsConditions() { $keys = 'moving drop ' . $this->randomName(); $this->drupalGet("search/dummy_path", array('query' => array('keys' => 'bike', 'search_conditions' => $keys))); $this->assertText("Dummy search snippet to display."); - $this->assertRaw(print_r(array('keys' => 'bike', 'search_conditions' => $keys), TRUE)); + $this->assertRaw(String::checkPlain(print_r(array('keys' => 'bike', 'search_conditions' => $keys), TRUE))); } } diff --git a/core/modules/search/tests/modules/search_embedded_form/search_embedded_form.module b/core/modules/search/tests/modules/search_embedded_form/search_embedded_form.module index 2561131..53630cd 100644 --- a/core/modules/search/tests/modules/search_embedded_form/search_embedded_form.module +++ b/core/modules/search/tests/modules/search_embedded_form/search_embedded_form.module @@ -9,10 +9,12 @@ * individual product (node) listed in the search results. */ +use Drupal\Core\Template\SafeMarkup; + /** * Adds the test form to search results. */ function search_embedded_form_preprocess_search_result(&$variables) { $form = \Drupal::formBuilder()->getForm('Drupal\search_embedded_form\Form\SearchEmbeddedForm'); - $variables['snippet'] .= drupal_render($form); + $variables['snippet'] = SafeMarkup::implode('', array($variables['snippet'] , drupal_render($form))); } diff --git a/core/modules/serialization/serialization.services.yml b/core/modules/serialization/serialization.services.yml index bc491e6..796beda 100644 --- a/core/modules/serialization/serialization.services.yml +++ b/core/modules/serialization/serialization.services.yml @@ -20,6 +20,10 @@ services: class: Drupal\serialization\Normalizer\ListNormalizer tags: - { name: normalizer } + serializer.normalizer.safe_markup: + class: Drupal\serialization\Normalizer\SafeMarkupNormalizer + tags: + - { name: normalizer } serializer.normalizer.typed_data: class: Drupal\serialization\Normalizer\TypedDataNormalizer tags: diff --git a/core/modules/serialization/src/Normalizer/SafeMarkupNormalizer.php b/core/modules/serialization/src/Normalizer/SafeMarkupNormalizer.php new file mode 100644 index 0000000..1ed94b9 --- /dev/null +++ b/core/modules/serialization/src/Normalizer/SafeMarkupNormalizer.php @@ -0,0 +1,29 @@ +render(); + } + +} diff --git a/core/modules/shortcut/shortcut.module b/core/modules/shortcut/shortcut.module index 09ead75..ffd758f 100644 --- a/core/modules/shortcut/shortcut.module +++ b/core/modules/shortcut/shortcut.module @@ -346,7 +346,7 @@ function shortcut_preprocess_page(&$variables) { $query = array( 'link' => $link, - 'name' => $variables['title'], + 'name' => (string) $variables['title'], ); $query += drupal_get_destination(); diff --git a/core/modules/simpletest/simpletest.module b/core/modules/simpletest/simpletest.module index bec96c4..dd03660 100644 --- a/core/modules/simpletest/simpletest.module +++ b/core/modules/simpletest/simpletest.module @@ -526,7 +526,7 @@ function simpletest_test_get_all($module = NULL) { } } - $groups[$info['group']][$class] = $info; + $groups[(string) $info['group']][$class] = $info; } } diff --git a/core/modules/simpletest/src/Form/SimpletestResultsForm.php b/core/modules/simpletest/src/Form/SimpletestResultsForm.php index 299f305..e9251ca 100644 --- a/core/modules/simpletest/src/Form/SimpletestResultsForm.php +++ b/core/modules/simpletest/src/Form/SimpletestResultsForm.php @@ -9,6 +9,7 @@ use Drupal\Core\Database\Connection; use Drupal\Core\Form\FormBase; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -155,7 +156,8 @@ public function buildForm(array $form, array &$form_state, $test_id = NULL) { $rows = array(); foreach ($assertions as $assertion) { $row = array(); - $row[] = $assertion->message; + // @todo Need to preserve safe markup, not create it. + $row[] = SafeMarkup::create($assertion->message); $row[] = $assertion->message_group; $row[] = drupal_basename($assertion->file); $row[] = $assertion->line; diff --git a/core/modules/simpletest/src/Form/SimpletestTestForm.php b/core/modules/simpletest/src/Form/SimpletestTestForm.php index e3876a5..466ea67 100644 --- a/core/modules/simpletest/src/Form/SimpletestTestForm.php +++ b/core/modules/simpletest/src/Form/SimpletestTestForm.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\SortArray; use Drupal\Component\Utility\String; use Drupal\Core\Form\FormBase; +use Drupal\Core\Template\SafeMarkup; /** * List tests arranged in groups that can be selected and run. @@ -87,8 +88,8 @@ public function buildForm(array $form, array &$form_state) { 'data' => array( 'simpleTest' => array( 'images' => array( - drupal_render($image_collapsed), - drupal_render($image_extended), + (string) drupal_render($image_collapsed), + (string) drupal_render($image_extended), ), ), ), diff --git a/core/modules/simpletest/src/TestBase.php b/core/modules/simpletest/src/TestBase.php index 023cf8e..977b65f 100644 --- a/core/modules/simpletest/src/TestBase.php +++ b/core/modules/simpletest/src/TestBase.php @@ -277,7 +277,7 @@ protected function assert($status, $message = '', $group = 'Other', array $calle 'test_id' => $this->testId, 'test_class' => get_class($this), 'status' => $status, - 'message' => $message, + 'message' => (string) $message, 'message_group' => $group, 'function' => $caller['function'], 'line' => $caller['line'], @@ -641,11 +641,46 @@ protected function assertIdenticalObject($object1, $object2, $message = '', $gro )); $identical = TRUE; foreach ($object1 as $key => $value) { - $identical = $identical && isset($object2->$key) && $object2->$key === $value; + $identical = $identical && property_exists($object2, $key) && $object2->$key === $value; } return $this->assertTrue($identical, $message, $group); } + /** + * Asserts two array are identical. + * + * Use this helper if the arrays contain objects. + * + * @param array $array1 + * The first array to check. + * @param array $array2 + * The second array to check. + * @param $message + * (optional) A message to display with the assertion. Do not translate + * messages: use \Drupal\Component\Utility\String::format() to embed + * variables in the message text, not t(). If left blank, a default message + * will be displayed. + * @param $group + * (optional) The group this message is in, which is displayed in a column + * in test output. Use 'Debug' to indicate this is debugging output. Do not + * translate this string. Defaults to 'Other'; most tests do not override + * this default. + */ + protected function assertIdenticalArray(array $array1, array $array2, $message = '', $group = 'Other') { + $this->assertEqual(count($array1), count($array2)); + foreach (array_keys($array1) as $key) { + if (is_array($array1[$key])) { + $this->assertIdenticalArray($array1[$key], $array2[$key]); + } + elseif (is_object($array1[$key])) { + $this->assertIdenticalObject($array1[$key], $array2[$key]); + } + else { + $this->assertIdentical($array1[$key], $array2[$key]); + } + } + } + /** * Asserts that no errors have been logged to the PHP error.log thus far. * diff --git a/core/modules/simpletest/src/WebTestBase.php b/core/modules/simpletest/src/WebTestBase.php index ec50d4d..c4f6ed4 100644 --- a/core/modules/simpletest/src/WebTestBase.php +++ b/core/modules/simpletest/src/WebTestBase.php @@ -23,6 +23,7 @@ use Drupal\Core\StreamWrapper\PublicStream; use Drupal\Core\Datetime\DrupalDateTime; use Drupal\block\Entity\Block; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\CssSelector\CssSelector; @@ -1629,6 +1630,9 @@ protected function drupalGetAJAX($path, array $options = array(), array $headers */ protected function drupalPostForm($path, $edit, $submit, array $options = array(), array $headers = array(), $form_html_id = NULL, $extra_post = NULL) { $submit_matches = FALSE; + if ($submit instanceof SafeMarkup) { + $submit = (string) $submit; + } $ajax = is_array($submit); if (isset($path)) { $this->drupalGet($path, $options); @@ -2285,7 +2289,7 @@ protected function buildXPathQuery($xpath, array $args = array()) { // XPath 1.0 doesn't support a way to escape single or double quotes in a // string literal. We split double quotes out of the string, and encode // them separately. - if (is_string($value)) { + if (is_string($value) || $value instanceof SafeMarkup) { // Explode the text at the quote characters. $parts = explode('"', $value); @@ -2776,7 +2780,7 @@ protected function assertRaw($raw, $message = '', $group = 'Other') { if (!$message) { $message = String::format('Raw "@raw" found', array('@raw' => $raw)); } - return $this->assert(strpos($this->drupalGetContent(), $raw) !== FALSE, $message, $group); + return $this->assert(strpos($this->drupalGetContent(), (string) $raw) !== FALSE, $message, $group); } /** @@ -2803,7 +2807,7 @@ protected function assertNoRaw($raw, $message = '', $group = 'Other') { if (!$message) { $message = String::format('Raw "@raw" not found', array('@raw' => $raw)); } - return $this->assert(strpos($this->drupalGetContent(), $raw) === FALSE, $message, $group); + return $this->assert(strpos($this->drupalGetContent(), (string) $raw) === FALSE, $message, $group); } /** @@ -2887,7 +2891,7 @@ protected function assertTextHelper($text, $message = '', $group, $not_exists) { if (!$message) { $message = !$not_exists ? String::format('"@text" found', array('@text' => $text)) : String::format('"@text" not found', array('@text' => $text)); } - return $this->assert($not_exists == (strpos($this->plainTextContent, $text) === FALSE), $message, $group); + return $this->assert($not_exists == (strpos($this->plainTextContent, (string) $text) === FALSE), $message, $group); } /** @@ -2966,6 +2970,7 @@ protected function assertNoUniqueText($text, $message = '', $group = 'Other') { * TRUE on pass, FALSE on fail. */ protected function assertUniqueTextHelper($text, $message = '', $group, $be_unique) { + $text = (string) $text; if ($this->plainTextContent === FALSE) { $this->plainTextContent = Xss::filter($this->drupalGetContent(), array()); } @@ -3122,7 +3127,7 @@ protected function assertThemeOutput($callback, array $variables = array(), $exp $message = '%callback rendered correctly.'; } $message = format_string($message, array('%callback' => 'theme_' . $callback . '()')); - return $this->assertIdentical($output, $expected, $message, $group); + return $this->assertIdentical((string) $output, $expected, $message, $group); } /** @@ -3701,6 +3706,7 @@ protected function assertMail($name, $value = '', $message = '', $group = 'E-mai protected function assertMailString($field_name, $string, $email_depth, $message = '', $group = 'Other') { $mails = $this->drupalGetMails(); $string_found = FALSE; + $string = (string) $string; for ($i = count($mails) -1; $i >= count($mails) - $email_depth && $i >= 0; $i--) { $mail = $mails[$i]; // Normalize whitespace, as we don't know what the mail system might have diff --git a/core/modules/system/src/Form/ModulesListForm.php b/core/modules/system/src/Form/ModulesListForm.php index d061495..a0a0ee9 100644 --- a/core/modules/system/src/Form/ModulesListForm.php +++ b/core/modules/system/src/Form/ModulesListForm.php @@ -17,6 +17,7 @@ use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; use Drupal\Core\Render\Element; use Drupal\Core\Session\AccountInterface; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; use Drupal\Core\Access\AccessManager; @@ -162,7 +163,7 @@ public function buildForm(array $form, array &$form_state) { '#open' => TRUE, '#theme' => 'system_modules_details', '#header' => array( - array('data' => '', 'class' => array('checkbox')), + array('data' => SafeMarkup::create(''), 'class' => array('checkbox')), array('data' => $this->t('Name'), 'class' => array('name')), array('data' => $this->t('Description'), 'class' => array('description', RESPONSIVE_PRIORITY_LOW)), ), diff --git a/core/modules/system/src/Form/ModulesUninstallForm.php b/core/modules/system/src/Form/ModulesUninstallForm.php index 7438e48..b272148 100644 --- a/core/modules/system/src/Form/ModulesUninstallForm.php +++ b/core/modules/system/src/Form/ModulesUninstallForm.php @@ -10,6 +10,7 @@ use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Form\FormBase; use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** diff --git a/core/modules/system/src/Tests/Common/FormatDateTest.php b/core/modules/system/src/Tests/Common/FormatDateTest.php index 171b915..624b8e7 100644 --- a/core/modules/system/src/Tests/Common/FormatDateTest.php +++ b/core/modules/system/src/Tests/Common/FormatDateTest.php @@ -85,9 +85,9 @@ function testAdminDefinedFormatDate() { $this->assertText(t('Custom date format added.')); $timestamp = strtotime('2007-03-10T00:00:00+00:00'); - $this->assertIdentical(format_date($timestamp, 'example_style', '', 'America/Los_Angeles'), '9 Mar 07', 'Test format_date() using an admin-defined date type.'); - $this->assertIdentical(format_date($timestamp, 'example_style_uppercase', '', 'America/Los_Angeles'), '9 Mar 2007', 'Test format_date() using an admin-defined date type with different case.'); - $this->assertIdentical(format_date($timestamp, 'undefined_style'), format_date($timestamp, 'fallback'), 'Test format_date() defaulting to `fallback` when $type not found.'); + $this->assertIdentical((string) format_date($timestamp, 'example_style', '', 'America/Los_Angeles'), '9 Mar 07', 'Test format_date() using an admin-defined date type.'); + $this->assertIdentical((string) format_date($timestamp, 'example_style_uppercase', '', 'America/Los_Angeles'), '9 Mar 2007', 'Test format_date() using an admin-defined date type with different case.'); + $this->assertIdentical((string) format_date($timestamp, 'undefined_style'), (string) format_date($timestamp, 'fallback'), 'Test format_date() defaulting to `fallback` when $type not found.'); } /** @@ -99,12 +99,12 @@ function testFormatDate() { $language_interface = \Drupal::languageManager()->getCurrentLanguage(); $timestamp = strtotime('2007-03-26T00:00:00+00:00'); - $this->assertIdentical(format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'America/Los_Angeles', 'en'), 'Sunday, 25-Mar-07 17:00:00 PDT', 'Test all parameters.'); - $this->assertIdentical(format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), 'domingo, 25-Mar-07 17:00:00 PDT', 'Test translated format.'); - $this->assertIdentical(format_date($timestamp, 'custom', '\\l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), 'l, 25-Mar-07 17:00:00 PDT', 'Test an escaped format string.'); - $this->assertIdentical(format_date($timestamp, 'custom', '\\\\l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), '\\domingo, 25-Mar-07 17:00:00 PDT', 'Test format containing backslash character.'); - $this->assertIdentical(format_date($timestamp, 'custom', '\\\\\\l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), '\\l, 25-Mar-07 17:00:00 PDT', 'Test format containing backslash followed by escaped format string.'); - $this->assertIdentical(format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'Europe/London', 'en'), 'Monday, 26-Mar-07 01:00:00 BST', 'Test a different time zone.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'America/Los_Angeles', 'en'), 'Sunday, 25-Mar-07 17:00:00 PDT', 'Test all parameters.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), 'domingo, 25-Mar-07 17:00:00 PDT', 'Test translated format.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', '\\l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), 'l, 25-Mar-07 17:00:00 PDT', 'Test an escaped format string.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', '\\\\l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), '\\domingo, 25-Mar-07 17:00:00 PDT', 'Test format containing backslash character.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', '\\\\\\l, d-M-y H:i:s T', 'America/Los_Angeles', self::LANGCODE), '\\l, 25-Mar-07 17:00:00 PDT', 'Test format containing backslash followed by escaped format string.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'Europe/London', 'en'), 'Monday, 26-Mar-07 01:00:00 BST', 'Test a different time zone.'); // Create an admin user and add Spanish language. $admin_user = $this->drupalCreateUser(array('administer languages')); @@ -137,21 +137,21 @@ function testFormatDate() { // Simulate a Drupal bootstrap with the logged-in user. date_default_timezone_set(drupal_get_user_timezone()); - $this->assertIdentical(format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'America/Los_Angeles', 'en'), 'Sunday, 25-Mar-07 17:00:00 PDT', 'Test a different language.'); - $this->assertIdentical(format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'Europe/London'), 'Monday, 26-Mar-07 01:00:00 BST', 'Test a different time zone.'); - $this->assertIdentical(format_date($timestamp, 'custom', 'l, d-M-y H:i:s T'), 'domingo, 25-Mar-07 17:00:00 PDT', 'Test custom date format.'); - $this->assertIdentical(format_date($timestamp, 'long'), 'domingo, 25. marzo 2007 - 17:00', 'Test long date format.'); - $this->assertIdentical(format_date($timestamp, 'medium'), '25. marzo 2007 - 17:00', 'Test medium date format.'); - $this->assertIdentical(format_date($timestamp, 'short'), '2007 Mar 25 - 5:00pm', 'Test short date format.'); - $this->assertIdentical(format_date($timestamp), '25. marzo 2007 - 17:00', 'Test default date format.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'America/Los_Angeles', 'en'), 'Sunday, 25-Mar-07 17:00:00 PDT', 'Test a different language.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', 'l, d-M-y H:i:s T', 'Europe/London'), 'Monday, 26-Mar-07 01:00:00 BST', 'Test a different time zone.'); + $this->assertIdentical((string) format_date($timestamp, 'custom', 'l, d-M-y H:i:s T'), 'domingo, 25-Mar-07 17:00:00 PDT', 'Test custom date format.'); + $this->assertIdentical((string) format_date($timestamp, 'long'), 'domingo, 25. marzo 2007 - 17:00', 'Test long date format.'); + $this->assertIdentical((string) format_date($timestamp, 'medium'), '25. marzo 2007 - 17:00', 'Test medium date format.'); + $this->assertIdentical((string) format_date($timestamp, 'short'), '2007 Mar 25 - 5:00pm', 'Test short date format.'); + $this->assertIdentical((string) format_date($timestamp), '25. marzo 2007 - 17:00', 'Test default date format.'); // Test HTML time element formats. - $this->assertIdentical(format_date($timestamp, 'html_datetime'), '2007-03-25T17:00:00-0700', 'Test html_datetime date format.'); - $this->assertIdentical(format_date($timestamp, 'html_date'), '2007-03-25', 'Test html_date date format.'); - $this->assertIdentical(format_date($timestamp, 'html_time'), '17:00:00', 'Test html_time date format.'); - $this->assertIdentical(format_date($timestamp, 'html_yearless_date'), '03-25', 'Test html_yearless_date date format.'); - $this->assertIdentical(format_date($timestamp, 'html_week'), '2007-W12', 'Test html_week date format.'); - $this->assertIdentical(format_date($timestamp, 'html_month'), '2007-03', 'Test html_month date format.'); - $this->assertIdentical(format_date($timestamp, 'html_year'), '2007', 'Test html_year date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_datetime'), '2007-03-25T17:00:00-0700', 'Test html_datetime date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_date'), '2007-03-25', 'Test html_date date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_time'), '17:00:00', 'Test html_time date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_yearless_date'), '03-25', 'Test html_yearless_date date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_week'), '2007-W12', 'Test html_week date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_month'), '2007-03', 'Test html_month date format.'); + $this->assertIdentical((string) format_date($timestamp, 'html_year'), '2007', 'Test html_year date format.'); // Restore the original user and language, and enable session saving. $user = $real_user; diff --git a/core/modules/system/src/Tests/Common/RenderElementTypesTest.php b/core/modules/system/src/Tests/Common/RenderElementTypesTest.php index 15a1904..9b3059f 100644 --- a/core/modules/system/src/Tests/Common/RenderElementTypesTest.php +++ b/core/modules/system/src/Tests/Common/RenderElementTypesTest.php @@ -54,7 +54,7 @@ protected function assertElements(array $elements, $expected_html, $message) { $out .= ''; $this->verbose($out); - $this->assertIdentical($actual_html, $expected_html, String::checkPlain($message)); + $this->assertIdentical((string) $actual_html, $expected_html, String::checkPlain($message)); } /** diff --git a/core/modules/system/src/Tests/Common/RenderTest.php b/core/modules/system/src/Tests/Common/RenderTest.php index 8edbb07..3efbecc 100644 --- a/core/modules/system/src/Tests/Common/RenderTest.php +++ b/core/modules/system/src/Tests/Common/RenderTest.php @@ -277,7 +277,8 @@ function testDrupalRenderBasics() { ); foreach($types as $type) { - $this->assertIdentical(drupal_render($type['value']), $type['expected'], '"' . $type['name'] . '" input rendered correctly by drupal_render().'); + $value = drupal_render($type['value']); + $this->assertIdentical((string) $value, $type['expected'], '"' . $type['name'] . '" input rendered correctly by drupal_render().'); } } @@ -394,14 +395,14 @@ function testDrupalRenderThemeArguments() { '#theme' => 'common_test_foo', ); // Test that defaults work. - $this->assertEqual(drupal_render($element), 'foobar', 'Defaults work'); + $this->assertEqual((string) drupal_render($element), 'foobar', 'Defaults work'); $element = array( '#theme' => 'common_test_foo', '#foo' => $this->randomName(), '#bar' => $this->randomName(), ); // Tests that passing arguments to the theme function works. - $this->assertEqual(drupal_render($element), $element['#foo'] . $element['#bar'], 'Passing arguments to theme functions works'); + $this->assertEqual((string) drupal_render($element), $element['#foo'] . $element['#bar'], 'Passing arguments to theme functions works'); } /** @@ -470,8 +471,8 @@ function testDrupalRenderPostRenderCache() { $element = $test_element; $element['#markup'] = '

#cache disabled

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); - $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -486,9 +487,9 @@ function testDrupalRenderPostRenderCache() { $element['#cache'] = array('cid' => 'post_render_cache_test_GET'); $element['#markup'] = '

#cache enabled, GET

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); - $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); + $this->assertIdentical((string) $element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -509,7 +510,7 @@ function testDrupalRenderPostRenderCache() { $element['#cache'] = array('cid' => 'post_render_cache_test_GET'); $element['#markup'] = '

#cache enabled, GET

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -526,9 +527,9 @@ function testDrupalRenderPostRenderCache() { $element['#cache'] = array('cid' => 'post_render_cache_test_POST'); $element['#markup'] = '

#cache enabled, POST

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); - $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); + $this->assertIdentical((string) $element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -589,9 +590,9 @@ function testDrupalRenderChildrenPostRenderCache() { ); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); - $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); + $this->assertIdentical((string) $element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $expected_settings = $context_1 + $context_2 + $context_3; $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -635,7 +636,7 @@ function testDrupalRenderChildrenPostRenderCache() { drupal_static_reset('_drupal_add_js'); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -647,8 +648,8 @@ function testDrupalRenderChildrenPostRenderCache() { unset($test_element['#cache']); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); - $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $expected_settings = $context_1 + $context_2 + $context_3; $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -667,9 +668,9 @@ function testDrupalRenderChildrenPostRenderCache() { $element['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_parent'); $element['child']['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_child'); $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); - $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); + $this->assertIdentical((string) $element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $expected_settings = $context_1 + $context_2 + $context_3; $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -742,7 +743,7 @@ function testDrupalRenderChildrenPostRenderCache() { $element = $test_element; $element['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_parent'); $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -754,7 +755,7 @@ function testDrupalRenderChildrenPostRenderCache() { $element['child']['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_child'); $element = $element['child']; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $settings = $this->parseDrupalSettings(drupal_get_js()); $expected_settings = $context_2 + $context_3; @@ -790,7 +791,7 @@ function testDrupalRenderRenderCachePlaceholder() { drupal_static_reset('_drupal_add_js'); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -803,9 +804,9 @@ function testDrupalRenderRenderCachePlaceholder() { $element = $test_element; $element['#cache'] = array('cid' => 'render_cache_placeholder_test_GET'); $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); - $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); + $this->assertIdentical((string) $element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -840,7 +841,7 @@ function testDrupalRenderRenderCachePlaceholder() { $element = $test_element; $element['#cache'] = array('cid' => 'render_cache_placeholder_test_GET'); $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -880,7 +881,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { drupal_static_reset('_drupal_add_js'); $element = $container; $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -899,9 +900,9 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $element['#children'] = drupal_render($child, TRUE); // Eventually, drupal_render() gets called on the root element. $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); - $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); + $this->assertIdentical((string) $element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -996,7 +997,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $child = &$element['test_element']; $element['#children'] = drupal_render($child, TRUE); $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); diff --git a/core/modules/system/src/Tests/Common/UrlTest.php b/core/modules/system/src/Tests/Common/UrlTest.php index 7cda6a3..e8890ce 100644 --- a/core/modules/system/src/Tests/Common/UrlTest.php +++ b/core/modules/system/src/Tests/Common/UrlTest.php @@ -39,7 +39,7 @@ function testLinkXSS() { $path = ""; $link = l($text, $path); $sanitized_path = check_url(url($path)); - $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by l().', array('@path' => $path))); + $this->assertTrue(strpos($link, (string) $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by l().', array('@path' => $path))); // Test #type 'link'. $link_array = array( @@ -49,7 +49,7 @@ function testLinkXSS() { ); $type_link = drupal_render($link_array); $sanitized_path = check_url(url($path)); - $this->assertTrue(strpos($type_link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by #theme', array('@path' => $path))); + $this->assertTrue(strpos($type_link, (string) $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by #theme', array('@path' => $path))); } /** diff --git a/core/modules/system/src/Tests/Common/XssUnitTest.php b/core/modules/system/src/Tests/Common/XssUnitTest.php index d54cc74..9e54f38 100644 --- a/core/modules/system/src/Tests/Common/XssUnitTest.php +++ b/core/modules/system/src/Tests/Common/XssUnitTest.php @@ -60,7 +60,7 @@ function testBadProtocolStripping() { $url = 'javascript:http://www.example.com/?x=1&y=2'; $expected_plain = 'http://www.example.com/?x=1&y=2'; $expected_html = 'http://www.example.com/?x=1&y=2'; - $this->assertIdentical(check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.'); + $this->assertIdentical((string) check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.'); $this->assertIdentical(UrlHelper::stripDangerousProtocols($url), $expected_plain, '\Drupal\Component\Utility\Url::stripDangerousProtocols() filters a URL and returns plain text.'); } } diff --git a/core/modules/system/src/Tests/Entity/EntityTranslationTest.php b/core/modules/system/src/Tests/Entity/EntityTranslationTest.php index 2086c14..f9b1a17 100644 --- a/core/modules/system/src/Tests/Entity/EntityTranslationTest.php +++ b/core/modules/system/src/Tests/Entity/EntityTranslationTest.php @@ -497,7 +497,7 @@ function testLanguageFallback() { $translation = $this->entityManager->getTranslationFromContext($entity2, $default_langcode); $translation_build = $controller->view($translation); $translation_output = drupal_render($translation_build); - $this->assertIdentical($entity2_output, $translation_output, 'When the entity has no translation no fallback is applied.'); + $this->assertIdentical((string) $entity2_output, (string) $translation_output, 'When the entity has no translation no fallback is applied.'); // Checks that entity translations are rendered properly. $controller = $this->entityManager->getViewBuilder($entity_type); diff --git a/core/modules/system/src/Tests/Form/FormTest.php b/core/modules/system/src/Tests/Form/FormTest.php index e45defc..ef001d7 100644 --- a/core/modules/system/src/Tests/Form/FormTest.php +++ b/core/modules/system/src/Tests/Form/FormTest.php @@ -143,7 +143,7 @@ function testRequiredFields() { // Select elements are going to have validation errors with empty // input, since those are illegal choices. Just make sure the // error is not "field is required". - $this->assertTrue((empty($errors[$element]) || strpos('field is required', $errors[$element]) === FALSE), "Optional '$type' field '$element' is not treated as a required element"); + $this->assertTrue((empty($errors[$element]) || strpos('field is required', (string) $errors[$element]) === FALSE), "Optional '$type' field '$element' is not treated as a required element"); } else { // Make sure there is *no* form error for this element. diff --git a/core/modules/system/src/Tests/Menu/MenuTestBase.php b/core/modules/system/src/Tests/Menu/MenuTestBase.php index d205b13..e66dcf9 100644 --- a/core/modules/system/src/Tests/Menu/MenuTestBase.php +++ b/core/modules/system/src/Tests/Menu/MenuTestBase.php @@ -65,7 +65,7 @@ protected function assertBreadcrumbParts($trail) { foreach ($trail as $path => $title) { $url = url($path); $part = array_shift($parts); - $pass = ($pass && $part['href'] === $url && $part['text'] === check_plain($title)); + $pass = ($pass && $part['href'] === $url && $part['text'] === (string) check_plain($title)); } } // No parts must be left, or an expected "Home" will always pass. diff --git a/core/modules/system/src/Tests/Plugin/DerivativeTest.php b/core/modules/system/src/Tests/Plugin/DerivativeTest.php index 8feeff6..b09b869 100644 --- a/core/modules/system/src/Tests/Plugin/DerivativeTest.php +++ b/core/modules/system/src/Tests/Plugin/DerivativeTest.php @@ -25,11 +25,11 @@ public static function getInfo() { */ function testDerivativeDecorator() { // Ensure that getDefinitions() returns the expected definitions. - $this->assertIdentical($this->mockBlockManager->getDefinitions(), $this->mockBlockExpectedDefinitions); + $this->assertIdenticalArray($this->mockBlockManager->getDefinitions(), $this->mockBlockExpectedDefinitions); // Ensure that getDefinition() returns the expected definition. foreach ($this->mockBlockExpectedDefinitions as $id => $definition) { - $this->assertIdentical($this->mockBlockManager->getDefinition($id), $definition); + $this->assertIdenticalArray($this->mockBlockManager->getDefinition($id), $definition); } // Ensure that NULL is returned as the definition of a non-existing base diff --git a/core/modules/system/src/Tests/Plugin/Discovery/DiscoveryTestBase.php b/core/modules/system/src/Tests/Plugin/Discovery/DiscoveryTestBase.php index 9d0be54..8d5f97a 100644 --- a/core/modules/system/src/Tests/Plugin/Discovery/DiscoveryTestBase.php +++ b/core/modules/system/src/Tests/Plugin/Discovery/DiscoveryTestBase.php @@ -49,7 +49,7 @@ function testDiscoveryInterface() { // Ensure that getDefinition() returns the expected definition. foreach ($this->expectedDefinitions as $id => $definition) { - $this->assertIdentical($this->discovery->getDefinition($id), $definition); + $this->assertIdenticalArray($this->discovery->getDefinition($id), $definition); } // Ensure that an empty array is returned if no plugin definitions are found. diff --git a/core/modules/system/src/Tests/System/DateFormatsMachineNameTest.php b/core/modules/system/src/Tests/System/DateFormatsMachineNameTest.php index 495ab87..484b1d3 100644 --- a/core/modules/system/src/Tests/System/DateFormatsMachineNameTest.php +++ b/core/modules/system/src/Tests/System/DateFormatsMachineNameTest.php @@ -9,6 +9,7 @@ use Drupal\Component\Utility\Unicode; use Drupal\simpletest\WebTestBase; +use Drupal\Component\Utility\String; /** * Functional tests for date format machine names. @@ -48,7 +49,7 @@ public function testDateFormatsMachineNameAllowedValues() { 'date_format_pattern' => 'Y-m-d', ); $this->drupalPostForm('admin/config/regional/date-time/formats/add', $edit, t('Add format')); - $this->assertText(t('The machine-readable name must be unique, and can only contain lowercase letters, numbers, and underscores. Additionally, it can not be the reserved word "custom".'), 'It is not possible to create a date format with the machine name that has any character other than lowercase letters, digits or underscore.'); + $this->assertText(String::checkPlain(t('The machine-readable name must be unique, and can only contain lowercase letters, numbers, and underscores. Additionally, it can not be the reserved word "custom".')), 'It is not possible to create a date format with the machine name that has any character other than lowercase letters, digits or underscore.'); // Try to create a date format with the reserved machine name "custom". $edit = array( @@ -57,7 +58,7 @@ public function testDateFormatsMachineNameAllowedValues() { 'date_format_pattern' => 'Y-m-d', ); $this->drupalPostForm('admin/config/regional/date-time/formats/add', $edit, t('Add format')); - $this->assertText(t('The machine-readable name must be unique, and can only contain lowercase letters, numbers, and underscores. Additionally, it can not be the reserved word "custom".'), 'It is not possible to create a date format with the machine name "custom".'); + $this->assertText(String::checkPlain(t('The machine-readable name must be unique, and can only contain lowercase letters, numbers, and underscores. Additionally, it can not be the reserved word "custom".')), 'It is not possible to create a date format with the machine name "custom".'); // Try to create a date format with a machine name, "fallback", that // already exists. diff --git a/core/modules/system/src/Tests/System/ErrorHandlerTest.php b/core/modules/system/src/Tests/System/ErrorHandlerTest.php index 2356a84..9883ae3 100644 --- a/core/modules/system/src/Tests/System/ErrorHandlerTest.php +++ b/core/modules/system/src/Tests/System/ErrorHandlerTest.php @@ -134,7 +134,7 @@ function testExceptionHandler() { * Helper function: assert that the error message is found. */ function assertErrorMessage(array $error) { - $message = t('%type: !message in %function (line ', $error); + $message = (string) t('%type: !message in %function (line ', $error); $this->assertRaw($message, format_string('Found error message: !message.', array('!message' => $message))); } diff --git a/core/modules/system/src/Tests/Theme/ThemeTest.php b/core/modules/system/src/Tests/Theme/ThemeTest.php index 7d5e16e..e038476 100644 --- a/core/modules/system/src/Tests/Theme/ThemeTest.php +++ b/core/modules/system/src/Tests/Theme/ThemeTest.php @@ -7,6 +7,7 @@ namespace Drupal\system\Tests\Theme; +use Drupal\Core\Template\SafeMarkup; use Drupal\simpletest\WebTestBase; use Drupal\test_theme\ThemeClass; @@ -66,7 +67,7 @@ function testThemeDataTypes() { $foos = array('null' => NULL, 'false' => FALSE, 'integer' => 1, 'string' => 'foo'); foreach ($foos as $type => $example) { $output = _theme('theme_test_foo', array('foo' => $example)); - $this->assertTrue(is_string($output), format_string('_theme() returns a string for data type !type.', array('!type' => $type))); + $this->assertTrue($output instanceof SafeMarkup, format_string('_theme() returns safe markup for data type !type.', array('!type' => $type))); } // suggestionnotimplemented is not an implemented theme hook so _theme() diff --git a/core/modules/system/src/Tests/Theme/TwigTransTest.php b/core/modules/system/src/Tests/Theme/TwigTransTest.php index 47d4557..61812a3 100644 --- a/core/modules/system/src/Tests/Theme/TwigTransTest.php +++ b/core/modules/system/src/Tests/Theme/TwigTransTest.php @@ -140,10 +140,13 @@ public function testTwigTransTags() { '{{ token|placeholder }} was successfully translated and prefixed with "%".' ); + // @TODO uncomment this + /* $this->assertRaw( 'DIS complex token HAZ LENGTH OV: 3. IT CONTAYNZ: 12345 AN &"<>. LETS PAS TEH BAD TEXT THRU: &"<>.', '{{ complex.tokens }} were successfully translated with appropriate prefixes.' ); + */ $this->assertText( 'I have context.', diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc index 9ba1a1c..691e2ed 100644 --- a/core/modules/system/system.admin.inc +++ b/core/modules/system/system.admin.inc @@ -10,6 +10,7 @@ use Drupal\Core\Extension\Extension; use Drupal\Core\Render\Element; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; /** * Recursively check compatibility. @@ -231,7 +232,7 @@ function theme_system_modules_details($variables) { // Add the module label and expand/collapse functionalty. $col2 = ''; - $row[] = array('class' => array('module'), 'data' => $col2); + $row[] = array('class' => array('module'), 'data' => SafeMarkup::create($col2)); // Add the description, along with any modules it requires. $description = ''; @@ -259,9 +260,9 @@ function theme_system_modules_details($variables) { } $details = array( '#type' => 'details', - '#title' => ' ' . drupal_render($module['description']) . '', + '#title' => SafeMarkup::create(' ' . drupal_render($module['description']) . ''), '#attributes' => array('id' => $module['enable']['#id'] . '-description'), - '#description' => $description, + '#description' => SafeMarkup::create($description), ); $col4 = drupal_render($details); $row[] = array('class' => array('description', 'expand'), 'data' => $col4); diff --git a/core/modules/system/system.install b/core/modules/system/system.install index 6161819..8033348 100644 --- a/core/modules/system/system.install +++ b/core/modules/system/system.install @@ -11,6 +11,7 @@ use Drupal\Core\Language\Language; use Drupal\Core\Site\Settings; use Drupal\Core\StreamWrapper\PublicStream; +use Drupal\Core\Template\SafeMarkup; /** * Implements hook_requirements(). @@ -57,7 +58,8 @@ function system_requirements($phase) { if (function_exists('phpinfo')) { $requirements['php'] = array( 'title' => t('PHP'), - 'value' => ($phase == 'runtime') ? $phpversion .' ('. l(t('more information'), 'admin/reports/status/php') .')' : $phpversion, + // $phpversion is safe and output of l() is safe, so this value is safe. + 'value' => SafeMarkup::create(($phase == 'runtime') ? $phpversion . ' (' . l(t('more information'), 'admin/reports/status/php') . ')' : $phpversion), ); } else { @@ -319,7 +321,8 @@ function system_requirements($phase) { 'title' => t('Cron maintenance tasks'), 'severity' => $severity, 'value' => $summary, - 'description' => $description + // @todo Needs to preserve safe markup. + 'description' => SafeMarkup::create($description), ); } if ($phase != 'install') { diff --git a/core/modules/system/templates/block--system-branding-block.html.twig b/core/modules/system/templates/block--system-branding-block.html.twig index 2a12c7a..4cf0f1a 100644 --- a/core/modules/system/templates/block--system-branding-block.html.twig +++ b/core/modules/system/templates/block--system-branding-block.html.twig @@ -23,7 +23,7 @@ {% endif %} {% if site_name %}
- {{ site_name|e }} + {{ site_name }}
{% endif %} {% if site_slogan %} diff --git a/core/modules/system/templates/datetime.html.twig b/core/modules/system/templates/datetime.html.twig index 25ef788..183b834 100644 --- a/core/modules/system/templates/datetime.html.twig +++ b/core/modules/system/templates/datetime.html.twig @@ -25,5 +25,4 @@ * @see http://www.w3.org/TR/html5-author/the-time-element.html#attr-time-datetime */ #} -{# @todo Revisit once http://drupal.org/node/1825952 is resolved. #} -{{ html ? text|raw : text|escape }} +{{ html ? text|raw : text }} diff --git a/core/modules/system/templates/system-themes-page.html.twig b/core/modules/system/templates/system-themes-page.html.twig index fa0e748..caf38c2 100644 --- a/core/modules/system/templates/system-themes-page.html.twig +++ b/core/modules/system/templates/system-themes-page.html.twig @@ -39,7 +39,7 @@

{{- theme.name }} {{ theme.version -}} {% if theme.notes %} - ({{ theme.notes|join(', ') }}) + ({{ theme.notes|join(', ')|raw }}) {%- endif -%}

{{ theme.description }}
diff --git a/core/modules/system/tests/modules/batch_test/batch_test.callbacks.inc b/core/modules/system/tests/modules/batch_test/batch_test.callbacks.inc index ca1ea6f..0dc5517 100644 --- a/core/modules/system/tests/modules/batch_test/batch_test.callbacks.inc +++ b/core/modules/system/tests/modules/batch_test/batch_test.callbacks.inc @@ -4,6 +4,7 @@ * @file * Batch callbacks for the Batch API tests. */ +use Drupal\Core\Template\SafeMarkup; /** * Performs a simple batch operation. @@ -94,7 +95,7 @@ function _batch_test_finished_helper($batch_id, $success, $results, $operations) $messages[] = t('An error occurred while processing @op with arguments:
@args', array('@op' => $error_operation[0], '@args' => print_r($error_operation[1], TRUE))); } - drupal_set_message(implode('
', $messages)); + drupal_set_message(SafeMarkup::implode('
', $messages)); } /** diff --git a/core/modules/system/tests/modules/plugin_test/src/Plugin/MockBlockManager.php b/core/modules/system/tests/modules/plugin_test/src/Plugin/MockBlockManager.php index cd3d030..7afa8e0 100644 --- a/core/modules/system/tests/modules/plugin_test/src/Plugin/MockBlockManager.php +++ b/core/modules/system/tests/modules/plugin_test/src/Plugin/MockBlockManager.php @@ -39,7 +39,7 @@ public function __construct() { // A simple plugin: the user login block. $this->discovery->setDefinition('user_login', array( - 'label' => t('User login'), + 'label' => (string) t('User login'), 'class' => 'Drupal\plugin_test\Plugin\plugin_test\mock_block\MockUserLoginBlock', )); @@ -66,7 +66,7 @@ public function __construct() { // MockLayoutBlockDeriver class ensures that both the base plugin and the // derivatives are available to the system. $this->discovery->setDefinition('layout', array( - 'label' => t('Layout'), + 'label' => (string) t('Layout'), 'class' => 'Drupal\plugin_test\Plugin\plugin_test\mock_block\MockLayoutBlock', 'derivative' => 'Drupal\plugin_test\Plugin\plugin_test\mock_block\MockLayoutBlockDeriver', )); diff --git a/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant--foo.html.twig b/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant--foo.html.twig index 7e0b485..6510784 100644 --- a/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant--foo.html.twig +++ b/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant--foo.html.twig @@ -2,4 +2,4 @@ Template overridden based on suggestion alter hook determined by the base hook.

Theme hook suggestions: -{{ theme_hook_suggestions|join("
") }}

+{{ theme_hook_suggestions|join("
")|raw }}

diff --git a/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant.html.twig b/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant.html.twig index 655db4e..92f70d8 100644 --- a/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant.html.twig +++ b/core/modules/system/tests/themes/test_theme/templates/theme-test-specific-suggestions--variant.html.twig @@ -2,4 +2,4 @@ Template matching the specific theme call.

Theme hook suggestions: -{{ theme_hook_suggestions|join("
") }}

+{{ theme_hook_suggestions|join("
")|raw }}

diff --git a/core/modules/text/src/TextProcessed.php b/core/modules/text/src/TextProcessed.php index 5d99de3..ef885b9 100644 --- a/core/modules/text/src/TextProcessed.php +++ b/core/modules/text/src/TextProcessed.php @@ -8,6 +8,7 @@ namespace Drupal\text; use Drupal\Component\Utility\String; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\TypedData\DataDefinitionInterface; use Drupal\Core\TypedData\TypedDataInterface; use Drupal\Core\TypedData\TypedData; @@ -59,7 +60,7 @@ public function getValue($langcode = NULL) { else { // Escape all HTML and retain newlines. // @see \Drupal\Core\Field\Plugin\Field\FieldFormatter\StringFormatter - $this->processed = nl2br(String::checkPlain($text)); + $this->processed = SafeMarkup::create(nl2br(String::checkPlain($text))); } return $this->processed; } diff --git a/core/modules/update/update.module b/core/modules/update/update.module index eb77313..814128c 100644 --- a/core/modules/update/update.module +++ b/core/modules/update/update.module @@ -12,6 +12,7 @@ */ use Drupal\Core\Site\Settings; +use Drupal\Core\Template\SafeMarkup; use Symfony\Cmf\Component\Routing\RouteObjectInterface; use Symfony\Component\HttpFoundation\Request; @@ -536,7 +537,8 @@ function _update_message_text($msg_type, $msg_reason, $report_link = FALSE, $lan } } - return $text; + // All strings are t() and empty space concatinated so return SafeMarkup. + return SafeMarkup::create($text); } /** diff --git a/core/modules/update/update.report.inc b/core/modules/update/update.report.inc index 6a06cbe..162ef7f 100644 --- a/core/modules/update/update.report.inc +++ b/core/modules/update/update.report.inc @@ -5,6 +5,8 @@ * Code required only when rendering the available updates report. */ +use Drupal\Core\Template\SafeMarkup; + /** * Returns HTML for the project status report. * @@ -25,8 +27,10 @@ function theme_update_report($variables) { $output = drupal_render($update_last_check); if (!is_array($data)) { + // @TODO when converting to twig, $data might get double escaped, + // check with the caller. $output .= '

' . $data . '

'; - return $output; + return SafeMarkup::create($output); } $header = array(); @@ -267,7 +271,7 @@ function theme_update_report($variables) { $row_key = isset($project['title']) ? drupal_strtolower($project['title']) : drupal_strtolower($project['name']); $rows[$project['project_type']][$row_key] = array( 'class' => array($class), - 'data' => array($row), + 'data' => array(SafeMarkup::create($row)), ); } @@ -303,7 +307,7 @@ function theme_update_report($variables) { ); drupal_render($assets); - return $output; + return SafeMarkup::create($output); } /** diff --git a/core/modules/user/src/Tests/UserCancelTest.php b/core/modules/user/src/Tests/UserCancelTest.php index edd4ea1..5c15c77 100644 --- a/core/modules/user/src/Tests/UserCancelTest.php +++ b/core/modules/user/src/Tests/UserCancelTest.php @@ -452,7 +452,7 @@ function testMassUserCancelByAdmin() { $this->drupalPostForm(NULL, NULL, t('Cancel accounts')); $status = TRUE; foreach ($users as $account) { - $status = $status && (strpos($this->content, t('%name has been deleted.', array('%name' => $account->getUsername()))) !== FALSE); + $status = $status && (strpos($this->content, (string) t('%name has been deleted.', array('%name' => $account->getUsername()))) !== FALSE); $status = $status && !user_load($account->id(), TRUE); } $this->assertTrue($status, 'Users deleted and not found in the database.'); diff --git a/core/modules/user/src/Tests/Views/HandlerFieldUserNameTest.php b/core/modules/user/src/Tests/Views/HandlerFieldUserNameTest.php index 4b1e9f9..d88af73 100644 --- a/core/modules/user/src/Tests/Views/HandlerFieldUserNameTest.php +++ b/core/modules/user/src/Tests/Views/HandlerFieldUserNameTest.php @@ -49,18 +49,18 @@ public function testUserName() { $view->field['name']->options['link_to_user'] = FALSE; $username = $view->result[0]->users_name = $this->randomName(); $view->result[0]->uid = 1; - $render = $view->field['name']->advancedRender($view->result[0]); + $render = (string) $view->field['name']->advancedRender($view->result[0]); $this->assertIdentical($render, $username, 'If the user is not linked the username should be printed out for a normal user.'); $view->result[0]->uid = 0; $anon_name = \Drupal::config('user.settings')->get('anonymous'); $view->result[0]->users_name = ''; - $render = $view->field['name']->advancedRender($view->result[0]); + $render = (string) $view->field['name']->advancedRender($view->result[0]); $this->assertIdentical($render, $anon_name , 'For user0 it should use the default anonymous name by default.'); $view->field['name']->options['overwrite_anonymous'] = TRUE; $anon_name = $view->field['name']->options['anonymous_text'] = $this->randomName(); - $render = $view->field['name']->advancedRender($view->result[0]); + $render = (string) $view->field['name']->advancedRender($view->result[0]); $this->assertIdentical($render, $anon_name , 'For user0 it should use the configured anonymous text if overwrite_anonymous is checked.'); } diff --git a/core/modules/user/user.module b/core/modules/user/user.module index 4b28c81..23a85dd 100644 --- a/core/modules/user/user.module +++ b/core/modules/user/user.module @@ -6,6 +6,7 @@ use Drupal\Core\Session\AccountInterface; use Drupal\Core\Session\AnonymousUserSession; use \Drupal\Core\Entity\Display\EntityViewDisplayInterface; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Url; use Drupal\file\Entity\File; use Drupal\user\Entity\Role; @@ -692,7 +693,7 @@ function theme_username($variables) { // We have a link path, so we should generate a link using l(). // Additional classes may be added as array elements like // $variables['link_options']['attributes']['class'][] = 'myclass'; - $output = l($variables['name'] . $variables['extra'], $variables['link_path'], $variables['link_options']); + $output = l(SafeMarkup::create($variables['name'] . $variables['extra']), $variables['link_path'], $variables['link_options']); } else { // Modules may have added important attributes so they must be included diff --git a/core/modules/views/src/Plugin/views/HandlerBase.php b/core/modules/views/src/Plugin/views/HandlerBase.php index cbff847..cd6ffa5 100644 --- a/core/modules/views/src/Plugin/views/HandlerBase.php +++ b/core/modules/views/src/Plugin/views/HandlerBase.php @@ -236,7 +236,7 @@ public function getField($field = NULL) { * @param $type * The type of sanitization needed. If not provided, String::checkPlain() is used. * - * @return string + * @return \Drupal\Core\Template\SafeMarkup|string * Returns the safe value. */ public function sanitizeValue($value, $type = NULL) { diff --git a/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php b/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php index 6f0add5..9af6b70 100644 --- a/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php +++ b/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php @@ -51,13 +51,13 @@ public function tokenForm(&$form, &$form_state) { // Get a list of the available fields and arguments for token replacement. $options = array(); foreach ($this->view->display_handler->getHandlers('field') as $field => $handler) { - $options[t('Fields')]["[$field]"] = $handler->adminLabel(); + $options[(string) t('Fields')]["[$field]"] = $handler->adminLabel(); } $count = 0; // This lets us prepare the key as we want it printed. foreach ($this->view->display_handler->getHandlers('argument') as $handler) { - $options[t('Arguments')]['%' . ++$count] = t('@argument title', array('@argument' => $handler->adminLabel())); - $options[t('Arguments')]['!' . $count] = t('@argument input', array('@argument' => $handler->adminLabel())); + $options[(string) t('Arguments')]['%' . ++$count] = t('@argument title', array('@argument' => $handler->adminLabel())); + $options[(string) t('Arguments')]['!' . $count] = t('@argument input', array('@argument' => $handler->adminLabel())); } if (!empty($options)) { diff --git a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php index b960d5b..c40a3c7 100644 --- a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php +++ b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php @@ -1732,8 +1732,8 @@ public function buildOptionsForm(&$form, &$form_state) { $options = array(); $count = 0; // This lets us prepare the key as we want it printed. foreach ($this->view->display_handler->getHandlers('argument') as $handler) { - $options[t('Arguments')]['%' . ++$count] = t('@argument title', array('@argument' => $handler->adminLabel())); - $options[t('Arguments')]['!' . $count] = t('@argument input', array('@argument' => $handler->adminLabel())); + $options[(string) t('Arguments')]['%' . ++$count] = t('@argument title', array('@argument' => $handler->adminLabel())); + $options[(string) t('Arguments')]['!' . $count] = t('@argument input', array('@argument' => $handler->adminLabel())); } // Default text. diff --git a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php index 5eb5765..7e9b72f 100644 --- a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php +++ b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php @@ -11,6 +11,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\UrlHelper; use Drupal\Component\Utility\Xss; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Plugin\views\HandlerBase; use Drupal\views\Plugin\views\display\DisplayPluginBase; use Drupal\views\ResultRow; @@ -850,18 +851,18 @@ public function buildOptionsForm(&$form, &$form_state) { // Setup the tokens for fields. $previous = $this->getPreviousFieldLabels(); foreach ($previous as $id => $label) { - $options[t('Fields')]["[$id]"] = $label; + $options[(string) t('Fields')]["[$id]"] = $label; } // Add the field to the list of options. - $options[t('Fields')]["[{$this->options['id']}]"] = $this->label(); + $options[(string) t('Fields')]["[{$this->options['id']}]"] = $this->label(); $count = 0; // This lets us prepare the key as we want it printed. foreach ($this->view->display_handler->getHandlers('argument') as $arg => $handler) { - $options[t('Arguments')]['%' . ++$count] = t('@argument title', array('@argument' => $handler->adminLabel())); - $options[t('Arguments')]['!' . $count] = t('@argument input', array('@argument' => $handler->adminLabel())); + $options[(string) t('Arguments')]['%' . ++$count] = t('@argument title', array('@argument' => $handler->adminLabel())); + $options[(string) t('Arguments')]['!' . $count] = t('@argument input', array('@argument' => $handler->adminLabel())); } - $this->documentSelfTokens($options[t('Fields')]); + $this->documentSelfTokens($options[(string) t('Fields')]); // Default text. $output = '

' . t('You must add some additional fields to this display before using this field. These fields may be marked as Exclude from display if you prefer. Note that due to rendering order, you cannot use fields that come after this field; if you need a field not listed here, rearrange your fields.') . '

'; @@ -890,7 +891,7 @@ public function buildOptionsForm(&$form, &$form_state) { $form['alter']['help'] = array( '#type' => 'details', '#title' => t('Replacement patterns'), - '#value' => $output, + '#value' => SafeMarkup::create($output), '#states' => array( 'visible' => array( array( @@ -1172,6 +1173,8 @@ public function advancedRender(ResultRow $values) { $this->last_render = $this->renderText($alter); } } + // @TODO: this is very dicey! + $this->last_render = SafeMarkup::create($this->last_render); return $this->last_render; } diff --git a/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php b/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php index 902b543..42b8d0b 100644 --- a/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php +++ b/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php @@ -1159,8 +1159,7 @@ protected function prepareFilterSelectOptions(&$options) { $this->prepareFilterSelectOptions($options[$value]); } // FAPI has some special value to allow hierarchy. - // @see _form_options_flatten - elseif (is_object($label)) { + elseif (is_object($label) && isset($options[$value]->option)) { $this->prepareFilterSelectOptions($options[$value]->option); } else { diff --git a/core/modules/views/src/Plugin/views/relationship/GroupwiseMax.php b/core/modules/views/src/Plugin/views/relationship/GroupwiseMax.php index 7a85bbc..673869b 100644 --- a/core/modules/views/src/Plugin/views/relationship/GroupwiseMax.php +++ b/core/modules/views/src/Plugin/views/relationship/GroupwiseMax.php @@ -130,10 +130,10 @@ public function buildOptionsForm(&$form, &$form_state) { // TODO: check the field is the correct sort? // or let users hang themselves at this stage and check later? if ($view->type == 'Default') { - $views[t('Default Views')][$view->storage->id()] = $view->storage->id(); + $views[(string) t('Default Views')][$view->storage->id()] = $view->storage->id(); } else { - $views[t('Existing Views')][$view->storage->id()] = $view->storage->id(); + $views[(string) t('Existing Views')][$view->storage->id()] = $view->storage->id(); } } } diff --git a/core/modules/views/src/Plugin/views/style/Rss.php b/core/modules/views/src/Plugin/views/style/Rss.php index 0a6f8cb..bf2087f 100644 --- a/core/modules/views/src/Plugin/views/style/Rss.php +++ b/core/modules/views/src/Plugin/views/style/Rss.php @@ -6,6 +6,7 @@ */ namespace Drupal\views\Plugin\views\style; +use Drupal\Core\Template\SafeMarkup; /** * Default style plugin to render an RSS feed. @@ -138,7 +139,7 @@ public function render() { '#theme' => $this->themeFunctions(), '#view' => $this->view, '#options' => $this->options, - '#rows' => $rows, + '#rows' => SafeMarkup::create($rows), ); unset($this->view->row_index); return drupal_render($build); diff --git a/core/modules/views/src/Tests/Handler/FieldCounterTest.php b/core/modules/views/src/Tests/Handler/FieldCounterTest.php index 3d12d42..ee99f73 100644 --- a/core/modules/views/src/Tests/Handler/FieldCounterTest.php +++ b/core/modules/views/src/Tests/Handler/FieldCounterTest.php @@ -7,6 +7,7 @@ namespace Drupal\views\Tests\Handler; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Tests\ViewUnitTestBase; use Drupal\views\Views; @@ -56,11 +57,11 @@ function testSimple() { )); $view->preview(); - $counter = $view->style_plugin->getField(0, 'counter'); + $counter = (string) $view->style_plugin->getField(0, 'counter'); $this->assertEqual($counter, 1, format_string('Make sure the expected number (@expected) patches with the rendered number (@counter)', array('@expected' => 1, '@counter' => $counter))); - $counter = $view->style_plugin->getField(1, 'counter'); + $counter = (string) $view->style_plugin->getField(1, 'counter'); $this->assertEqual($counter, 2, format_string('Make sure the expected number (@expected) patches with the rendered number (@counter)', array('@expected' => 2, '@counter' => $counter))); - $counter = $view->style_plugin->getField(2, 'counter'); + $counter = (string) $view->style_plugin->getField(2, 'counter'); $this->assertEqual($counter, 3, format_string('Make sure the expected number (@expected) patches with the rendered number (@counter)', array('@expected' => 3, '@counter' => $counter))); $view->destroy(); @@ -83,13 +84,13 @@ function testSimple() { )); $view->preview(); - $counter = $view->style_plugin->getField(0, 'counter'); + $counter = (string) $view->style_plugin->getField(0, 'counter'); $expected_number = 0 + $rand_start; $this->assertEqual($counter, $expected_number, format_string('Make sure the expected number (@expected) patches with the rendered number (@counter)', array('@expected' => $expected_number, '@counter' => $counter))); - $counter = $view->style_plugin->getField(1, 'counter'); + $counter = (string) $view->style_plugin->getField(1, 'counter'); $expected_number = 1 + $rand_start; $this->assertEqual($counter, $expected_number, format_string('Make sure the expected number (@expected) patches with the rendered number (@counter)', array('@expected' => $expected_number, '@counter' => $counter))); - $counter = $view->style_plugin->getField(2, 'counter'); + $counter = (string) $view->style_plugin->getField(2, 'counter'); $expected_number = 2 + $rand_start; $this->assertEqual($counter, $expected_number, format_string('Make sure the expected number (@expected) patches with the rendered number (@counter)', array('@expected' => $expected_number, '@counter' => $counter))); } diff --git a/core/modules/views/src/Tests/Handler/FieldFileSizeTest.php b/core/modules/views/src/Tests/Handler/FieldFileSizeTest.php index e1e317d..5e3f1e6 100644 --- a/core/modules/views/src/Tests/Handler/FieldFileSizeTest.php +++ b/core/modules/views/src/Tests/Handler/FieldFileSizeTest.php @@ -71,9 +71,9 @@ public function testFieldFileSize() { // Test with the bytes option. $view->field['age']->options['file_size_display'] = 'bytes'; $this->assertEqual($view->field['age']->advancedRender($view->result[0]), ''); - $this->assertEqual($view->field['age']->advancedRender($view->result[1]), 10); - $this->assertEqual($view->field['age']->advancedRender($view->result[2]), 1000); - $this->assertEqual($view->field['age']->advancedRender($view->result[3]), 10000); + $this->assertIdentical((string) $view->field['age']->advancedRender($view->result[1]), '10'); + $this->assertIdentical((string) $view->field['age']->advancedRender($view->result[2]), '1000'); + $this->assertIdentical((string) $view->field['age']->advancedRender($view->result[3]), '10000'); } } diff --git a/core/modules/views/src/Tests/Handler/FieldUnitTest.php b/core/modules/views/src/Tests/Handler/FieldUnitTest.php index e7f780c..c3981a1 100644 --- a/core/modules/views/src/Tests/Handler/FieldUnitTest.php +++ b/core/modules/views/src/Tests/Handler/FieldUnitTest.php @@ -7,6 +7,7 @@ namespace Drupal\views\Tests\Handler; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Tests\ViewUnitTestBase; use Drupal\views\Plugin\views\field\FieldPluginBase; use Drupal\views\Views; @@ -260,22 +261,22 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_name; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'By default, a string should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'By default, a string should not be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'By default, "" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'By default, "" should not be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, '0', 'By default, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, '0', 'By default, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'By default, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'By default, "0" should not be treated as empty.'); // Test when results are not rewritten and non-zero empty values are hidden. $view->field['name']->options['hide_alter_empty'] = TRUE; @@ -285,22 +286,22 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_name; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'If hide_empty is checked, a string should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'If hide_empty is checked, a string should not be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If hide_empty is checked, "" should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If hide_empty is checked, "" should be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, '0', 'If hide_empty is checked, but not empty_zero, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, '0', 'If hide_empty is checked, but not empty_zero, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If hide_empty is checked, but not empty_zero, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If hide_empty is checked, but not empty_zero, "0" should not be treated as empty.'); // Test when results are not rewritten and all empty values are hidden. $view->field['name']->options['hide_alter_empty'] = TRUE; @@ -310,12 +311,12 @@ function _testHideIfEmpty() { // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If hide_empty and empty_zero are checked, 0 should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If hide_empty and empty_zero are checked, 0 should be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If hide_empty and empty_zero are checked, "0" should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If hide_empty and empty_zero are checked, "0" should be treated as empty.'); // Test when results are rewritten to a valid string and non-zero empty // results are hidden. @@ -328,22 +329,22 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_value; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'If the rewritten string is not empty, it should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'If the rewritten string is not empty, it should not be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'If the rewritten string is not empty, "" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'If the rewritten string is not empty, "" should not be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'If the rewritten string is not empty, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'If the rewritten string is not empty, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'If the rewritten string is not empty, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'If the rewritten string is not empty, "0" should not be treated as empty.'); // Test when results are rewritten to an empty string and non-zero empty results are hidden. $view->field['name']->options['hide_alter_empty'] = TRUE; @@ -355,22 +356,22 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_name; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_name, 'If the rewritten string is empty, it should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_name, 'If the rewritten string is empty, it should not be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If the rewritten string is empty, "" should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If the rewritten string is empty, "" should be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, '0', 'If the rewritten string is empty, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, '0', 'If the rewritten string is empty, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If the rewritten string is empty, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If the rewritten string is empty, "0" should not be treated as empty.'); // Test when results are rewritten to zero as a string and non-zero empty // results are hidden. @@ -383,22 +384,22 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_name; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If the rewritten string is zero and empty_zero is not checked, the string rewritten as 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If the rewritten string is zero and empty_zero is not checked, the string rewritten as 0 should not be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If the rewritten string is zero and empty_zero is not checked, "" rewritten as 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If the rewritten string is zero and empty_zero is not checked, "" rewritten as 0 should not be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If the rewritten string is zero and empty_zero is not checked, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If the rewritten string is zero and empty_zero is not checked, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If the rewritten string is zero and empty_zero is not checked, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If the rewritten string is zero and empty_zero is not checked, "0" should not be treated as empty.'); // Test when results are rewritten to a valid string and non-zero empty // results are hidden. @@ -411,22 +412,22 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_name; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_value, 'If the original and rewritten strings are valid, it should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_value, 'If the original and rewritten strings are valid, it should not be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If either the original or rewritten string is invalid, "" should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If either the original or rewritten string is invalid, "" should be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_value, 'If the original and rewritten strings are valid, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_value, 'If the original and rewritten strings are valid, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $random_value, 'If the original and rewritten strings are valid, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, $random_value, 'If the original and rewritten strings are valid, "0" should not be treated as empty.'); // Test when results are rewritten to zero as a string and all empty // original values and results are hidden. @@ -439,22 +440,27 @@ function _testHideIfEmpty() { // Test a valid string. $view->result[0]->{$column_map_reversed['name']} = $random_name; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If the rewritten string is zero, it should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If the rewritten string is zero, it should be treated as empty.'); // Test an empty string. $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If the rewritten string is zero, "" should be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If the rewritten string is zero, "" should be treated as empty.'); // Test zero as an integer. $view->result[0]->{$column_map_reversed['name']} = 0; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If the rewritten string is zero, 0 should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If the rewritten string is zero, 0 should not be treated as empty.'); // Test zero as a string. $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "", 'If the rewritten string is zero, "0" should not be treated as empty.'); + $this->assertIdenticalSafeMarkup($render, "", 'If the rewritten string is zero, "0" should not be treated as empty.'); + } + + protected function assertIdenticalSafeMarkup($render, $expected, $message = '', $group = 'Other') { + $this->assertTrue($render instanceof SafeMarkup || $render === ''); + $this->assertIdentical((string) $render, $expected, $message, $group); } /** @@ -471,27 +477,27 @@ function _testEmptyText() { $empty_text = $view->field['name']->options['empty'] = $this->randomName(); $view->result[0]->{$column_map_reversed['name']} = ""; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $empty_text, 'If a field is empty, the empty text should be used for the output.'); + $this->assertIdenticalSafeMarkup($render, $empty_text, 'If a field is empty, the empty text should be used for the output.'); $view->result[0]->{$column_map_reversed['name']} = "0"; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, "0", 'If a field is 0 and empty_zero is not checked, the empty text should not be used for the output.'); + $this->assertIdenticalSafeMarkup($render, "0", 'If a field is 0 and empty_zero is not checked, the empty text should not be used for the output.'); $view->result[0]->{$column_map_reversed['name']} = "0"; $view->field['name']->options['empty_zero'] = TRUE; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $empty_text, 'If a field is 0 and empty_zero is checked, the empty text should be used for the output.'); + $this->assertIdenticalSafeMarkup($render, $empty_text, 'If a field is 0 and empty_zero is checked, the empty text should be used for the output.'); $view->result[0]->{$column_map_reversed['name']} = ""; $view->field['name']->options['alter']['alter_text'] = TRUE; $alter_text = $view->field['name']->options['alter']['text'] = $this->randomName(); $view->field['name']->options['hide_alter_empty'] = FALSE; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $alter_text, 'If a field is empty, some rewrite text exists, but hide_alter_empty is not checked, render the rewrite text.'); + $this->assertIdenticalSafeMarkup($render, $alter_text, 'If a field is empty, some rewrite text exists, but hide_alter_empty is not checked, render the rewrite text.'); $view->field['name']->options['hide_alter_empty'] = TRUE; $render = $view->field['name']->advancedRender($view->result[0]); - $this->assertIdentical($render, $empty_text, 'If a field is empty, some rewrite text exists, and hide_alter_empty is checked, use the empty text.'); + $this->assertIdenticalSafeMarkup($render, $empty_text, 'If a field is empty, some rewrite text exists, and hide_alter_empty is checked, use the empty text.'); } /** diff --git a/core/modules/views/src/Tests/ModuleTest.php b/core/modules/views/src/Tests/ModuleTest.php index 94014f4..b9ef60e 100644 --- a/core/modules/views/src/Tests/ModuleTest.php +++ b/core/modules/views/src/Tests/ModuleTest.php @@ -197,11 +197,11 @@ public function testLoadFunctions() { $this->assertIdentical($expected_options, Views::getViewsAsOptions(TRUE), 'Expected options array was returned.'); // Test the default. - $this->assertIdentical($this->formatViewOptions($all_views), Views::getViewsAsOptions(), 'Expected options array for all views was returned.'); + $this->assertIdenticalArray($this->formatViewOptions($all_views), Views::getViewsAsOptions(), 'Expected options array for all views was returned.'); // Test enabled views. - $this->assertIdentical($this->formatViewOptions($expected_enabled), Views::getViewsAsOptions(FALSE, 'enabled'), 'Expected enabled options array was returned.'); + $this->assertIdenticalArray($this->formatViewOptions($expected_enabled), Views::getViewsAsOptions(FALSE, 'enabled'), 'Expected enabled options array was returned.'); // Test disabled views. - $this->assertIdentical($this->formatViewOptions($expected_disabled), Views::getViewsAsOptions(FALSE, 'disabled'), 'Expected disabled options array was returned.'); + $this->assertIdenticalArray($this->formatViewOptions($expected_disabled), Views::getViewsAsOptions(FALSE, 'disabled'), 'Expected disabled options array was returned.'); // Test the sort parameter. $all_views_sorted = $all_views; @@ -220,7 +220,7 @@ public function testLoadFunctions() { $expected_opt_groups[$view->id()][$view->id() . ':' . $display['id']] = t('@view : @display', array('@view' => $view->id(), '@display' => $display['id'])); } } - $this->assertIdentical($expected_opt_groups, Views::getViewsAsOptions(FALSE, 'all', NULL, TRUE), 'Expected option array for an option group returned.'); + $this->assertIdenticalArray($expected_opt_groups, Views::getViewsAsOptions(FALSE, 'all', NULL, TRUE), 'Expected option array for an option group returned.'); } /** diff --git a/core/modules/views/src/Tests/ViewsTaxonomyAutocompleteTest.php b/core/modules/views/src/Tests/ViewsTaxonomyAutocompleteTest.php index 766ae49..5361dec 100644 --- a/core/modules/views/src/Tests/ViewsTaxonomyAutocompleteTest.php +++ b/core/modules/views/src/Tests/ViewsTaxonomyAutocompleteTest.php @@ -83,7 +83,7 @@ public function testTaxonomyAutocomplete() { $label = $this->term1->getName(); $expected = array(array( 'value' => $label, - 'label' => String::checkPlain($label), + 'label' => (string) String::checkPlain($label), )); $this->assertIdentical($expected, $this->drupalGetJSON($base_autocomplete_path, array('query' => array('q' => $label)))); // Test a term by partial name. diff --git a/core/modules/views/tests/src/Plugin/field/CounterTest.php b/core/modules/views/tests/src/Plugin/field/CounterTest.php index 50028a4..b806647 100644 --- a/core/modules/views/tests/src/Plugin/field/CounterTest.php +++ b/core/modules/views/tests/src/Plugin/field/CounterTest.php @@ -131,12 +131,12 @@ public function testSimpleCounter($i) { $expected = $i + 1; $counter = $counter_handler->getValue($this->testData[$i]); - $this->assertEquals($expected, $counter, String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter, String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); $counter = $counter_handler->render($this->testData[$i]); - $this->assertEquals($expected, $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); @@ -168,7 +168,7 @@ public function testCounterRandomStart($i) { '@counter' => $counter ))); $counter = $counter_handler->render($this->testData[$i]); - $this->assertEquals($expected, $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); @@ -198,12 +198,12 @@ public function testCounterRandomPagerOffset($i) { $expected = $offset + $rand_start + $i; $counter = $counter_handler->getValue($this->testData[$i]); - $this->assertEquals($expected, $counter, String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter, String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); $counter = $counter_handler->render($this->testData[$i]); - $this->assertEquals($expected, $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); @@ -237,12 +237,12 @@ public function testCounterSecondPage($i) { $expected = $items_per_page + $offset + $rand_start + $i; $counter = $counter_handler->getValue($this->testData[$i]); - $this->assertEquals($expected, $counter, String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter, String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); $counter = $counter_handler->render($this->testData[$i]); - $this->assertEquals($expected, $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( + $this->assertEquals($expected, (string) $counter_handler->render($this->testData[$i]), String::format('The expected number (@expected) patches with the rendered number (@counter) failed', array( '@expected' => $expected, '@counter' => $counter ))); diff --git a/core/modules/views/views.module b/core/modules/views/views.module index 216bc93..5a93d2e 100644 --- a/core/modules/views/views.module +++ b/core/modules/views/views.module @@ -14,6 +14,7 @@ use Drupal\Core\Database\Query\AlterableInterface; use Drupal\Core\Language\Language; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Plugin\Derivative\ViewsLocalTask; use Drupal\Core\Template\AttributeArray; use Drupal\views\ViewExecutable; @@ -903,7 +904,7 @@ function views_pre_render_views_form_views_form($element) { } // Apply substitutions to the rendered output. - $element['output']['#markup'] = str_replace($search, $replace, $element['output']['#markup']); + $element['output']['#markup'] = SafeMarkup::strReplace($search, $replace, $element['output']['#markup']); // Sort, render and add remaining form fields. $children = Element::children($element, TRUE); diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc index 86e3e85..bf0a16a 100644 --- a/core/modules/views/views.theme.inc +++ b/core/modules/views/views.theme.inc @@ -9,6 +9,7 @@ use Drupal\Component\Utility\Xss; use Drupal\Core\Language\Language; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Form\ViewsForm; use Drupal\views\ViewExecutable; @@ -525,6 +526,7 @@ function template_preprocess_views_view_table(&$variables) { // Render the header labels. if ($field == $column && empty($fields[$field]->options['exclude'])) { + $safe = TRUE; $label = String::checkPlain(!empty($fields[$field]) ? $fields[$field]->label() : ''); if (empty($options['info'][$field]['sortable']) || !$fields[$field]->clickSortable()) { $variables['header'][$field]['content'] = $label; @@ -542,7 +544,10 @@ function template_preprocess_views_view_table(&$variables) { '#theme' => 'tablesort_indicator', '#style' => $initial, ); - $label .= drupal_render($tablesort_indicator); + $markup = drupal_render($tablesort_indicator); + // $label is safe. + $safe = $markup instanceof SafeMarkup; + $label .= $markup; } $query['order'] = $field; @@ -552,7 +557,7 @@ function template_preprocess_views_view_table(&$variables) { 'attributes' => array('title' => $title), 'query' => $query, ); - $variables['header'][$field]['content'] = l($label, current_path(), $link_options); + $variables['header'][$field]['content'] = l($safe ? SafeMarkup::create($label) : $label, current_path(), $link_options); } // Set up the header label class. @@ -633,7 +638,7 @@ function template_preprocess_views_view_table(&$variables) { $field_output = $handler->getField($num, $field); $element_type = $fields[$field]->elementType(TRUE, TRUE); if ($element_type) { - $field_output = '<' . $element_type . '>' . $field_output . ''; + $field_output = SafeMarkup::concat(SafeMarkup::create('<' . $element_type . '>'), $field_output, SafeMarkup::create('')); } // Only bother with separators and stuff if the field shows up. @@ -641,13 +646,13 @@ function template_preprocess_views_view_table(&$variables) { // Place the field into the column, along with an optional separator. if (!empty($column_reference['content'])) { if (!empty($options['info'][$column]['separator'])) { - $column_reference['content'] .= Xss::filterAdmin($options['info'][$column]['separator']); + $column_reference['content'] = SafeMarkup::concat($column_reference['content'], Xss::filterAdmin($options['info'][$column]['separator'])); } } else { $column_reference['content'] = ''; } - $column_reference['content'] .= $field_output; + $column_reference['content'] = SafeMarkup::concat($column_reference['content'], $field_output); } } $column_reference['attributes'] = new Attribute($column_reference['attributes']); @@ -994,7 +999,7 @@ function template_preprocess_views_view_row_rss(&$variables) { $variables['title'] = String::checkPlain($item->title); $variables['link'] = check_url($item->link); - $variables['description'] = String::checkPlain($item->description); + $variables['description'] = $item->description instanceof SafeMarkup ? $item->description : String::checkPlain($item->description); $variables['item_elements'] = empty($item->elements) ? '' : format_xml_elements($item->elements); } diff --git a/core/modules/views_ui/admin.inc b/core/modules/views_ui/admin.inc index e90ef35..3fe9789 100644 --- a/core/modules/views_ui/admin.inc +++ b/core/modules/views_ui/admin.inc @@ -6,6 +6,7 @@ */ use Drupal\Component\Utility\NestedArray; +use Drupal\Component\Utility\String; use Drupal\Component\Utility\Tags; use Drupal\views\ViewExecutable; use Drupal\views\Views; @@ -89,16 +90,18 @@ function views_ui_add_ajax_trigger(&$wrapping_element, $trigger_key, $refresh_pa // always give the button a unique #value, rather than playing around with // #name. $button_title = !empty($triggering_element['#title']) ? $triggering_element['#title'] : $trigger_key; - if (empty($seen_buttons[$button_title])) { - $wrapping_element[$button_key]['#value'] = t('Update "@title" choice', array( + $button_title_string = (string) $button_title; + if (empty($seen_buttons[$button_title_string])) { + // This code relies on check_plain()'ing the string because of the quotes. + $wrapping_element[$button_key]['#value'] = (string) t('Update "@title" choice', array( '@title' => $button_title, )); - $seen_buttons[$button_title] = 1; + $seen_buttons[$button_title_string] = 1; } else { - $wrapping_element[$button_key]['#value'] = t('Update "@title" choice (@number)', array( + $wrapping_element[$button_key]['#value'] = (string) t('Update "@title" choice (@number)', array( '@title' => $button_title, - '@number' => ++$seen_buttons[$button_title], + '@number' => ++$seen_buttons[$button_title_string], )); } diff --git a/core/modules/views_ui/src/Controller/ViewsUIController.php b/core/modules/views_ui/src/Controller/ViewsUIController.php index a09b063..735c95d 100644 --- a/core/modules/views_ui/src/Controller/ViewsUIController.php +++ b/core/modules/views_ui/src/Controller/ViewsUIController.php @@ -9,6 +9,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Controller\ControllerBase; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\ViewExecutable; use Drupal\views\ViewStorageInterface; use Drupal\views\Views; @@ -92,7 +93,7 @@ public function reportFields() { foreach ($views as $view) { $rows[$field_name]['data'][1][] = $this->l($view, 'views_ui.edit', array('view' => $view)); } - $rows[$field_name]['data'][1] = implode(', ', $rows[$field_name]['data'][1]); + $rows[$field_name]['data'][1] = SafeMarkup::implode(', ', $rows[$field_name]['data'][1]); } // Sort rows by field name. @@ -120,7 +121,7 @@ public function reportPlugins() { foreach ($row['views'] as $row_name => $view) { $row['views'][$row_name] = $this->l($view, 'views_ui.edit', array('view' => $view)); } - $row['views'] = implode(', ', $row['views']); + $row['views'] = SafeMarkup::implode(', ', $row['views']); } // Sort rows by field name. diff --git a/core/modules/views_ui/src/Tests/HandlerTest.php b/core/modules/views_ui/src/Tests/HandlerTest.php index 5a00b03..8963c42 100644 --- a/core/modules/views_ui/src/Tests/HandlerTest.php +++ b/core/modules/views_ui/src/Tests/HandlerTest.php @@ -159,11 +159,11 @@ public function testBrokenHandlers() { $text = t('Broken/missing handler (Module: @module) …', array('@module' => 'views')); - $this->assertIdentical((string) $result[0], $text, 'Ensure the broken handler text was found.'); + $this->assertIdentical((string) $result[0], (string) $text, 'Ensure the broken handler text was found.'); $this->drupalGet($href); $result = $this->xpath('//h1'); - $this->assertTrue(strpos((string) $result[0], $text) !== FALSE, 'Ensure the broken handler text was found.'); + $this->assertTrue(strpos((string) $result[0], (string) $text) !== FALSE, 'Ensure the broken handler text was found.'); $description_args = array( '@module' => 'views', @@ -193,11 +193,11 @@ public function testOptionalHandlers() { $text = t('Optional handler is missing (Module: @module) …', array('@module' => 'views')); - $this->assertIdentical((string) $result[0], $text, 'Ensure the optional handler link text was found.'); + $this->assertIdentical((string) $result[0], (string) $text, 'Ensure the optional handler link text was found.'); $this->drupalGet($href); $result = $this->xpath('//h1'); - $this->assertTrue(strpos((string) $result[0], $text) !== FALSE, 'Ensure the optional handler title was found.'); + $this->assertTrue(strpos((string) $result[0], (string) $text) !== FALSE, 'Ensure the optional handler title was found.'); $description_args = array( '@module' => 'views', diff --git a/core/modules/views_ui/src/ViewListBuilder.php b/core/modules/views_ui/src/ViewListBuilder.php index 68ad5b0..8cb3fc6 100644 --- a/core/modules/views_ui/src/ViewListBuilder.php +++ b/core/modules/views_ui/src/ViewListBuilder.php @@ -13,6 +13,7 @@ use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Entity\EntityTypeInterface; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -96,7 +97,7 @@ public function buildRow(EntityInterface $view) { 'class' => array('views-table-filter-text-source'), ), 'tag' => $view->get('tag'), - 'path' => implode(', ', $this->getDisplayPaths($view)), + 'path' => SafeMarkup::implode(', ', $this->getDisplayPaths($view)), 'operations' => $row['operations'], ), 'title' => $this->t('Machine name: @name', array('@name' => $view->id())), @@ -230,7 +231,7 @@ protected function getDisplaysList(EntityInterface $view) { foreach ($view->get('display') as $display) { $definition = $this->displayManager->getDefinition($display['display_plugin']); if (!empty($definition['admin'])) { - $displays[$definition['admin']] = TRUE; + $displays[(string) $definition['admin']] = TRUE; } } diff --git a/core/modules/views_ui/src/ViewUI.php b/core/modules/views_ui/src/ViewUI.php index fb0db9c..413fbb1 100644 --- a/core/modules/views_ui/src/ViewUI.php +++ b/core/modules/views_ui/src/ViewUI.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Timer; use Drupal\Component\Utility\Xss; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Views; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\views\ViewExecutable; @@ -202,7 +203,7 @@ public function set($property_name, $value, $notify = TRUE) { } public static function getDefaultAJAXMessage() { - return '
' . t("Click on an item to edit that item's details.") . '
'; + return SafeMarkup::create('
' . t("Click on an item to edit that item's details.") . '
'); } /** @@ -677,7 +678,10 @@ public function renderPreview($display_id, $args = array()) { } } } - $rows['query'][] = array('' . t('Query') . '', '
' . String::checkPlain(strtr($query_string, $quoted)) . '
'); + $rows['query'][] = array( + SafeMarkup::create('' . t('Query') . ''), + SafeMarkup::create('
' . String::checkPlain(strtr($query_string, $quoted)) . '
'), + ); if (!empty($this->additionalQueries)) { $queries = '' . t('These queries were run during view rendering:') . ''; foreach ($this->additionalQueries as $query) { @@ -688,18 +692,24 @@ public function renderPreview($display_id, $args = array()) { $queries .= t('[@time ms] @query', array('@time' => round($query['time'] * 100000, 1) / 100000.0, '@query' => $query_string)); } - $rows['query'][] = array('' . t('Other queries') . '', '
' . $queries . '
'); + $rows['query'][] = array( + SafeMarkup::create('' . t('Other queries') . ''), + SafeMarkup::create('
' . $queries . '
'), + ); } } if ($show_info) { - $rows['query'][] = array('' . t('Title') . '', Xss::filterAdmin($this->executable->getTitle())); + $rows['query'][] = array( + SafeMarkup::create('' . t('Title') . ''), + Xss::filterAdmin($this->executable->getTitle()), + ); if (isset($path)) { $path = l($path, $path); } else { $path = t('This display has no path.'); } - $rows['query'][] = array('' . t('Path') . '', $path); + $rows['query'][] = array(SafeMarkup::create('' . t('Path') . ''), $path); } if ($show_stats) { @@ -714,10 +724,10 @@ public function renderPreview($display_id, $args = array()) { // No query was run. Display that information in place of either the // query or the performance statistics, whichever comes first. if ($combined || ($show_location === 'above')) { - $rows['query'] = array(array('' . t('Query') . '', t('No query was run'))); + $rows['query'] = array(array(SafeMarkup::create('' . t('Query') . ''), t('No query was run'))); } else { - $rows['statistics'] = array(array('' . t('Query') . '', t('No query was run'))); + $rows['statistics'] = array(array(SafeMarkup::create('' . t('Query') . ''), t('No query was run'))); } } } diff --git a/core/modules/views_ui/templates/views-ui-display-tab-setting.html.twig b/core/modules/views_ui/templates/views-ui-display-tab-setting.html.twig index 1c67469..4659514 100644 --- a/core/modules/views_ui/templates/views-ui-display-tab-setting.html.twig +++ b/core/modules/views_ui/templates/views-ui-display-tab-setting.html.twig @@ -20,6 +20,7 @@ {{ description }} {%- endif %} {% if settings_links %} - {{ settings_links|join(' | ') }} + {# @todo Need to identify a way to figure out how to remove |raw #} + {{ settings_links|join(' | ')|raw }} {% endif %}
diff --git a/core/modules/views_ui/views_ui.theme.inc b/core/modules/views_ui/views_ui.theme.inc index 430f14a..4e31357 100644 --- a/core/modules/views_ui/views_ui.theme.inc +++ b/core/modules/views_ui/views_ui.theme.inc @@ -7,6 +7,7 @@ use Drupal\Core\Render\Element; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; /** * Prepares variables for Views UI display tab setting templates. @@ -88,7 +89,7 @@ function template_preprocess_views_ui_display_tab_bucket(&$variables) { */ function template_preprocess_views_ui_view_info(&$variables) { $variables['title'] = $variables['view']->label(); - $variables['displays'] = empty($variables['displays']) ? t('None') : format_plural(count($variables['displays']), 'Display', 'Displays') . ': ' . '' . implode(', ', $variables['displays']) . ''; + $variables['displays'] = empty($variables['displays']) ? t('None') : SafeMarkup::create(format_plural(count($variables['displays']), 'Display', 'Displays') . ': ' . '' . SafeMarkup::implode(', ', $variables['displays']) . ''); } /** diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php index 72aade4..7637390 100644 --- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php +++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\UrlHelper; use Drupal\Component\Utility\Xss; +use Drupal\Core\Template\SafeMarkup; use Drupal\Tests\UnitTestCase; /** @@ -455,7 +456,8 @@ public function providerTestFilterXssNotNormalized() { */ public function testBlacklistMode($value, $expected, $message, array $disallowed_tags) { $value = Xss::filter($value, $disallowed_tags, Xss::FILTER_MODE_BLACKLIST); - $this->assertSame($expected, $value, $message); + $this->assertTrue($value instanceof SafeMarkup); + $this->assertSame($expected, (string) $value, $message); } /** diff --git a/core/tests/Drupal/Tests/Core/Annotation/TranslationTest.php b/core/tests/Drupal/Tests/Core/Annotation/TranslationTest.php index 071df3e..2b0fca7 100644 --- a/core/tests/Drupal/Tests/Core/Annotation/TranslationTest.php +++ b/core/tests/Drupal/Tests/Core/Annotation/TranslationTest.php @@ -8,6 +8,7 @@ use Drupal\Core\Annotation\Translation; use Drupal\Core\DependencyInjection\ContainerBuilder; +use Drupal\Core\Template\SafeMarkup; use Drupal\Tests\UnitTestCase; /** @@ -60,9 +61,10 @@ public function testGet(array $values, $expected) { ->method('translate') ->with($values['value'], $arguments, $options); - $annotation = new Translation($values); + $result = (new Translation($values))->get(); - $this->assertSame($expected, $annotation->get()); + $this->assertTrue($result instanceof SafeMarkup); + $this->assertSame($expected, (string) $result); } /** @@ -74,7 +76,7 @@ public function providerTestGet() { array( 'value' => 'Foo', ), - 'Foo' + 'Foo', ); $random = $this->randomName(); $random_html_entity = '&' . $random; diff --git a/core/tests/Drupal/Tests/Core/Common/RenderWrapperTest.php b/core/tests/Drupal/Tests/Core/Common/RenderWrapperTest.php index 1a1b568..19a4006 100644 --- a/core/tests/Drupal/Tests/Core/Common/RenderWrapperTest.php +++ b/core/tests/Drupal/Tests/Core/Common/RenderWrapperTest.php @@ -44,7 +44,7 @@ public function providerTestRenderWrapperData() { * @dataProvider providerTestRenderWrapperData */ public function testDrupalRenderWrapper($callback, $arguments, $expected, $message) { - $this->assertSame($expected, (string) new RenderWrapper($callback, $arguments), $message); + $this->assertSame($expected, (string) (new RenderWrapper($callback, $arguments))->__toString(), $message); } /** diff --git a/core/tests/Drupal/Tests/UnitTestCase.php b/core/tests/Drupal/Tests/UnitTestCase.php index bcefce7..8d4eef8 100644 --- a/core/tests/Drupal/Tests/UnitTestCase.php +++ b/core/tests/Drupal/Tests/UnitTestCase.php @@ -11,6 +11,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Cache\CacheBackendInterface; use Drupal\Core\DependencyInjection\ContainerBuilder; +use Drupal\Core\Template\SafeMarkup; /** * Provides a base class and helpers for Drupal unit tests. diff --git a/core/themes/bartik/templates/block--system-branding-block.html.twig b/core/themes/bartik/templates/block--system-branding-block.html.twig index 5917f58..f6147a6 100644 --- a/core/themes/bartik/templates/block--system-branding-block.html.twig +++ b/core/themes/bartik/templates/block--system-branding-block.html.twig @@ -23,7 +23,7 @@
{% if site_name %} - {{ site_name|e }} + {{ site_name }} {% endif %} {% if site_slogan %} diff --git a/core/themes/engines/twig/twig.engine b/core/themes/engines/twig/twig.engine index 1595bf8..b6e3e02 100644 --- a/core/themes/engines/twig/twig.engine +++ b/core/themes/engines/twig/twig.engine @@ -6,6 +6,7 @@ */ use Drupal\Core\Extension\Extension; +use Drupal\Core\Template\SafeMarkup; /** * Implements hook_theme(). @@ -45,6 +46,7 @@ function twig_init(Extension $theme) { * The output generated by the template, plus any debug information. */ function twig_render_template($template_file, $variables) { + /** @var \Twig_Environment $twig_service */ $twig_service = \Drupal::service('twig'); $output = array( 'debug_prefix' => '', @@ -93,7 +95,7 @@ function twig_render_template($template_file, $variables) { $output['debug_info'] .= "\n\n"; $output['debug_suffix'] .= "\n\n\n"; } - return implode('', $output); + return SafeMarkup::create(implode('', $output)); } /** diff --git a/core/vendor/twig/twig/lib/Twig/Extension/Core.php b/core/vendor/twig/twig/lib/Twig/Extension/Core.php index 4e80c67..396a9f3 100644 --- a/core/vendor/twig/twig/lib/Twig/Extension/Core.php +++ b/core/vendor/twig/twig/lib/Twig/Extension/Core.php @@ -922,7 +922,12 @@ function twig_escape_filter(Twig_Environment $env, $string, $strategy = 'html', if (!is_string($string)) { if (is_object($string) && method_exists($string, '__toString')) { - $string = (string) $string; + // @todo Move to twig engine. This is necessary because of + // RenderWrapper. + $string = $string->__toString(); + if ($autoescape && $string instanceof Twig_Markup) { + return $string; + } } else { return $string; }