diff --git a/core/includes/common.inc b/core/includes/common.inc index f30bcdf..75977c4 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -28,6 +28,7 @@ use Drupal\Core\EventSubscriber\HtmlViewSubscriber; use Drupal\Core\Routing\GeneratorNotInitializedException; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Render\Element; use Drupal\Core\Session\AnonymousUserSession; @@ -915,7 +916,11 @@ function l($text, $path, array $options = array()) { // Sanitize the link text if necessary. $text = $variables['options']['html'] ? $variables['text'] : String::checkPlain($variables['text']); - return '' . $text . ''; + // $attributes and $url are known to be safe. Inline the safe check instead + // of using String::Concat() for performance reasons. + $safe = $text instanceof SafeMarkup; + $link = '' . $text . ''; + return $safe ? new SafeMarkup($link) : $link; } /** @@ -1468,6 +1473,9 @@ function drupal_html_class($class) { // static instead of drupal_static(). static $classes = array(); + // @todo Needs safe makrup preservation or should be cast to string before + // arg is passed to this function? + $class = (string) $class; if (!isset($classes[$class])) { $classes[$class] = drupal_clean_css_identifier(drupal_strtolower($class)); } @@ -2857,6 +2865,7 @@ function drupal_pre_render_conditional_comments($elements) { * - meta: To provide meta information, such as a page refresh. * - link: To refer to stylesheets and other contextual information. * - script: To load JavaScript. + * This is not HTML escaped, do not pass in user input. * - #attributes: (optional) An array of HTML attributes to apply to the * tag. * - #value: (optional) A string containing tag content, such as inline @@ -2869,7 +2878,9 @@ function drupal_pre_render_conditional_comments($elements) { function drupal_pre_render_html_tag($element) { $attributes = isset($element['#attributes']) ? new Attribute($element['#attributes']) : ''; if (!isset($element['#value'])) { - $markup = '<' . $element['#tag'] . $attributes . " />\n"; + // Attributes are safe and we are assuming people don't use this function + // and second they don't pass unsafe variables to #tag. + $markup = new SafeMarkup('<' . $element['#tag'] . $attributes . " />\n"); } else { $markup = '<' . $element['#tag'] . $attributes . '>'; @@ -2881,6 +2892,8 @@ function drupal_pre_render_html_tag($element) { $markup .= $element['#value_suffix']; } $markup .= '\n"; + // @TODO Creating safe markup, avoid if possible! + $markup = new SafeMarkup($markup); } if (!empty($element['#noscript'])) { $element['#markup'] = ''; @@ -3380,12 +3393,29 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { $theme_is_implemented = ($elements['#children'] !== FALSE); } + // Assume still safe unless the element or it's __toString return value aren't + // instances of Twig_Markup. + $safe = TRUE; + $get_string = function ($element) use (&$safe) { + if (is_object($element) && method_exists($element, '__toString')) { + $markup = $element->__toString(); + } + else { + $markup = $element; + } + $safe = $safe && (!$markup || $element instanceof \Twig_Markup || $markup instanceof \Twig_Markup); + return $markup; + }; + // If #theme is not implemented or #render_children is set and the element has // an empty #children attribute, render the children now. This is the same // process as drupal_render_children() but is inlined for speed. if ((!$theme_is_implemented || isset($elements['#render_children'])) && empty($elements['#children'])) { foreach ($children as $key) { - $elements['#children'] .= drupal_render($elements[$key], TRUE); + $elements['#children'] .= $get_string(drupal_render($elements[$key], TRUE)); + } + if ($safe) { + $elements['#children'] = new SafeMarkup($elements['#children']); } } @@ -3397,7 +3427,10 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { // required. Eventually #theme_wrappers will expect both #markup and // #children to be a single string as #children. if (!$theme_is_implemented && isset($elements['#markup'])) { - $elements['#children'] = $elements['#markup'] . $elements['#children']; + $elements['#children'] = $get_string($elements['#markup']) . $get_string($elements['#children']); + if ($safe) { + $elements['#children'] = new SafeMarkup($elements['#children']); + } } // Let the theme functions in #theme_wrappers add markup around the rendered @@ -3481,7 +3514,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { } $elements['#printed'] = TRUE; - return $elements['#markup']; + return $safe ? new SafeMarkup($elements['#markup']) : $elements['#markup']; } /** @@ -3503,13 +3536,13 @@ function drupal_render_children(&$element, $children_keys = NULL) { if ($children_keys === NULL) { $children_keys = Element::children($element); } - $output = ''; + $markups = array(); foreach ($children_keys as $key) { if (!empty($element[$key])) { - $output .= drupal_render($element[$key]); + $markups[] = drupal_render($element[$key]); } } - return $output; + return String::implode('', $markups); } /** diff --git a/core/includes/form.inc b/core/includes/form.inc index 42206a4..8bc313c 100644 --- a/core/includes/form.inc +++ b/core/includes/form.inc @@ -15,6 +15,7 @@ use Drupal\Core\Language\Language; use Drupal\Core\Render\Element; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Utility\Color; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -983,7 +984,7 @@ function form_select_options($element, $choices = NULL) { $options .= form_select_options($element, $choice); $options .= ''; } - elseif (is_object($choice)) { + elseif (is_object($choice) && isset($choice->option)) { $options .= form_select_options($element, $choice->option); } else { @@ -998,7 +999,7 @@ function form_select_options($element, $choices = NULL) { $options .= ''; } } - return $options; + return new SafeMarkup($options); } /** @@ -1659,7 +1660,7 @@ function theme_tableselect($variables) { foreach ($element['#header'] as $fieldname => $title) { // A row cell can span over multiple headers, which means less row cells // than headers could be present. - if (isset($element['#options'][$key][$fieldname])) { + if (isset($element['#options'][$key][$fieldname]) && is_array($element['#options'][$key][$fieldname])) { // A header can span over multiple cells and in this case the cells // are passed in an array. The order of this array determines the // order in which they are added. @@ -2348,7 +2349,10 @@ function template_preprocess_input(&$variables) { function theme_input($variables) { $element = $variables['element']; $attributes = $variables['attributes']; - return '' . drupal_render_children($element); + $children = drupal_render_children($element); + $safe = $children instanceof SafeMarkup; + $return = '' . $children; + return $safe ? new SafeMarkup($return) : $return; } /** @@ -2976,8 +2980,6 @@ function theme_form_element_label($variables) { return ''; } - $title = Xss::filterAdmin($element['#title']); - $attributes = array(); // Style the label as class option to display inline with the element. if ($element['#title_display'] == 'after') { @@ -3008,7 +3010,10 @@ function theme_form_element_label($variables) { $attributes['class'][] = 'form-required'; } - return '' . $title . ''; + $title = Xss::filterAdmin($element['#title']); + + // Attribute is always safe and title is too so mark this safe. + return new SafeMarkup('' . $title . ''); } /** diff --git a/core/includes/theme.inc b/core/includes/theme.inc index e44f13d..b4ebc20 100644 --- a/core/includes/theme.inc +++ b/core/includes/theme.inc @@ -21,6 +21,7 @@ use Drupal\Core\Page\MetaElement; use Drupal\Core\Template\Attribute; use Drupal\Core\Template\RenderWrapper; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Theme\ThemeSettings; use Drupal\Component\Utility\NestedArray; use Drupal\Core\Render\Element; @@ -650,7 +651,7 @@ function _theme($hook, $variables = array()) { // restore path_to_theme() $theme_path = $temp; - return (string) $output; + return $output; } /** @@ -2052,7 +2053,10 @@ function template_preprocess_html(&$variables) { // Wrap function calls in an object so they can be called when printed. $variables['head'] = new RenderWrapper(function() use ($page) { - return implode("\n", $page->getMetaElements()) . implode("\n", $page->getLinkElements()); + // HeadElement itself is safe and MetaElement and LinkElement both extend + // it so each element are safe. The result of concatenating a lot of them + // together is also safe. + return new SafeMarkup(implode("\n", $page->getMetaElements()) . implode("\n", $page->getLinkElements())); }); $variables['styles'] = new RenderWrapper('drupal_get_css'); $variables['scripts'] = new RenderWrapper('drupal_get_js'); diff --git a/core/lib/Drupal/Component/Utility/String.php b/core/lib/Drupal/Component/Utility/String.php index 9796a5f..3cd6784 100644 --- a/core/lib/Drupal/Component/Utility/String.php +++ b/core/lib/Drupal/Component/Utility/String.php @@ -7,6 +7,8 @@ namespace Drupal\Component\Utility; +use Drupal\Core\Template\SafeMarkup; + /** * Provides helpers to operate on strings. * @@ -31,7 +33,7 @@ class String { * @see drupal_validate_utf8() */ public static function checkPlain($text) { - return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); + return $text instanceof SafeMarkup ? $text : new SafeMarkup(htmlspecialchars($text, ENT_QUOTES, 'UTF-8')); } /** @@ -65,7 +67,8 @@ public static function decodeEntities($text) { * addition to formatting it. * * @param $string - * A string containing placeholders. + * A string containing placeholders. The string itself is not escaped, any + * unsafe content must be in $args and inserted via placeholders. * @param $args * An associative array of replacements to make. Occurrences in $string of * any key in $args are replaced with the corresponding value, after @@ -108,7 +111,7 @@ public static function format($string, array $args = array()) { // Pass-through. } } - return strtr($string, $args); + return new SafeMarkup(strtr($string, $args)); } /** @@ -123,7 +126,34 @@ public static function format($string, array $args = array()) { * The formatted text (html). */ public static function placeholder($text) { - return '' . static::checkPlain($text) . ''; + return new SafeMarkup('' . static::checkPlain($text) . ''); } + /** + * @todo. + */ + public static function concat() { + return static::implode('', func_get_args()); + } + + /** + * @todo. + */ + public static function implode($delimiter, array $array) { + $real_delimiter = ''; + $safe = TRUE; + $imploded = ''; + foreach ($array as $string) { + $safe = $safe && (!$string || $string instanceof SafeMarkup); + $imploded .= $real_delimiter . $string; + $real_delimiter = $delimiter; + } + return $safe ? new SafeMarkup($imploded) : $imploded; + } + + public static function strReplace($search, $replace, $subject, &$count = NULL) { + $safe = $subject instanceof SafeMarkup; + $replacement = str_replace($search, $replace, $subject, $count); + return $safe ? new SafeMarkup($replacement) : $replacement; + } } diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php index dc49913..dd0df76 100644 --- a/core/lib/Drupal/Component/Utility/Xss.php +++ b/core/lib/Drupal/Component/Utility/Xss.php @@ -7,6 +7,8 @@ namespace Drupal\Component\Utility; +use Drupal\Core\Template\SafeMarkup; + /** * Provides helper to filter for cross-site scripting. * @@ -90,7 +92,7 @@ public static function filter($string, $html_tags = array('a', 'em', 'strong', ' $splitter = function ($matches) use ($html_tags, $mode) { return static::split($matches[1], $html_tags, $mode); }; - return preg_replace_callback('% + return new SafeMarkup(preg_replace_callback('% ( <(?=[^a-zA-Z!/]) # a lone < | # or @@ -99,7 +101,7 @@ public static function filter($string, $html_tags = array('a', 'em', 'strong', ' <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string | # or > # just a > - )%x', $splitter, $string); + )%x', $splitter, $string)); } /** diff --git a/core/lib/Drupal/Core/Config/StorableConfigBase.php b/core/lib/Drupal/Core/Config/StorableConfigBase.php index 18c0f07..c45092b 100644 --- a/core/lib/Drupal/Core/Config/StorableConfigBase.php +++ b/core/lib/Drupal/Core/Config/StorableConfigBase.php @@ -9,6 +9,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Config\Schema\SchemaIncompleteException; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\TypedData\PrimitiveInterface; use Drupal\Core\TypedData\Type\FloatInterface; use Drupal\Core\TypedData\Type\IntegerInterface; @@ -167,6 +168,9 @@ protected function validateValue($key, $value) { * Exception on unsupported/undefined data type deducted. */ protected function castValue($key, $value) { + if ($value instanceof SafeMarkup) { + $value = $value->__toString(); + } if ($value === NULL) { $value = NULL; } diff --git a/core/lib/Drupal/Core/CoreServiceProvider.php b/core/lib/Drupal/Core/CoreServiceProvider.php index fe23fb6..99784f7 100644 --- a/core/lib/Drupal/Core/CoreServiceProvider.php +++ b/core/lib/Drupal/Core/CoreServiceProvider.php @@ -101,7 +101,7 @@ public static function registerTwig(ContainerBuilder $container) { 'cache' => drupal_installation_attempted() ? FALSE : Settings::get('twig_cache', TRUE), // @todo Remove in followup issue // @see http://drupal.org/node/1712444. - 'autoescape' => FALSE, + 'autoescape' => TRUE, 'debug' => Settings::get('twig_debug', FALSE), 'auto_reload' => Settings::get('twig_auto_reload', NULL), )) diff --git a/core/lib/Drupal/Core/Database/Install/Tasks.php b/core/lib/Drupal/Core/Database/Install/Tasks.php index c4d88d2..6d0dfe7 100644 --- a/core/lib/Drupal/Core/Database/Install/Tasks.php +++ b/core/lib/Drupal/Core/Database/Install/Tasks.php @@ -92,14 +92,14 @@ protected function hasPdoDriver() { * Assert test as failed. */ protected function fail($message) { - $this->results[$message] = FALSE; + $this->results[(string) $message] = FALSE; } /** * Assert test as a pass. */ protected function pass($message) { - $this->results[$message] = TRUE; + $this->results[(string) $message] = TRUE; } /** diff --git a/core/lib/Drupal/Core/Extension/ThemeHandler.php b/core/lib/Drupal/Core/Extension/ThemeHandler.php index dbe2c78..8354bea 100644 --- a/core/lib/Drupal/Core/Extension/ThemeHandler.php +++ b/core/lib/Drupal/Core/Extension/ThemeHandler.php @@ -626,6 +626,8 @@ public function getName($theme) { if (!isset($themes[$theme])) { throw new \InvalidArgumentException(String::format('Requested the name of a non-existing theme @theme', array('@theme' => $theme))); } + // @todo For testing please remove before commit. + return \Drupal::config('system.site')->get('name'); return String::checkPlain($themes[$theme]->info['name']); } diff --git a/core/lib/Drupal/Core/Form/OptGroup.php b/core/lib/Drupal/Core/Form/OptGroup.php index f94d62d..21e9855 100644 --- a/core/lib/Drupal/Core/Form/OptGroup.php +++ b/core/lib/Drupal/Core/Form/OptGroup.php @@ -43,7 +43,7 @@ public static function flattenOptions(array $array) { */ protected static function doFlattenOptions(array $array, array &$options) { foreach ($array as $key => $value) { - if (is_object($value)) { + if (is_object($value) && isset($value->option)) { static::doFlattenOptions($value->option, $options); } elseif (is_array($value)) { diff --git a/core/lib/Drupal/Core/Page/HeadElement.php b/core/lib/Drupal/Core/Page/HeadElement.php index 85055ad..70cf2b7 100644 --- a/core/lib/Drupal/Core/Page/HeadElement.php +++ b/core/lib/Drupal/Core/Page/HeadElement.php @@ -8,11 +8,12 @@ namespace Drupal\Core\Page; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; /** * This class represents an HTML element that appears in the HEAD tag. */ -class HeadElement { +class HeadElement extends SafeMarkup { /** * An array of attributes for this element. diff --git a/core/lib/Drupal/Core/StringTranslation/TranslationManager.php b/core/lib/Drupal/Core/StringTranslation/TranslationManager.php index bd1b3b3..68731c7 100644 --- a/core/lib/Drupal/Core/StringTranslation/TranslationManager.php +++ b/core/lib/Drupal/Core/StringTranslation/TranslationManager.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\String; use Drupal\Core\Language\LanguageManagerInterface; use Drupal\Core\StringTranslation\Translator\TranslatorInterface; +use Drupal\Core\Template\SafeMarkup; /** * Defines a chained translation implementation combining multiple translators. @@ -140,7 +141,7 @@ public function translate($string, array $args = array(), array $options = array $string = $translation === FALSE ? $string : $translation; if (empty($args)) { - return $string; + return new SafeMarkup($string); } else { return String::format($string, $args); diff --git a/core/lib/Drupal/Core/Template/Attribute.php b/core/lib/Drupal/Core/Template/Attribute.php index ead5d05..7432b6d 100644 --- a/core/lib/Drupal/Core/Template/Attribute.php +++ b/core/lib/Drupal/Core/Template/Attribute.php @@ -31,7 +31,7 @@ * // Produces * @endcode */ -class Attribute implements \ArrayAccess, \IteratorAggregate { +class Attribute extends \Twig_Markup implements \ArrayAccess, \IteratorAggregate { /** * Stores the attribute data. @@ -86,9 +86,12 @@ protected function createAttributeValue($name, $value) { elseif (is_bool($value)) { $value = new AttributeBoolean($name, $value); } - elseif (!is_object($value)) { + elseif (!is_object($value) || $value instanceof SafeMarkup) { $value = new AttributeString($name, $value); } + elseif (!method_exists($value, 'render')) { + throw new \Exception('boo!'); + } return $value; } diff --git a/core/lib/Drupal/Core/Template/AttributeArray.php b/core/lib/Drupal/Core/Template/AttributeArray.php index 95e0ef3..4d8145f 100644 --- a/core/lib/Drupal/Core/Template/AttributeArray.php +++ b/core/lib/Drupal/Core/Template/AttributeArray.php @@ -66,7 +66,7 @@ public function offsetExists($offset) { * Implements the magic __toString() method. */ public function __toString() { - return String::checkPlain(implode(' ', $this->value)); + return (string) String::checkPlain(implode(' ', $this->value)); } /** diff --git a/core/lib/Drupal/Core/Template/AttributeBoolean.php b/core/lib/Drupal/Core/Template/AttributeBoolean.php index 4e9ea67..b5a0957 100644 --- a/core/lib/Drupal/Core/Template/AttributeBoolean.php +++ b/core/lib/Drupal/Core/Template/AttributeBoolean.php @@ -42,7 +42,7 @@ public function render() { * Implements the magic __toString() method. */ public function __toString() { - return $this->value === FALSE ? '' : String::checkPlain($this->name); + return $this->value === FALSE ? '' : (string) String::checkPlain($this->name); } } diff --git a/core/lib/Drupal/Core/Template/AttributeString.php b/core/lib/Drupal/Core/Template/AttributeString.php index 07211be..e1c69dc 100644 --- a/core/lib/Drupal/Core/Template/AttributeString.php +++ b/core/lib/Drupal/Core/Template/AttributeString.php @@ -30,7 +30,7 @@ class AttributeString extends AttributeValueBase { * Implements the magic __toString() method. */ public function __toString() { - return String::checkPlain($this->value); + return (string) String::checkPlain($this->value); } } diff --git a/core/lib/Drupal/Core/Utility/LinkGenerator.php b/core/lib/Drupal/Core/Utility/LinkGenerator.php index b547d95..3e64c1a 100644 --- a/core/lib/Drupal/Core/Utility/LinkGenerator.php +++ b/core/lib/Drupal/Core/Utility/LinkGenerator.php @@ -11,8 +11,9 @@ use Drupal\Component\Utility\String; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Path\AliasManagerInterface; -use Drupal\Core\Template\Attribute; use Drupal\Core\Routing\UrlGeneratorInterface; +use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Url; /** @@ -123,7 +124,11 @@ public function generateFromUrl($text, Url $url) { // Sanitize the link text if necessary. $text = $variables['options']['html'] ? $variables['text'] : String::checkPlain($variables['text']); - return '' . $text . ''; + // $attributes and $url are known to be safe. Inline the safe check instead + // of using String::Concat() for performance reasons. + $safe = $text instanceof SafeMarkup; + $link = '' . $text . ''; + return $safe ? new SafeMarkup($link) : $link; } /** diff --git a/core/modules/contextual/lib/Drupal/contextual/ContextualController.php b/core/modules/contextual/lib/Drupal/contextual/ContextualController.php index aeee4a6..fcc47de 100644 --- a/core/modules/contextual/lib/Drupal/contextual/ContextualController.php +++ b/core/modules/contextual/lib/Drupal/contextual/ContextualController.php @@ -44,7 +44,10 @@ public function render(Request $request) { '#type' => 'contextual_links', '#contextual_links' => _contextual_id_to_links($id), ); - $rendered[$id] = drupal_render($element); + // Cast any returned safe markup to string so that it is created + // as correct JSON. + // @todo Maybe check safeness and checkplain the results? + $rendered[$id] = (string) drupal_render($element); } return new JsonResponse($rendered); diff --git a/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php b/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php index 84b587a..0963e34 100644 --- a/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php +++ b/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php @@ -7,12 +7,14 @@ namespace Drupal\field\Plugin\views\field; +use Drupal\Component\Utility\String; use Drupal\Component\Utility\Xss; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Field\FieldDefinition; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Template\SafeMarkup; use Drupal\Core\Entity\ContentEntityDatabaseStorage; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Field\FormatterPluginManager; @@ -686,11 +688,11 @@ public function submitGroupByForm(&$form, &$form_state) { protected function renderItems($items) { if (!empty($items)) { if (!$this->options['group_rows']) { - return implode('', $items); + return String::implode('', $items); } if ($this->options['multi_type'] == 'separator') { - return implode(Xss::filterAdmin($this->options['separator']), $items); + return String::implode(Xss::filterAdmin($this->options['separator']), $items); } else { $item_list = array( diff --git a/core/modules/field_ui/lib/Drupal/field_ui/FieldConfigListBuilder.php b/core/modules/field_ui/lib/Drupal/field_ui/FieldConfigListBuilder.php index e1d96c6..4fc313d 100644 --- a/core/modules/field_ui/lib/Drupal/field_ui/FieldConfigListBuilder.php +++ b/core/modules/field_ui/lib/Drupal/field_ui/FieldConfigListBuilder.php @@ -7,6 +7,7 @@ namespace Drupal\field_ui; +use Drupal\Component\Utility\String; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; @@ -117,7 +118,7 @@ public function buildRow(EntityInterface $field) { $usage[] = $this->bundles[$field->entity_type][$bundle]['label']; } } - $row['data']['usage'] = implode(', ', $usage); + $row['data']['usage'] = String::implode(', ', $usage); return $row; } diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module index 3efe9ad..cd17f6a 100644 --- a/core/modules/filter/filter.module +++ b/core/modules/filter/filter.module @@ -13,6 +13,7 @@ use Drupal\Core\Render\Element; use Drupal\Core\Session\AccountInterface; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\filter\FilterFormatInterface; use Drupal\filter\Plugin\FilterInterface; use Symfony\Component\HttpFoundation\Request; @@ -419,7 +420,7 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE, \Drupal::cache('filter')->set($cache_id, $text, Cache::PERMANENT, array('filter_format' => $format->id())); } - return $text; + return new SafeMarkup($text); } /** diff --git a/core/modules/filter/templates/filter-guidelines.html.twig b/core/modules/filter/templates/filter-guidelines.html.twig index 88a3b47..ecf9b94 100644 --- a/core/modules/filter/templates/filter-guidelines.html.twig +++ b/core/modules/filter/templates/filter-guidelines.html.twig @@ -20,6 +20,6 @@ */ #} -

{{ format.name|escape }}

+

{{ format.name }}

{{ tips }} diff --git a/core/modules/node/node.install b/core/modules/node/node.install index b075d93..7888e2b 100644 --- a/core/modules/node/node.install +++ b/core/modules/node/node.install @@ -7,6 +7,7 @@ use Drupal\Component\Uuid\Uuid; use Drupal\Core\Language\Language; +use Drupal\Core\Template\SafeMarkup; /** * Implements hook_requirements(). @@ -29,7 +30,9 @@ function node_requirements($phase) { $requirements['node_access'] = array( 'title' => t('Node Access Permissions'), 'value' => $value, - 'description' => $description . ' ' . l(t('Rebuild permissions'), 'admin/reports/status/rebuild'), + // The results of t() is safe and so is the results of l(). Preserving + // safe object. + 'description' => new SafeMarkup($description . ' ' . l(t('Rebuild permissions'), 'admin/reports/status/rebuild')), ); } return $requirements; diff --git a/core/modules/simpletest/lib/Drupal/simpletest/Form/SimpletestResultsForm.php b/core/modules/simpletest/lib/Drupal/simpletest/Form/SimpletestResultsForm.php index 299f305..2786a3a 100644 --- a/core/modules/simpletest/lib/Drupal/simpletest/Form/SimpletestResultsForm.php +++ b/core/modules/simpletest/lib/Drupal/simpletest/Form/SimpletestResultsForm.php @@ -9,6 +9,7 @@ use Drupal\Core\Database\Connection; use Drupal\Core\Form\FormBase; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -155,7 +156,8 @@ public function buildForm(array $form, array &$form_state, $test_id = NULL) { $rows = array(); foreach ($assertions as $assertion) { $row = array(); - $row[] = $assertion->message; + // @todo Need to preserve safe markup, not create it. + $row[] = new SafeMarkup($assertion->message); $row[] = $assertion->message_group; $row[] = drupal_basename($assertion->file); $row[] = $assertion->line; diff --git a/core/modules/simpletest/lib/Drupal/simpletest/TestBase.php b/core/modules/simpletest/lib/Drupal/simpletest/TestBase.php index 19dd044..1ebeb39 100644 --- a/core/modules/simpletest/lib/Drupal/simpletest/TestBase.php +++ b/core/modules/simpletest/lib/Drupal/simpletest/TestBase.php @@ -277,7 +277,7 @@ protected function assert($status, $message = '', $group = 'Other', array $calle 'test_id' => $this->testId, 'test_class' => get_class($this), 'status' => $status, - 'message' => $message, + 'message' => (string) $message, 'message_group' => $group, 'function' => $caller['function'], 'line' => $caller['line'], diff --git a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php index 340b555..b97f8f5 100644 --- a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php +++ b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php @@ -23,6 +23,7 @@ use Drupal\Core\StreamWrapper\PublicStream; use Drupal\Core\Datetime\DrupalDateTime; use Drupal\block\Entity\Block; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\HttpFoundation\Request; /** @@ -1628,6 +1629,9 @@ protected function drupalGetAJAX($path, array $options = array(), array $headers */ protected function drupalPostForm($path, $edit, $submit, array $options = array(), array $headers = array(), $form_html_id = NULL, $extra_post = NULL) { $submit_matches = FALSE; + if ($submit instanceof SafeMarkup) { + $submit = (string) $submit; + } $ajax = is_array($submit); if (isset($path)) { $this->drupalGet($path, $options); @@ -2759,7 +2763,7 @@ protected function assertRaw($raw, $message = '', $group = 'Other') { if (!$message) { $message = String::format('Raw "@raw" found', array('@raw' => $raw)); } - return $this->assert(strpos($this->drupalGetContent(), $raw) !== FALSE, $message, $group); + return $this->assert(strpos($this->drupalGetContent(), (string) $raw) !== FALSE, $message, $group); } /** @@ -2786,7 +2790,7 @@ protected function assertNoRaw($raw, $message = '', $group = 'Other') { if (!$message) { $message = String::format('Raw "@raw" not found', array('@raw' => $raw)); } - return $this->assert(strpos($this->drupalGetContent(), $raw) === FALSE, $message, $group); + return $this->assert(strpos($this->drupalGetContent(), (string) $raw) === FALSE, $message, $group); } /** @@ -2870,7 +2874,7 @@ protected function assertTextHelper($text, $message = '', $group, $not_exists) { if (!$message) { $message = !$not_exists ? String::format('"@text" found', array('@text' => $text)) : String::format('"@text" not found', array('@text' => $text)); } - return $this->assert($not_exists == (strpos($this->plainTextContent, $text) === FALSE), $message, $group); + return $this->assert($not_exists == (strpos($this->plainTextContent, (string) $text) === FALSE), $message, $group); } /** @@ -3684,6 +3688,7 @@ protected function assertMail($name, $value = '', $message = '', $group = 'E-mai protected function assertMailString($field_name, $string, $email_depth, $message = '', $group = 'Other') { $mails = $this->drupalGetMails(); $string_found = FALSE; + $string = (string) $string; for ($i = count($mails) -1; $i >= count($mails) - $email_depth && $i >= 0; $i--) { $mail = $mails[$i]; // Normalize whitespace, as we don't know what the mail system might have diff --git a/core/modules/system/lib/Drupal/system/Form/ModulesUninstallForm.php b/core/modules/system/lib/Drupal/system/Form/ModulesUninstallForm.php index 7438e48..23de0ba 100644 --- a/core/modules/system/lib/Drupal/system/Form/ModulesUninstallForm.php +++ b/core/modules/system/lib/Drupal/system/Form/ModulesUninstallForm.php @@ -10,6 +10,7 @@ use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Form\FormBase; use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; +use Drupal\Core\Template\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -114,7 +115,7 @@ public function buildForm(array $form, array &$form_state) { foreach ($uninstallable as $module) { $name = $module->info['name'] ?: $module->getName(); $form['modules'][$module->getName()]['#module_name'] = $name; - $form['modules'][$module->getName()]['name']['#markup'] = $name; + $form['modules'][$module->getName()]['name']['#markup'] = new SafeMarkup($name); $form['modules'][$module->getName()]['description']['#markup'] = $this->t($module->info['description']); $form['uninstall'][$module->getName()] = array( diff --git a/core/modules/system/lib/Drupal/system/Tests/Common/RenderTest.php b/core/modules/system/lib/Drupal/system/Tests/Common/RenderTest.php index caa80a2..d3b21e3 100644 --- a/core/modules/system/lib/Drupal/system/Tests/Common/RenderTest.php +++ b/core/modules/system/lib/Drupal/system/Tests/Common/RenderTest.php @@ -277,7 +277,8 @@ function testDrupalRenderBasics() { ); foreach($types as $type) { - $this->assertIdentical(drupal_render($type['value']), $type['expected'], '"' . $type['name'] . '" input rendered correctly by drupal_render().'); + $value = drupal_render($type['value']); + $this->assertIdentical((string) $value, $type['expected'], '"' . $type['name'] . '" input rendered correctly by drupal_render().'); } } @@ -394,14 +395,14 @@ function testDrupalRenderThemeArguments() { '#theme' => 'common_test_foo', ); // Test that defaults work. - $this->assertEqual(drupal_render($element), 'foobar', 'Defaults work'); + $this->assertEqual((string) drupal_render($element), 'foobar', 'Defaults work'); $element = array( '#theme' => 'common_test_foo', '#foo' => $this->randomName(), '#bar' => $this->randomName(), ); // Tests that passing arguments to the theme function works. - $this->assertEqual(drupal_render($element), $element['#foo'] . $element['#bar'], 'Passing arguments to theme functions works'); + $this->assertEqual((string) drupal_render($element), $element['#foo'] . $element['#bar'], 'Passing arguments to theme functions works'); } /** @@ -470,7 +471,7 @@ function testDrupalRenderPostRenderCache() { $element = $test_element; $element['#markup'] = '

#cache disabled

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -486,7 +487,7 @@ function testDrupalRenderPostRenderCache() { $element['#cache'] = array('cid' => 'post_render_cache_test_GET'); $element['#markup'] = '

#cache enabled, GET

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -509,7 +510,7 @@ function testDrupalRenderPostRenderCache() { $element['#cache'] = array('cid' => 'post_render_cache_test_GET'); $element['#markup'] = '

#cache enabled, GET

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -526,7 +527,7 @@ function testDrupalRenderPostRenderCache() { $element['#cache'] = array('cid' => 'post_render_cache_test_POST'); $element['#markup'] = '

#cache enabled, POST

'; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -589,7 +590,7 @@ function testDrupalRenderChildrenPostRenderCache() { ); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -635,7 +636,7 @@ function testDrupalRenderChildrenPostRenderCache() { drupal_static_reset('_drupal_add_js'); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -647,7 +648,7 @@ function testDrupalRenderChildrenPostRenderCache() { unset($test_element['#cache']); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); $expected_settings = $context_1 + $context_2 + $context_3; @@ -667,7 +668,7 @@ function testDrupalRenderChildrenPostRenderCache() { $element['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_parent'); $element['child']['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_child'); $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); $this->assertIdentical($element['#markup'], '

overridden

', '#markup is overridden.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -742,7 +743,7 @@ function testDrupalRenderChildrenPostRenderCache() { $element = $test_element; $element['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_parent'); $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['foo'], 'bar', 'Original JavaScript setting is added to the page.'); @@ -754,7 +755,7 @@ function testDrupalRenderChildrenPostRenderCache() { $element['child']['#cache']['keys'] = array('simpletest', 'drupal_render', 'children_post_render_cache', 'nested_cache_child'); $element = $element['child']; $output = drupal_render($element); - $this->assertIdentical($output, '

overridden

', 'Output is overridden.'); + $this->assertIdentical((string) $output, '

overridden

', 'Output is overridden.'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $settings = $this->parseDrupalSettings(drupal_get_js()); $expected_settings = $context_2 + $context_3; @@ -790,7 +791,7 @@ function testDrupalRenderRenderCachePlaceholder() { drupal_static_reset('_drupal_add_js'); $element = $test_element; $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -803,7 +804,7 @@ function testDrupalRenderRenderCachePlaceholder() { $element = $test_element; $element['#cache'] = array('cid' => 'render_cache_placeholder_test_GET'); $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -840,7 +841,7 @@ function testDrupalRenderRenderCachePlaceholder() { $element = $test_element; $element['#cache'] = array('cid' => 'render_cache_placeholder_test_GET'); $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -880,7 +881,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { drupal_static_reset('_drupal_add_js'); $element = $container; $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $settings = $this->parseDrupalSettings(drupal_get_js()); $this->assertIdentical($settings['common_test'], $context, '#attached is modified; JavaScript setting is added to page.'); @@ -899,7 +900,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $element['#children'] = drupal_render($child, TRUE); // Eventually, drupal_render() gets called on the root element. $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertTrue(isset($element['#printed']), 'No cache hit'); $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); @@ -996,7 +997,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $child = &$element['test_element']; $element['#children'] = drupal_render($child, TRUE); $output = drupal_render($element); - $this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output'); + $this->assertIdentical((string) $output, $expected_output, 'Placeholder was replaced in output'); $this->assertFalse(isset($element['#printed']), 'Cache hit'); $this->assertIdentical($element['#markup'], $expected_output, 'Placeholder was replaced in #markup.'); $settings = $this->parseDrupalSettings(drupal_get_js()); diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc index 9ba1a1c..255832d 100644 --- a/core/modules/system/system.admin.inc +++ b/core/modules/system/system.admin.inc @@ -5,11 +5,13 @@ * Admin page callbacks for the system module. */ +use Drupal\Component\Utility\String; use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Extension\Extension; use Drupal\Core\Render\Element; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; /** * Recursively check compatibility. @@ -313,9 +315,12 @@ function theme_system_modules_uninstall($variables) { else { $disabled_message = ''; } + $name = drupal_render($form['modules'][$module]['name']); + $safe = $name instanceof SafeMarkup; + $label = ''; $rows[] = array( array('data' => drupal_render($form['uninstall'][$module]), 'align' => 'center'), - '', + $safe ? new SafeMarkup($label) : $label, array('data' => drupal_render($form['modules'][$module]['description']) . $disabled_message, 'class' => array('description')), ); } @@ -326,11 +331,11 @@ function theme_system_modules_uninstall($variables) { '#rows' => $rows, '#empty' => t('No modules are available to uninstall.'), ); - $output = drupal_render($form['filters']); - $output .= drupal_render($table); - $output .= drupal_render_children($form); + $filters = drupal_render($form['filters']); + $table = drupal_render($table); + $form = drupal_render_children($form); - return $output; + return String::concat($filters, $table, $form); } /** diff --git a/core/modules/system/system.install b/core/modules/system/system.install index a14cd7b..b8b4d6d 100644 --- a/core/modules/system/system.install +++ b/core/modules/system/system.install @@ -10,6 +10,7 @@ use Drupal\Core\Language\Language; use Drupal\Core\Site\Settings; use Drupal\Core\StreamWrapper\PublicStream; +use Drupal\Core\Template\SafeMarkup; /** * Implements hook_requirements(). @@ -56,7 +57,8 @@ function system_requirements($phase) { if (function_exists('phpinfo')) { $requirements['php'] = array( 'title' => t('PHP'), - 'value' => ($phase == 'runtime') ? $phpversion .' ('. l(t('more information'), 'admin/reports/status/php') .')' : $phpversion, + // $phpversion is safe and output of l() is safe, so this value is safe. + 'value' => new SafeMarkup(($phase == 'runtime') ? $phpversion . ' (' . l(t('more information'), 'admin/reports/status/php') . ')' : $phpversion), ); } else { @@ -318,7 +320,8 @@ function system_requirements($phase) { 'title' => t('Cron maintenance tasks'), 'severity' => $severity, 'value' => $summary, - 'description' => $description + // @todo Needs to preserve safe markup. + 'description' => new SafeMarkup($description), ); } if ($phase != 'install') { diff --git a/core/modules/system/templates/block--system-branding-block.html.twig b/core/modules/system/templates/block--system-branding-block.html.twig index 2a12c7a..4cf0f1a 100644 --- a/core/modules/system/templates/block--system-branding-block.html.twig +++ b/core/modules/system/templates/block--system-branding-block.html.twig @@ -23,7 +23,7 @@ {% endif %} {% if site_name %}
- {{ site_name|e }} + {{ site_name }}
{% endif %} {% if site_slogan %} diff --git a/core/modules/system/templates/datetime.html.twig b/core/modules/system/templates/datetime.html.twig index 25ef788..183b834 100644 --- a/core/modules/system/templates/datetime.html.twig +++ b/core/modules/system/templates/datetime.html.twig @@ -25,5 +25,4 @@ * @see http://www.w3.org/TR/html5-author/the-time-element.html#attr-time-datetime */ #} -{# @todo Revisit once http://drupal.org/node/1825952 is resolved. #} -{{ html ? text|raw : text|escape }} +{{ html ? text|raw : text }} diff --git a/core/modules/user/user.module b/core/modules/user/user.module index 3fe1f1c..b6a2d4b 100644 --- a/core/modules/user/user.module +++ b/core/modules/user/user.module @@ -1,6 +1,7 @@ last_render = $this->renderText($alter); } } + // @TODO: this is very dicey! + if ($this->last_render && is_string($this->last_render)) { + $this->last_render = new SafeMarkup($this->last_render); + } return $this->last_render; } diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/filter/FilterPluginBase.php b/core/modules/views/lib/Drupal/views/Plugin/views/filter/FilterPluginBase.php index 902b543..42b8d0b 100644 --- a/core/modules/views/lib/Drupal/views/Plugin/views/filter/FilterPluginBase.php +++ b/core/modules/views/lib/Drupal/views/Plugin/views/filter/FilterPluginBase.php @@ -1159,8 +1159,7 @@ protected function prepareFilterSelectOptions(&$options) { $this->prepareFilterSelectOptions($options[$value]); } // FAPI has some special value to allow hierarchy. - // @see _form_options_flatten - elseif (is_object($label)) { + elseif (is_object($label) && isset($options[$value]->option)) { $this->prepareFilterSelectOptions($options[$value]->option); } else { diff --git a/core/modules/views/views.module b/core/modules/views/views.module index 216bc93..fffa64b 100644 --- a/core/modules/views/views.module +++ b/core/modules/views/views.module @@ -903,7 +903,7 @@ function views_pre_render_views_form_views_form($element) { } // Apply substitutions to the rendered output. - $element['output']['#markup'] = str_replace($search, $replace, $element['output']['#markup']); + $element['output']['#markup'] = String::strReplace($search, $replace, $element['output']['#markup']); // Sort, render and add remaining form fields. $children = Element::children($element, TRUE); diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc index ae967bd..3678423 100644 --- a/core/modules/views/views.theme.inc +++ b/core/modules/views/views.theme.inc @@ -9,6 +9,7 @@ use Drupal\Component\Utility\Xss; use Drupal\Core\Language\Language; use Drupal\Core\Template\Attribute; +use Drupal\Core\Template\SafeMarkup; use Drupal\views\Form\ViewsForm; use Drupal\views\ViewExecutable; @@ -525,6 +526,7 @@ function template_preprocess_views_view_table(&$variables) { // Render the header labels. if ($field == $column && empty($fields[$field]->options['exclude'])) { + $safe = TRUE; $label = String::checkPlain(!empty($fields[$field]) ? $fields[$field]->label() : ''); if (empty($options['info'][$field]['sortable']) || !$fields[$field]->clickSortable()) { $variables['header'][$field]['content'] = $label; @@ -542,7 +544,10 @@ function template_preprocess_views_view_table(&$variables) { '#theme' => 'tablesort_indicator', '#style' => $initial, ); - $label .= drupal_render($tablesort_indicator); + $markup = drupal_render($tablesort_indicator); + // $label is safe. + $safe = $markup instanceof SafeMarkup; + $label .= $markup; } $query['order'] = $field; @@ -552,7 +557,7 @@ function template_preprocess_views_view_table(&$variables) { 'attributes' => array('title' => $title), 'query' => $query, ); - $variables['header'][$field]['content'] = l($label, current_path(), $link_options); + $variables['header'][$field]['content'] = l($safe ? new SafeMarkup($label) : $label, current_path(), $link_options); } // Set up the header label class. diff --git a/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php index a09b063..d4673be 100644 --- a/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php +++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php @@ -92,7 +92,7 @@ public function reportFields() { foreach ($views as $view) { $rows[$field_name]['data'][1][] = $this->l($view, 'views_ui.edit', array('view' => $view)); } - $rows[$field_name]['data'][1] = implode(', ', $rows[$field_name]['data'][1]); + $rows[$field_name]['data'][1] = String::implode(', ', $rows[$field_name]['data'][1]); } // Sort rows by field name. @@ -120,7 +120,7 @@ public function reportPlugins() { foreach ($row['views'] as $row_name => $view) { $row['views'][$row_name] = $this->l($view, 'views_ui.edit', array('view' => $view)); } - $row['views'] = implode(', ', $row['views']); + $row['views'] = String::implode(', ', $row['views']); } // Sort rows by field name. diff --git a/core/modules/views_ui/views_ui.theme.inc b/core/modules/views_ui/views_ui.theme.inc index 430f14a..dea00af 100644 --- a/core/modules/views_ui/views_ui.theme.inc +++ b/core/modules/views_ui/views_ui.theme.inc @@ -6,7 +6,6 @@ */ use Drupal\Core\Render\Element; -use Drupal\Core\Template\Attribute; /** * Prepares variables for Views UI display tab setting templates. diff --git a/core/themes/bartik/templates/block--system-branding-block.html.twig b/core/themes/bartik/templates/block--system-branding-block.html.twig index 5917f58..f6147a6 100644 --- a/core/themes/bartik/templates/block--system-branding-block.html.twig +++ b/core/themes/bartik/templates/block--system-branding-block.html.twig @@ -23,7 +23,7 @@
{% if site_name %} - {{ site_name|e }} + {{ site_name }} {% endif %} {% if site_slogan %} diff --git a/core/themes/engines/twig/twig.engine b/core/themes/engines/twig/twig.engine index 1595bf8..47376dc 100644 --- a/core/themes/engines/twig/twig.engine +++ b/core/themes/engines/twig/twig.engine @@ -6,6 +6,7 @@ */ use Drupal\Core\Extension\Extension; +use Drupal\Core\Template\SafeMarkup; /** * Implements hook_theme(). @@ -93,7 +94,7 @@ function twig_render_template($template_file, $variables) { $output['debug_info'] .= "\n\n"; $output['debug_suffix'] .= "\n\n\n"; } - return implode('', $output); + return new SafeMarkup(implode('', $output)); } /** diff --git a/core/vendor/twig/twig/lib/Twig/Extension/Core.php b/core/vendor/twig/twig/lib/Twig/Extension/Core.php index 4e80c67..cdb5874 100644 --- a/core/vendor/twig/twig/lib/Twig/Extension/Core.php +++ b/core/vendor/twig/twig/lib/Twig/Extension/Core.php @@ -922,7 +922,11 @@ function twig_escape_filter(Twig_Environment $env, $string, $strategy = 'html', if (!is_string($string)) { if (is_object($string) && method_exists($string, '__toString')) { - $string = (string) $string; + // @todo Move to twig engine. + $string = $string->__toString(); + if ($autoescape && $string instanceof Twig_Markup) { + return $string; + } } else { return $string; }