diff --git a/core/lib/Drupal/Core/Template/Attribute.php b/core/lib/Drupal/Core/Template/Attribute.php
index 3ea18b1..ad4e1b1 100644
--- a/core/lib/Drupal/Core/Template/Attribute.php
+++ b/core/lib/Drupal/Core/Template/Attribute.php
@@ -40,7 +40,7 @@
 * @endcode
 *
 * The attribute keys and values are automatically sanitized for output with
- * \Drupal\Component\Utility\SafeMarkup::checkPlain().
+ * htmlspecialchars() and the entire attribute string is marked safe for output.
 */
 class Attribute implements \ArrayAccess, \IteratorAggregate {
 
@@ -252,12 +252,16 @@ public function hasClass($class) {
 */
 public function __toString() {
 $return = '';
+    /** @var \Drupal\Core\Template\AttributeValueBase $value */
 foreach ($this->storage as $name => $value) {
 $rendered = $value->render();
 if ($rendered) {
 $return .= ' ' . $rendered;
 }
 }
+    // The implementations of AttributeValueBase::render() call
+ // htmlspecialchars() on the attribute name and value so we are confident
+ // that the return value can be set as safe.
 return SafeMarkup::set($return);
 }
 
diff --git a/core/lib/Drupal/Core/Template/AttributeArray.php b/core/lib/Drupal/Core/Template/AttributeArray.php
index 4cdd932..9cd3915 100644
--- a/core/lib/Drupal/Core/Template/AttributeArray.php
+++ b/core/lib/Drupal/Core/Template/AttributeArray.php
@@ -76,7 +76,7 @@ public function offsetExists($offset) {
 public function __toString() {
 // Filter out any empty values before printing.
 $this->value = array_unique(array_filter($this->value));
-    return SafeMarkup::checkPlain(implode(' ', $this->value));
+    return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
 }
 
 /**
diff --git a/core/lib/Drupal/Core/Template/AttributeBoolean.php b/core/lib/Drupal/Core/Template/AttributeBoolean.php
index a2e5c02..7ff67ae 100644
--- a/core/lib/Drupal/Core/Template/AttributeBoolean.php
+++ b/core/lib/Drupal/Core/Template/AttributeBoolean.php
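Review bot: The reworded class docblock says keys are "sanitized" with htmlspecialchars(), but as far as the hunks in this diff show the name is only escaped, never validated: htmlspecialchars() rewrites `&`, `<`, `>` and the quote characters and leaves whitespace, `=` and `/` alone, so it neutralizes markup characters inside a name without guaranteeing that an arbitrary string is a single, well-formed attribute name. Since Attribute::__toString() then marks the whole string safe, the docblock should state the expectation that callers supply attribute names from code rather than from untrusted input, e.g. ` * Attribute names are HTML-escaped but not validated, so they are expected to` / ` * originate from code rather than from user input.`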
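Review bot: The new comment above `return SafeMarkup::set($return);` credits AttributeValueBase::render() with escaping both the name and the value, but in the AttributeValueBase hunk of this diff render() escapes only `$this->name` and takes the value from `(string) $this`; the value escaping is done by each subclass's __toString() (AttributeArray, AttributeBoolean and AttributeString here). Because SafeMarkup::set() marks the concatenated string safe on the strength of that contract, the comment should name it precisely so a future subclass is held to it: `// AttributeValueBase::render() escapes the attribute name and every` / `// AttributeValueBase subclass escapes its value in __toString(), so the` / `// concatenated attribute string can be marked safe.` Whether any other subclass exists outside this diff cannot be seen from here.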
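Review bot: The replacement line in AttributeArray::__toString() spells out `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` by hand, and the same three-argument call is repeated in the AttributeBoolean, AttributeString and AttributeValueBase hunks of this diff, so the escaping contract that SafeMarkup::set() relies on now lives in four places instead of one. A single helper on the base class, e.g. `protected static function escape($text) {` / `  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');` / `}`, called from each subclass would keep it in one spot, and a later decision about flags (for example whether to add ENT_SUBSTITUTE, since htmlspecialchars() returns an empty string for malformed UTF-8 without it) would then be a one-line change. The surrounding class bodies continue outside the hunks.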
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
 * A class that defines a type of boolean HTML attribute.
 *
@@ -42,7 +40,7 @@ public function render() {
 * Implements the magic __toString() method.
 */
 public function __toString() {
-    return $this->value === FALSE ? '' : SafeMarkup::checkPlain($this->name);
+    return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
 }
 
 }
diff --git a/core/lib/Drupal/Core/Template/AttributeString.php b/core/lib/Drupal/Core/Template/AttributeString.php
index 51b1448..2dff59b 100644
--- a/core/lib/Drupal/Core/Template/AttributeString.php
+++ b/core/lib/Drupal/Core/Template/AttributeString.php
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
 * A class that represents most standard HTML attributes.
 *
@@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase {
 * Implements the magic __toString() method.
 */
 public function __toString() {
-    return SafeMarkup::checkPlain($this->value);
+    return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
 }
 
 }
diff --git a/core/lib/Drupal/Core/Template/AttributeValueBase.php b/core/lib/Drupal/Core/Template/AttributeValueBase.php
index 4db6dd8..c037004 100644
--- a/core/lib/Drupal/Core/Template/AttributeValueBase.php
+++ b/core/lib/Drupal/Core/Template/AttributeValueBase.php
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
 * Defines the base class for an attribute type.
 *
@@ -57,7 +55,7 @@ public function __construct($name, $value) {
 public function render() {
 $value = (string) $this;
 if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
-      return SafeMarkup::checkPlain($this->name) . '="' . $value . '"';
+      return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
 }
 }