diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index ed02b45..5526246 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -47,6 +47,9 @@ public function getInfo() {
 /**
 * Pre-render callback: Renders a generic HTML tag with attributes into #markup.
 *
+ * Note: It is the caller's responsibility to sanitize #value_prefix and
+ * #value_suffix. They are not filtered by this function.
+ *
 * @param array $element
 * An associative array containing:
 * - #tag: The tag name to output. Typical tags added to the HTML HEAD:
@@ -87,7 +90,7 @@ public static function preRenderHtmlTag($element) {
 if (isset($element['#value_prefix'])) {
 $markup .= $element['#value_prefix'];
 }
- $markup .= static::xssFilterAdminIfUnsafe($element['#value']);
+ $markup .= SafeMarkup::isSafe($element['#value']) ? $element['#value'] : Xss::filterAdmin($element['#value']);
 if (isset($element['#value_suffix'])) {
 $markup .= $element['#value_suffix'];
 }
@@ -96,7 +99,7 @@ public static function preRenderHtmlTag($element) {
 if (!empty($element['#noscript'])) {
 $markup = "";
 }
- $element['#markup'] = SafeMarkup::set($markup);
+ $element['#markup'] = SafeString::create($markup);
 return $element;
 }
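Review bot: The added docblock note describes #value_prefix and #value_suffix but leaves the treatment of #value itself undocumented, and the only place that used to state it — the docblock of xssFilterAdminIfUnsafe ("only filters if $string is not marked safe already") — is deleted in the last hunk of this patch. Since preRenderHtmlTag is now the sole statement of the trust contract, extend the note with something like ` * #value is passed through Xss::filterAdmin() unless it is already marked safe, in which case it is output unchanged.` The @param list for $element continues below the hunk and may describe #value there; if so, the same sentence belongs on that item instead.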
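Review bot: Inlining the helper into a ternary repeats `$element['#value']` three times on one long line and drops the name that made the intent ("filter only if not already safe") visible; a local variable with a one-line why-comment keeps the security decision readable at the point it is made. Suggested replacement for the added line: `$value = $element['#value'];` / `// Strings already marked safe are trusted as-is; everything else gets the permissive admin filter.` / `$markup .= SafeMarkup::isSafe($value) ? $value : Xss::filterAdmin($value);`. Note that, unlike #value_prefix and #value_suffix just above, #value is read without an isset() guard; this was also true of the removed line, so it is pre-existing, but worth confirming that getInfo() (outside the hunk) always supplies a default. preRenderHtmlTag's body starts before this hunk.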
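Review bot: `SafeString::create($markup)` marks the whole concatenation as safe, including #value_prefix and #value_suffix, which the hunk above appended without any filtering; the new docblock note states that contract, but the line where the trust is actually asserted carries no hint of it. Add a why-comment directly above it, e.g. `// #value_prefix and #value_suffix were appended unfiltered above; marking the result safe relies on the caller having sanitized them.` so a future edit does not widen what is marked safe without noticing. Separately, the context line `$markup = "";` in the #noscript branch reads as though the wrapping tag was lost in extraction; if the file really assigns an empty string there, #noscript silently discards the output, which would be a defect unrelated to this commit but worth checking against the actual file.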
@@ -181,25 +184,4 @@ public static function preRenderConditionalComments($element) {
 return $element;
 }
-
- /**
- * Applies a very permissive XSS/HTML filter for admin-only use.
- *
- * Note: This method only filters if $string is not marked safe already. This
- * ensures that HTML intended for display is not filtered.
- *
- * @param string|\Drupal\Core\Render\SafeString $string
- * A string.
- *
- * @return \Drupal\Core\Render\SafeString
- * The escaped string wrapped in a SafeString object. If
- * SafeMarkup::isSafe($string) returns TRUE, it won't be escaped again.
- */
- protected static function xssFilterAdminIfUnsafe($string) {
- if (!SafeMarkup::isSafe($string)) {
- $string = Xss::filterAdmin($string);
- }
- return SafeString::create($string);
- }
-
 }