diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index f0c78bb..44bf835 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -174,8 +174,14 @@ public static function preRenderConditionalComments($element) {
// Ensure what we are dealing with is safe.
// This would be done later anyway in drupal_render().
- $prefix = isset($elements['#prefix']) ? Xss::filterAdmin($elements['#prefix']) : '';
- $suffix = isset($elements['#suffix']) ? Xss::filterAdmin($elements['#suffix']) : '';
+ $prefix = isset($element['#prefix']) ? $element['#prefix'] : '';
+ if ($prefix && !SafeMarkup::isSafe($prefix)) {
+ $prefix = Xss::filterAdmin($prefix);
+ }
+ $suffix = isset($element['#suffix']) ? $element['#suffix'] : '';
+ if ($suffix && !SafeMarkup::isSafe($suffix)) {
+ $suffix = Xss::filterAdmin($suffix);
+ }
// Now calling SafeMarkup::set is safe, because we ensured the
// data coming in was at least admin escaped.
diff --git a/core/tests/Drupal/Tests/Core/Render/Element/HtmlTagTest.php b/core/tests/Drupal/Tests/Core/Render/Element/HtmlTagTest.php
index 53abbbe..2135344 100644
--- a/core/tests/Drupal/Tests/Core/Render/Element/HtmlTagTest.php
+++ b/core/tests/Drupal/Tests/Core/Render/Element/HtmlTagTest.php
@@ -7,6 +7,7 @@
namespace Drupal\Tests\Core\Render\Element;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Tests\UnitTestCase;
use Drupal\Core\Render\Element\HtmlTag;
@@ -84,7 +85,11 @@ public function providerPreRenderHtmlTag() {
* @covers ::preRenderConditionalComments
* @dataProvider providerPreRenderConditionalComments
*/
- public function testPreRenderConditionalComments($element, $expected) {
+ public function testPreRenderConditionalComments($element, $expected, $set_safe = FALSE) {
+ if ($set_safe) {
+ SafeMarkup::set($element['#prefix']);
+ SafeMarkup::set($element['#suffix']);
+ }
$this->assertSame($expected, HtmlTag::preRenderConditionalComments($element));
}
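Review bot: `SafeMarkup::set()` in the `$set_safe` branch changes state that outlives this test method, and nothing visible here resets it. The provider hunk below admits the consequence with `This has to come after the previous test case`, so the outcome depends on data-set order and on which strings earlier tests in the same process marked safe. Giving the safe data set its own fixture strings, distinct from the unsafe case, would remove the ordering dependency and let a single data set run in isolation. The branch also reads `$element['#prefix']` and `$element['#suffix']` unconditionally, so the docblock should gain a line such as `@param bool $set_safe Mark #prefix and #suffix as safe first; both keys must be set.`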
@@ -142,6 +147,26 @@ public function providerPreRenderConditionalComments() {
$expected['#suffix'] = "\n";
$tags[] = array($element, $expected);
+ // Prefix and suffix filtering if not safe.
+ $element = array(
+ '#tag' => 'link',
+ '#browsers' => array(
+ 'IE' => FALSE,
+ ),
+ '#prefix' => '',
+ '#suffix' => '',
+ );
+ $expected = $element;
+ $expected['#prefix'] = "\n\nprefix";
+ $expected['#suffix'] = "suffix\n";
+ $tags[] = array($element, $expected);
+
+ // Prefix and suffix filtering if marked as safe. This has to come after the
+ // previous test case.
+ $expected['#prefix'] = "\n\n";
+ $expected['#suffix'] = "\n";
+ $tags[] = array($element, $expected, TRUE);
+
return $tags;
}
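Review bot: Both new data sets treat `#prefix` and `#suffix` alike, either both unmarked or both marked safe, so nothing verifies that preRenderConditionalComments checks the two values independently. A further data set in which only one of them is marked safe would catch a regression where one `isSafe()` result ends up governing both. That would need the test method to accept which key to mark rather than a single boolean. As displayed here the fixture inputs are empty strings while the expected output contains `prefix` and `suffix`, so the markup appears to have been lost in this view. In the file itself, confirm the unsafe case contains a tag that `Xss::filterAdmin()` actually removes.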