diff --git a/core/includes/common.inc b/core/includes/common.inc index 006c58f..558e66e 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -16,7 +16,6 @@ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Number; use Drupal\Component\Utility\SortArray; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Tags; use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Asset\AttachedAssets; @@ -281,10 +280,10 @@ function valid_email_address($mail) { * \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() instead. * * @see \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() - * @see \Drupal\Component\Utility\SafeMarkup::checkPlain() + * @see \Drupal\Component\Utility\Html::escape() */ function check_url($uri) { - return SafeMarkup::checkPlain(UrlHelper::stripDangerousProtocols($uri)); + return Html::escape(UrlHelper::stripDangerousProtocols($uri)); } /** @@ -488,7 +487,7 @@ function _drupal_add_html_head_link($attributes, $header = FALSE) { if ($header) { // Also add a HTTP header "Link:". - $href = '<' . SafeMarkup::checkPlain($attributes['href']) . '>;'; + $href = '<' . Html::escape($attributes['href']) . '>;'; unset($attributes['href']); $element['#attached']['http_header'][] = array('Link', $href . drupal_http_header_attributes($attributes), TRUE); } @@ -1378,7 +1377,7 @@ function _drupal_flush_css_js() { */ function debug($data, $label = NULL, $print_r = TRUE) { // Print $data contents to string. - $string = SafeMarkup::checkPlain($print_r ? print_r($data, TRUE) : var_export($data, TRUE)); + $string = Html::escape($print_r ? print_r($data, TRUE) : var_export($data, TRUE)); // Display values with pre-formatting to increase readability. $string = '
' . $string . '
'; diff --git a/core/includes/file.inc b/core/includes/file.inc index 0740c82..142bd20 100644 --- a/core/includes/file.inc +++ b/core/includes/file.inc @@ -5,11 +5,11 @@ * API for handling file uploads and server file management. */ +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\UrlHelper; use Drupal\Component\PhpStorage\FileStorage; use Drupal\Component\Utility\Bytes; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\File\FileSystem; use Drupal\Core\StreamWrapper\PublicStream; use Drupal\Core\StreamWrapper\StreamWrapperInterface; @@ -371,7 +371,7 @@ function file_save_htaccess($directory, $private = TRUE, $force_overwrite = FALS return drupal_chmod($htaccess_path, 0444); } else { - $variables = array('%directory' => $directory, '!htaccess' => '
' . nl2br(SafeMarkup::checkPlain($htaccess_lines))); + $variables = array('%directory' => $directory, '!htaccess' => '
' . nl2br(Html::escape($htaccess_lines))); \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: !htaccess", $variables); return FALSE; } diff --git a/core/includes/form.inc b/core/includes/form.inc index efbac99..4b15cf0 100644 --- a/core/includes/form.inc +++ b/core/includes/form.inc @@ -566,12 +566,13 @@ function template_preprocess_form_element_label(&$variables) { * @endcode * * Note: if the batch 'title', 'init_message', 'progress_message', or - * 'error_message' could contain any user input, it is the responsibility of - * the code calling batch_set() to sanitize them first with a function like - * \Drupal\Component\Utility\SafeMarkup::checkPlain() or - * \Drupal\Component\Utility\Xss::filter(). Furthermore, if the batch operation - * returns any user input in the 'results' or 'message' keys of $context, it - * must also sanitize them first. + * 'error_message' could contain any HTML that you want to display then, it is + * the responsibility of the code calling batch_set() to mark them safe using a + * function like \Drupal\Component\Utility\SafeMarkup::format() or + * \Drupal\Core\StringTranslation\TranslationManager::translate. If they are not + * marked safe then Twig will auto-escape them. Furthermore, if the batch + * operation returns any HTML in the 'results' or 'message' keys of $context, + * it must also consider sanitization. * * Sample callback_batch_operation(): * @code @@ -595,8 +596,9 @@ function template_preprocess_form_element_label(&$variables) { * * $nodes = entity_load_multiple_by_properties('node', array('uid' => $uid, 'type' => $type)); * $node = reset($nodes); - * $context['results'][] = $node->id() . ' : ' . SafeMarkup::checkPlain($node->label()); - * $context['message'] = SafeMarkup::checkPlain($node->label()); + * // Twig will auto-escape these variables. + * $context['results'][] = $node->id() . ' : ' .$node->label(); + * $context['message'] = $node->label(); * } * * // A more advanced example is a multi-step operation that loads all rows, @@ -615,10 +617,10 @@ function template_preprocess_form_element_label(&$variables) { * ->range(0, $limit) * ->execute(); * foreach ($result as $row) { - * $context['results'][] = $row->id . ' : ' . SafeMarkup::checkPlain($row->title); + * $context['results'][] = $row->id . ' : ' . $row->title; * $context['sandbox']['progress']++; * $context['sandbox']['current_id'] = $row->id; - * $context['message'] = SafeMarkup::checkPlain($row->title); + * $context['message'] = $row->title; * } * if ($context['sandbox']['progress'] != $context['sandbox']['max']) { * $context['finished'] = $context['sandbox']['progress'] / $context['sandbox']['max']; diff --git a/core/includes/schema.inc b/core/includes/schema.inc index b74c270..bba4eab 100644 --- a/core/includes/schema.inc +++ b/core/includes/schema.inc @@ -130,12 +130,6 @@ function drupal_install_schema($module) { * * @param string $module * The module for which the tables will be removed. - * - * @return array - * An array of arrays with the following key/value pairs: - * - success: a boolean indicating whether the query succeeded. - * - query: the SQL query(s) executed, passed through - * \Drupal\Component\Utility\SafeMarkup::checkPlain(). */ function drupal_uninstall_schema($module) { $schema = drupal_get_module_schema($module); diff --git a/core/includes/update.inc b/core/includes/update.inc index 8e9a24c..04ac350 100644 --- a/core/includes/update.inc +++ b/core/includes/update.inc @@ -9,7 +9,6 @@ */ use Drupal\Component\Graph\Graph; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityStorageException; use Drupal\Core\Utility\Error; @@ -215,7 +214,7 @@ function update_do_one($module, $number, $dependency_map, &$context) { drupal_set_installed_schema_version($module, $number); } - $context['message'] = 'Updating ' . SafeMarkup::checkPlain($module) . ' module'; + $context['message'] = 'Updating ' . $module . ' module'; } /** diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php index ee25f86..62ffd46 100644 --- a/core/lib/Drupal/Component/Utility/SafeMarkup.php +++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php @@ -15,9 +15,9 @@ * provides a store for known safe strings and methods to manage them * throughout the page request. * - * Strings sanitized by self::checkPlain() and self::escape() are automatically - * marked safe, as are markup strings created from @link theme_render render - * arrays @endlink via drupal_render(). + * Strings sanitized by self::escape() are automatically marked safe. The output + * of the render system is automatically filtered or escaped as necessary and + * then marked as safe. * * This class should be limited to internal use only. Module developers should * instead use the appropriate @@ -135,7 +135,11 @@ public static function setMultiple(array $safe_strings) { * self::set(), it won't be escaped again. */ public static function escape($string) { - return static::isSafe($string) ? $string : static::checkPlain($string); + if (!static::isSafe($string)) { + $string = Html::escape($string); + static::$safeStrings[$string]['html'] = TRUE; + } + return $string; } /** @@ -152,29 +156,6 @@ public static function getAll() { } /** - * Encodes special characters in a plain-text string for display as HTML. - * - * Also validates strings as UTF-8. All processed strings are also - * automatically flagged as safe markup strings for rendering. - * - * @param string $text - * The text to be checked or processed. - * - * @return string - * An HTML safe version of $text, or an empty string if $text is not valid - * UTF-8. - * - * @ingroup sanitization - * - * @see drupal_validate_utf8() - */ - public static function checkPlain($text) { - $string = Html::escape($text); - static::$safeStrings[$string]['html'] = TRUE; - return $string; - } - - /** * Formats a string for HTML display by replacing variable placeholders. * * This function replaces variable placeholders in a string with the requested @@ -206,8 +187,8 @@ public static function checkPlain($text) { * use this when the resulting string is being generated for one of: * - Non-HTML usage, such as a plain-text email. * - Non-direct HTML output, such as a plain-text variable that will be - * printed as an HTML attribute value and therefore formatted with - * self::checkPlain() as part of that. + * printed as an HTML attribute value and therefore escaped as part of + * that. * - Some other special reason for suppressing sanitization. * * @return string diff --git a/core/lib/Drupal/Component/Utility/UrlHelper.php b/core/lib/Drupal/Component/Utility/UrlHelper.php index 608a5da..df20c23 100644 --- a/core/lib/Drupal/Component/Utility/UrlHelper.php +++ b/core/lib/Drupal/Component/Utility/UrlHelper.php @@ -303,7 +303,7 @@ public static function setAllowedProtocols(array $protocols = array()) { * check_url() or Drupal\Component\Utility\Xss::filter(), but those functions * return an HTML-encoded string, so this function can be called independently * when the output needs to be a plain-text string for passing to functions - * that will call \Drupal\Component\Utility\SafeMarkup::checkPlain() separately. + * that will call \Drupal\Component\Utility\Html::escape() separately. * * @param string $uri * A plain-text URI that might contain dangerous protocols. diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php index 6fdeb68..a547e41 100644 --- a/core/lib/Drupal/Component/Utility/Xss.php +++ b/core/lib/Drupal/Component/Utility/Xss.php @@ -107,10 +107,9 @@ public static function filter($string, array $html_tags = NULL) { /** * Applies a very permissive XSS/HTML filter for admin-only use. * - * Use only for fields where it is impractical to use the - * whole filter system, but where some (mainly inline) mark-up - * is desired (so \Drupal\Component\Utility\SafeMarkup::checkPlain() is - * not acceptable). + * Use only for fields where it is impractical to use the whole filter system, + * but where some (mainly inline) mark-up is desired (so + * \Drupal\Component\Utility\Html::escape() is not acceptable). * * Allows all tags that can be used inside an HTML body, save * for scripts and styles. diff --git a/core/lib/Drupal/Core/Asset/CssCollectionRenderer.php b/core/lib/Drupal/Core/Asset/CssCollectionRenderer.php index 6ef6be3..63a2452 100644 --- a/core/lib/Drupal/Core/Asset/CssCollectionRenderer.php +++ b/core/lib/Drupal/Core/Asset/CssCollectionRenderer.php @@ -7,7 +7,7 @@ namespace Drupal\Core\Asset; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\State\StateInterface; /** @@ -168,7 +168,7 @@ public function render(array $css_assets) { // control browser-caching. IE7 does not support a media type on // the @import statement, so we instead specify the media for // the group on the STYLE tag. - $import[] = '@import url("' . SafeMarkup::checkPlain(file_create_url($next_css_asset['data']) . '?' . $query_string) . '");'; + $import[] = '@import url("' . Html::escape(file_create_url($next_css_asset['data']) . '?' . $query_string) . '");'; // Move the outer for loop skip the next item, since we // processed it here. $i = $j; diff --git a/core/lib/Drupal/Core/Block/BlockBase.php b/core/lib/Drupal/Core/Block/BlockBase.php index ef127e9..d196999 100644 --- a/core/lib/Drupal/Core/Block/BlockBase.php +++ b/core/lib/Drupal/Core/Block/BlockBase.php @@ -8,7 +8,6 @@ namespace Drupal\Core\Block; use Drupal\block\BlockInterface; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Access\AccessResult; use Drupal\Core\Cache\CacheableDependencyInterface; use Drupal\Core\Form\FormStateInterface; @@ -17,6 +16,7 @@ use Drupal\Component\Utility\NestedArray; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Cache\Cache; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Session\AccountInterface; use Drupal\Component\Transliteration\TransliterationInterface; @@ -166,7 +166,8 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta $form['admin_label'] = array( '#type' => 'item', '#title' => $this->t('Block description'), - '#markup' => SafeMarkup::checkPlain($definition['admin_label']), + '#markup' => $definition['admin_label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ); $form['label'] = array( '#type' => 'textfield', diff --git a/core/lib/Drupal/Core/Controller/TitleResolverInterface.php b/core/lib/Drupal/Core/Controller/TitleResolverInterface.php index bedfd17..fa72e11 100644 --- a/core/lib/Drupal/Core/Controller/TitleResolverInterface.php +++ b/core/lib/Drupal/Core/Controller/TitleResolverInterface.php @@ -17,18 +17,20 @@ /** * Returns a static or dynamic title for the route. * - * The returned title string must be safe to output in HTML. For example, an - * implementation should call \Drupal\Component\Utility\SafeMarkup::checkPlain() - * or \Drupal\Component\Utility\Xss::filterAdmin() on the string, or use - * appropriate placeholders to sanitize dynamic content inside a localized - * string before returning it. The title may contain HTML such as EM tags. + * If the returned title can contain HTML that should not be escaped it should + * return a render array, for example: + * @code + * ['#markup' => 'title', '#allowed_tags' => ['em']] + * @endcode + * If the method returns a string and it is not marked safe then it will be + * auto-escaped. * * @param \Symfony\Component\HttpFoundation\Request $request * The request object passed to the title callback. * @param \Symfony\Component\Routing\Route $route * The route information of the route to fetch the title. * - * @return string|null + * @return array|string|null * The title for the route. */ public function getTitle(Request $request, Route $route); diff --git a/core/lib/Drupal/Core/Diff/DiffFormatter.php b/core/lib/Drupal/Core/Diff/DiffFormatter.php index cfd6bb8..cd46fab 100644 --- a/core/lib/Drupal/Core/Diff/DiffFormatter.php +++ b/core/lib/Drupal/Core/Diff/DiffFormatter.php @@ -9,7 +9,7 @@ use Drupal\Component\Diff\DiffFormatter as DiffFormatterBase; use Drupal\Component\Diff\WordLevelDiff; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Config\ConfigFactoryInterface; /** @@ -172,7 +172,7 @@ protected function emptyLine() { */ protected function _added($lines) { foreach ($lines as $line) { - $this->rows[] = array_merge($this->emptyLine(), $this->addedLine(SafeMarkup::checkPlain($line))); + $this->rows[] = array_merge($this->emptyLine(), $this->addedLine(Html::escape($line))); } } @@ -181,7 +181,7 @@ protected function _added($lines) { */ protected function _deleted($lines) { foreach ($lines as $line) { - $this->rows[] = array_merge($this->deletedLine(SafeMarkup::checkPlain($line)), $this->emptyLine()); + $this->rows[] = array_merge($this->deletedLine(Html::escape($line)), $this->emptyLine()); } } @@ -190,7 +190,7 @@ protected function _deleted($lines) { */ protected function _context($lines) { foreach ($lines as $line) { - $this->rows[] = array_merge($this->contextLine(SafeMarkup::checkPlain($line)), $this->contextLine(SafeMarkup::checkPlain($line))); + $this->rows[] = array_merge($this->contextLine(Html::escape($line)), $this->contextLine(Html::escape($line))); } } diff --git a/core/lib/Drupal/Core/Entity/EntityListBuilder.php b/core/lib/Drupal/Core/Entity/EntityListBuilder.php index 6fbdeda..b4e54b1 100644 --- a/core/lib/Drupal/Core/Entity/EntityListBuilder.php +++ b/core/lib/Drupal/Core/Entity/EntityListBuilder.php @@ -9,7 +9,6 @@ use Drupal\Core\Extension\ModuleHandlerInterface; use Symfony\Component\DependencyInjection\ContainerInterface; -use Drupal\Component\Utility\SafeMarkup; /** * Defines a generic implementation to build a listing of entities. @@ -112,10 +111,10 @@ protected function getEntityIds() { * The entity being listed. * * @return string - * The escaped entity label. + * The entity label. */ protected function getLabel(EntityInterface $entity) { - return SafeMarkup::checkPlain($entity->label()); + return $entity->label(); } /** diff --git a/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/SelectionBase.php b/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/SelectionBase.php index cb8c7d6..f05844a 100644 --- a/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/SelectionBase.php +++ b/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/SelectionBase.php @@ -7,7 +7,6 @@ namespace Drupal\Core\Entity\Plugin\EntityReferenceSelection; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Database\Query\AlterableInterface; use Drupal\Core\Database\Query\SelectInterface; use Drupal\Core\Entity\EntityManagerInterface; @@ -235,7 +234,7 @@ public function getReferenceableEntities($match = NULL, $match_operator = 'CONTA $entities = entity_load_multiple($target_type, $result); foreach ($entities as $entity_id => $entity) { $bundle = $entity->bundle(); - $options[$bundle][$entity_id] = SafeMarkup::checkPlain($entity->label()); + $options[$bundle][$entity_id] = $entity->label(); } return $options; diff --git a/core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php index 6a2bd6c..a6f5e84 100644 --- a/core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php +++ b/core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php @@ -7,7 +7,6 @@ namespace Drupal\Core\EventSubscriber; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Logger\LoggerChannelFactoryInterface; use Drupal\Core\Utility\Error; use Symfony\Component\EventDispatcher\EventSubscriberInterface; @@ -45,7 +44,7 @@ public function __construct(LoggerChannelFactoryInterface $logger) { */ public function on403(GetResponseForExceptionEvent $event) { $request = $event->getRequest(); - $this->logger->get('access denied')->warning(SafeMarkup::checkPlain($request->getRequestUri())); + $this->logger->get('access denied')->warning('%uri', ['%uri' => $request->getRequestUri()]); } /** @@ -56,7 +55,7 @@ public function on403(GetResponseForExceptionEvent $event) { */ public function on404(GetResponseForExceptionEvent $event) { $request = $event->getRequest(); - $this->logger->get('page not found')->warning(SafeMarkup::checkPlain($request->getRequestUri())); + $this->logger->get('page not found')->warning('%uri', ['%uri' => $request->getRequestUri()]); } /** diff --git a/core/lib/Drupal/Core/EventSubscriber/Fast404ExceptionHtmlSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/Fast404ExceptionHtmlSubscriber.php index 94a13b5..3f095b0 100644 --- a/core/lib/Drupal/Core/EventSubscriber/Fast404ExceptionHtmlSubscriber.php +++ b/core/lib/Drupal/Core/EventSubscriber/Fast404ExceptionHtmlSubscriber.php @@ -8,7 +8,7 @@ namespace Drupal\Core\EventSubscriber; use Drupal\Core\Config\ConfigFactoryInterface; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent; use Symfony\Component\HttpKernel\HttpKernelInterface; @@ -79,7 +79,7 @@ public function on404(GetResponseForExceptionEvent $event) { if ($config->get('fast_404.enabled') && $exclude_paths && !preg_match($exclude_paths, $request->getPathInfo())) { $fast_paths = $config->get('fast_404.paths'); if ($fast_paths && preg_match($fast_paths, $request->getPathInfo())) { - $fast_404_html = strtr($config->get('fast_404.html'), ['@path' => SafeMarkup::checkPlain($request->getUri())]); + $fast_404_html = strtr($config->get('fast_404.html'), ['@path' => Html::escape($request->getUri())]); $response = new Response($fast_404_html, Response::HTTP_NOT_FOUND); $event->setResponse($response); } diff --git a/core/lib/Drupal/Core/Extension/ThemeHandler.php b/core/lib/Drupal/Core/Extension/ThemeHandler.php index 2eb56bc..83465bf 100644 --- a/core/lib/Drupal/Core/Extension/ThemeHandler.php +++ b/core/lib/Drupal/Core/Extension/ThemeHandler.php @@ -7,7 +7,6 @@ namespace Drupal\Core\Extension; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\State\StateInterface; @@ -431,7 +430,7 @@ public function getName($theme) { if (!isset($themes[$theme])) { throw new \InvalidArgumentException("Requested the name of a non-existing theme $theme"); } - return SafeMarkup::checkPlain($themes[$theme]->info['name']); + return $themes[$theme]->info['name']; } /** diff --git a/core/lib/Drupal/Core/Field/AllowedTagsXssTrait.php b/core/lib/Drupal/Core/Field/AllowedTagsXssTrait.php index 6125c5c..850bfce 100644 --- a/core/lib/Drupal/Core/Field/AllowedTagsXssTrait.php +++ b/core/lib/Drupal/Core/Field/AllowedTagsXssTrait.php @@ -23,7 +23,7 @@ * * Used for items entered by administrators, like field descriptions, allowed * values, where some (mainly inline) mark-up may be desired (so - * \Drupal\Component\Utility\SafeMarkup::checkPlain() is not acceptable). + * \Drupal\Component\Utility\Html::escape() is not acceptable). * * @param string $string * The string with raw HTML in it. diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php index c03b96d..9d2b730 100644 --- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php +++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/BasicStringFormatter.php @@ -7,7 +7,7 @@ namespace Drupal\Core\Field\Plugin\Field\FieldFormatter; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Field\FormatterBase; use Drupal\Core\Field\FieldItemListInterface; @@ -37,7 +37,7 @@ public function viewElements(FieldItemListInterface $items) { foreach ($items as $delta => $item) { // The text value has no text format assigned to it, so the user input // should equal the output, including newlines. - $elements[$delta] = array('#markup' => nl2br(SafeMarkup::checkPlain($item->value))); + $elements[$delta] = array('#markup' => nl2br(Html::escape($item->value))); } return $elements; diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceIdFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceIdFormatter.php index 69b5b9f..249b3a0 100644 --- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceIdFormatter.php +++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceIdFormatter.php @@ -8,7 +8,7 @@ namespace Drupal\Core\Field\Plugin\Field\FieldFormatter; use Drupal\Core\Field\FieldItemListInterface; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Core\Render\Element\Markup; /** * Plugin implementation of the 'entity reference ID' formatter. @@ -33,7 +33,8 @@ public function viewElements(FieldItemListInterface $items) { foreach ($this->getEntitiesToView($items) as $delta => $entity) { if ($entity->id()) { $elements[$delta] = array( - '#markup' => SafeMarkup::checkPlain($entity->id()), + '#markup' => $entity->id(), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, // Create a cache tag entry for the referenced entity. In the case // that the referenced entity is deleted, the cache for referring // entities must be cleared. diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceLabelFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceLabelFormatter.php index c362a80..04b0172 100644 --- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceLabelFormatter.php +++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/EntityReferenceLabelFormatter.php @@ -7,10 +7,10 @@ namespace Drupal\Core\Field\Plugin\Field\FieldFormatter; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\Exception\UndefinedLinkTemplateException; use Drupal\Core\Field\FieldItemListInterface; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; /** * Plugin implementation of the 'entity reference label' formatter. @@ -98,7 +98,10 @@ public function viewElements(FieldItemListInterface $items) { } } else { - $elements[$delta] = array('#markup' => SafeMarkup::checkPlain($label)); + $elements[$delta] = array( + '#markup' => $label, + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + ); } $elements[$delta]['#cache']['tags'] = $entity->getCacheTags(); } diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php index dea2989..c8185aa 100644 --- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php +++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/LanguageFormatter.php @@ -7,7 +7,6 @@ namespace Drupal\Core\Field\Plugin\Field\FieldFormatter; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Field\FieldItemInterface; @@ -123,7 +122,7 @@ protected function viewValue(FieldItemInterface $item) { // storage by LanguageManager::getLanguages()) or in its native language // name. That only depends on formatter settings and no language condition. $languages = $this->getSetting('native_language') ? $this->languageManager->getNativeLanguages(LanguageInterface::STATE_ALL) : $this->languageManager->getLanguages(LanguageInterface::STATE_ALL); - return $item->language && isset($languages[$item->language->getId()]) ? SafeMarkup::checkPlain($languages[$item->language->getId()]->getName()) : ''; + return $item->language && isset($languages[$item->language->getId()]) ? $languages[$item->language->getId()]->getName() : ''; } } diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php index 6276f95..1379282 100644 --- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php +++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/StringFormatter.php @@ -7,7 +7,7 @@ namespace Drupal\Core\Field\Plugin\Field\FieldFormatter; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Entity\RevisionableInterface; use Drupal\Core\Field\FieldDefinitionInterface; @@ -128,17 +128,16 @@ public function viewElements(FieldItemListInterface $items) { } foreach ($items as $delta => $item) { - $string = $this->viewValue($item); + $elements[$delta] = ['#markup' => $this->viewValue($item)]; + + // Wrap in a link if configured to. if ($url) { $elements[$delta] = [ '#type' => 'link', - '#title' => $string, + '#title' => $elements[$delta], '#url' => $url, ]; } - else { - $elements[$delta] = ['#markup' => $string]; - } } return $elements; } @@ -155,7 +154,7 @@ public function viewElements(FieldItemListInterface $items) { protected function viewValue(FieldItemInterface $item) { // The text value has no text format assigned to it, so the user input // should equal the output, including newlines. - return nl2br(SafeMarkup::checkPlain($item->value)); + return nl2br(Html::escape($item->value)); } } diff --git a/core/lib/Drupal/Core/Field/WidgetBase.php b/core/lib/Drupal/Core/Field/WidgetBase.php index 356eece..0764c51 100644 --- a/core/lib/Drupal/Core/Field/WidgetBase.php +++ b/core/lib/Drupal/Core/Field/WidgetBase.php @@ -10,7 +10,6 @@ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\NestedArray; use Drupal\Component\Utility\SortArray; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Render\Element; use Symfony\Component\Validator\ConstraintViolationInterface; @@ -85,7 +84,7 @@ public function form(FieldItemListInterface $items, array &$form, FormStateInter if ($this->handlesMultipleValues() || isset($get_delta)) { $delta = isset($get_delta) ? $get_delta : 0; $element = array( - '#title' => SafeMarkup::checkPlain($this->fieldDefinition->getLabel()), + '#title' => $this->fieldDefinition->getLabel(), '#description' => $this->fieldFilterXss(\Drupal::token()->replace($this->fieldDefinition->getDescription())), ); $element = $this->formSingleElement($items, $delta, $element, $form, $form_state); @@ -164,7 +163,7 @@ protected function formMultipleElements(FieldItemListInterface $items, array &$f break; } - $title = SafeMarkup::checkPlain($this->fieldDefinition->getLabel()); + $title = $this->fieldDefinition->getLabel(); $description = $this->fieldFilterXss(\Drupal::token()->replace($this->fieldDefinition->getDescription())); $elements = array(); diff --git a/core/lib/Drupal/Core/Form/FormErrorHandler.php b/core/lib/Drupal/Core/Form/FormErrorHandler.php index df736b0..03c86c9 100644 --- a/core/lib/Drupal/Core/Form/FormErrorHandler.php +++ b/core/lib/Drupal/Core/Form/FormErrorHandler.php @@ -82,9 +82,7 @@ protected function displayErrorMessages(array $form, FormStateInterface $form_st unset($errors[$name]); } elseif ($is_visible_element && $has_title && $has_id) { - // We need to pass this through SafeMarkup::escape() so - // drupal_set_message() does not encode the links. - $error_links[] = SafeMarkup::escape($this->l($title, Url::fromRoute('', [], ['fragment' => $form_element['#id'], 'external' => TRUE]))); + $error_links[] = $this->l($title, Url::fromRoute('', [], ['fragment' => $form_element['#id'], 'external' => TRUE])); unset($errors[$name]); } } diff --git a/core/lib/Drupal/Core/Form/form.api.php b/core/lib/Drupal/Core/Form/form.api.php index 9173231..12ce8d1 100644 --- a/core/lib/Drupal/Core/Form/form.api.php +++ b/core/lib/Drupal/Core/Form/form.api.php @@ -5,8 +5,6 @@ * Callbacks and hooks related to form system. */ -use Drupal\Component\Utility\SafeMarkup; - /** * @addtogroup callbacks * @{ @@ -79,7 +77,7 @@ function callback_batch_operation($MULTIPLE_PARAMS, &$context) { node_save($node); // Store some result for post-processing in the finished callback. - $context['results'][] = SafeMarkup::checkPlain($node->title); + $context['results'][] = $node->title; // Update our progress information. $context['sandbox']['progress']++; diff --git a/core/lib/Drupal/Core/Menu/menu.api.php b/core/lib/Drupal/Core/Menu/menu.api.php index e68b795..45396fd 100644 --- a/core/lib/Drupal/Core/Menu/menu.api.php +++ b/core/lib/Drupal/Core/Menu/menu.api.php @@ -611,7 +611,7 @@ function hook_system_breadcrumb_alter(\Drupal\Core\Breadcrumb\Breadcrumb &$bread * Drupal\Core\Template\Attribute($options['attributes']). * - html: Whether or not HTML should be allowed as the link text. If FALSE, * the text will be run through - * \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output. + * \Drupal\Component\Utility\Html::escape() before being output. * * @see \Drupal\Core\Routing\UrlGenerator::generateFromPath() * @see \Drupal\Core\Routing\UrlGenerator::generateFromRoute() diff --git a/core/lib/Drupal/Core/Session/AccountInterface.php b/core/lib/Drupal/Core/Session/AccountInterface.php index fa437c0..96aeb2d 100644 --- a/core/lib/Drupal/Core/Session/AccountInterface.php +++ b/core/lib/Drupal/Core/Session/AccountInterface.php @@ -116,10 +116,7 @@ public function getPreferredAdminLangcode($fallback_to_default = TRUE); * @see hook_user_format_name_alter() * * @return - * An unsanitized string with the username to display. The code receiving - * this result must ensure that \Drupal\Component\Utility\SafeMarkup::checkPlain() - * is called on it before it is - * printed to the page. + * An unsanitized string with the username to display. */ public function getUsername(); diff --git a/core/lib/Drupal/Core/Template/TwigExtension.php b/core/lib/Drupal/Core/Template/TwigExtension.php index 482c888..443cf73 100644 --- a/core/lib/Drupal/Core/Template/TwigExtension.php +++ b/core/lib/Drupal/Core/Template/TwigExtension.php @@ -12,6 +12,7 @@ namespace Drupal\Core\Template; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\SafeStringInterface; use Drupal\Core\Render\RendererInterface; @@ -433,7 +434,7 @@ public function escapeFilter(\Twig_Environment $env, $arg, $strategy = 'html', $ // Drupal only supports the HTML escaping strategy, so provide a // fallback for other strategies. if ($strategy == 'html') { - return SafeMarkup::checkPlain($return); + return Html::escape($return); } return twig_escape_filter($env, $return, $strategy, $charset, $autoescape); } diff --git a/core/lib/Drupal/Core/Utility/Token.php b/core/lib/Drupal/Core/Utility/Token.php index 9966726..1db2a04 100644 --- a/core/lib/Drupal/Core/Utility/Token.php +++ b/core/lib/Drupal/Core/Utility/Token.php @@ -164,7 +164,7 @@ public function __construct(ModuleHandlerInterface $module_handler, CacheBackend * display to a web browser. Defaults to TRUE. Developers who set this * option to FALSE assume responsibility for running * \Drupal\Component\Utility\Xss::filter(), - * \Drupal\Component\Utility\SafeMarkup::checkPlain() or other appropriate + * \Drupal\Component\Utility\Html::escape() or other appropriate * scrubbing functions before displaying data to users. * @param \Drupal\Core\Render\BubbleableMetadata $bubbleable_metadata|null * (optional) An object to which static::generate() and the hooks and @@ -285,7 +285,7 @@ public function scan($text) { * - sanitize: A boolean flag indicating that tokens should be sanitized for * display to a web browser. Developers who set this option to FALSE assume * responsibility for running \Drupal\Component\Utility\Xss::filter(), - * \Drupal\Component\Utility\SafeMarkup::checkPlain() or other appropriate + * \Drupal\Component\Utility\Html::escape() or other appropriate * scrubbing functions before displaying data to users. * @param \Drupal\Core\Render\BubbleableMetadata $bubbleable_metadata * The bubbleable metadata. This is passed to the token replacement diff --git a/core/lib/Drupal/Core/Utility/token.api.php b/core/lib/Drupal/Core/Utility/token.api.php index d2d87ed..0cf2e7a 100644 --- a/core/lib/Drupal/Core/Utility/token.api.php +++ b/core/lib/Drupal/Core/Utility/token.api.php @@ -5,7 +5,7 @@ * Hooks related to the Token system. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\user\Entity\User; /** @@ -97,7 +97,7 @@ function hook_tokens($type, $tokens, array $data, array $options, \Drupal\Core\R break; case 'title': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($node->getTitle()) : $node->getTitle(); + $replacements[$original] = $sanitize ? Html::escape($node->getTitle()) : $node->getTitle(); break; case 'edit-url': @@ -107,7 +107,7 @@ function hook_tokens($type, $tokens, array $data, array $options, \Drupal\Core\R // Default values for the chained tokens handled below. case 'author': $account = $node->getOwner() ? $node->getOwner() : User::load(0); - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($account->label()) : $account->label(); + $replacements[$original] = $sanitize ? Html::escape($account->label()) : $account->label(); $bubbleable_metadata->addCacheableDependency($account); break; diff --git a/core/modules/action/action.views_execution.inc b/core/modules/action/action.views_execution.inc index 8421d79..fb74455 100644 --- a/core/modules/action/action.views_execution.inc +++ b/core/modules/action/action.views_execution.inc @@ -5,14 +5,15 @@ * Provides views runtime hooks for action.module. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; /** * Implements hook_views_form_substitutions(). */ function action_views_form_substitutions() { - // Views SafeMarkup::checkPlain()s the column label, so we need to match that. - $select_all_placeholder = SafeMarkup::checkPlain(''); + // Views uses \Drupal\Core\Utility\Html::escape() on the column label, so we + // need to match that. + $select_all_placeholder = Html::escape(''); $select_all = array( '#type' => 'checkbox', '#default_value' => FALSE, diff --git a/core/modules/aggregator/aggregator.theme.inc b/core/modules/aggregator/aggregator.theme.inc index ab6c3dc..e2a4591 100644 --- a/core/modules/aggregator/aggregator.theme.inc +++ b/core/modules/aggregator/aggregator.theme.inc @@ -5,7 +5,6 @@ * Preprocessors and theme functions of Aggregator module. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Render\Element; /** @@ -26,7 +25,7 @@ function template_preprocess_aggregator_item(&$variables) { } $variables['url'] = check_url($item->getLink()); - $variables['title'] = SafeMarkup::checkPlain($item->label()); + $variables['title'] = $item->label(); } /** @@ -46,5 +45,5 @@ function template_preprocess_aggregator_feed(&$variables) { $variables['content'][$key] = $variables['elements'][$key]; } $variables['full'] = $variables['elements']['#view_mode'] == 'full'; - $variables['title'] = SafeMarkup::checkPlain($feed->label()); + $variables['title'] = $feed->label(); } diff --git a/core/modules/aggregator/src/Plugin/views/argument/Fid.php b/core/modules/aggregator/src/Plugin/views/argument/Fid.php index b4abeca..f219d17 100644 --- a/core/modules/aggregator/src/Plugin/views/argument/Fid.php +++ b/core/modules/aggregator/src/Plugin/views/argument/Fid.php @@ -9,7 +9,6 @@ use Drupal\Core\Entity\EntityManagerInterface; use Drupal\views\Plugin\views\argument\NumericArgument; -use Drupal\Component\Utility\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -60,7 +59,7 @@ public function titleQuery() { $feeds = $this->entityManager->getStorage('aggregator_feed')->loadMultiple($this->value); foreach ($feeds as $feed) { - $titles[] = SafeMarkup::checkPlain($feed->label()); + $titles[] = $feed->label(); } return $titles; } diff --git a/core/modules/aggregator/src/Plugin/views/argument/Iid.php b/core/modules/aggregator/src/Plugin/views/argument/Iid.php index a125856..d04968b 100644 --- a/core/modules/aggregator/src/Plugin/views/argument/Iid.php +++ b/core/modules/aggregator/src/Plugin/views/argument/Iid.php @@ -9,7 +9,6 @@ use Drupal\Core\Entity\EntityManagerInterface; use Drupal\views\Plugin\views\argument\NumericArgument; -use Drupal\Component\Utility\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -60,7 +59,7 @@ public function titleQuery() { $items = $this->entityManager->getStorage('aggregator_item')->loadMultiple($this->value); foreach ($items as $feed) { - $titles[] = SafeMarkup::checkPlain($feed->label()); + $titles[] = $feed->label(); } return $titles; } diff --git a/core/modules/block/src/BlockListBuilder.php b/core/modules/block/src/BlockListBuilder.php index 43d7a1c..19fb7e3 100644 --- a/core/modules/block/src/BlockListBuilder.php +++ b/core/modules/block/src/BlockListBuilder.php @@ -9,7 +9,6 @@ use Drupal\Component\Utility\Html; use Drupal\Component\Serialization\Json; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityStorageInterface; @@ -17,6 +16,7 @@ use Drupal\Core\Form\FormBuilderInterface; use Drupal\Core\Form\FormInterface; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Theme\ThemeManagerInterface; use Drupal\Core\Url; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -261,7 +261,8 @@ protected function buildBlocksForm() { $form[$entity_id]['#attributes']['class'][] = 'js-block-placed'; } $form[$entity_id]['info'] = array( - '#markup' => SafeMarkup::checkPlain($info['label']), + '#markup' => $info['label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, '#wrapper_attributes' => array( 'class' => array('block'), ), diff --git a/core/modules/block/src/BlockViewBuilder.php b/core/modules/block/src/BlockViewBuilder.php index 187692d..3ff8ae7 100644 --- a/core/modules/block/src/BlockViewBuilder.php +++ b/core/modules/block/src/BlockViewBuilder.php @@ -7,7 +7,6 @@ namespace Drupal\block; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Cache\Cache; use Drupal\Core\Cache\CacheableMetadata; use Drupal\Core\Entity\EntityViewBuilder; @@ -83,7 +82,7 @@ public function viewMultiple(array $entities = array(), $view_mode = 'full', $la // Add the entity so that it can be used in the #pre_render method. '#block' => $entity, ); - $build[$entity_id]['#configuration']['label'] = SafeMarkup::checkPlain($configuration['label']); + $build[$entity_id]['#configuration']['label'] = $configuration['label']; // Don't run in ::buildBlock() to ensure cache keys can be altered. If an // alter hook wants to modify the block contents, it can append another diff --git a/core/modules/block/src/Controller/BlockLibraryController.php b/core/modules/block/src/Controller/BlockLibraryController.php index 2a0148f..972dd73 100644 --- a/core/modules/block/src/Controller/BlockLibraryController.php +++ b/core/modules/block/src/Controller/BlockLibraryController.php @@ -8,7 +8,6 @@ namespace Drupal\block\Controller; use Drupal\Component\Serialization\Json; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Block\BlockManagerInterface; use Drupal\Core\Controller\ControllerBase; use Drupal\Core\EventSubscriber\MainContentViewSubscriber; @@ -109,7 +108,7 @@ public function listBlocks(Request $request, $theme) { '#prefix' => '
', '#suffix' => '
', ]; - $row['category']['data'] = SafeMarkup::checkPlain($plugin_definition['category']); + $row['category']['data'] = $plugin_definition['category']; $links['add'] = [ 'title' => $this->t('Place block'), 'url' => Url::fromRoute('block.admin_add', ['plugin_id' => $plugin_id, 'theme' => $theme]), diff --git a/core/modules/block/src/Controller/CategoryAutocompleteController.php b/core/modules/block/src/Controller/CategoryAutocompleteController.php index 0f6a011..aa5bc97 100644 --- a/core/modules/block/src/Controller/CategoryAutocompleteController.php +++ b/core/modules/block/src/Controller/CategoryAutocompleteController.php @@ -8,7 +8,7 @@ namespace Drupal\block\Controller; use Drupal\Core\Block\BlockManagerInterface; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\DependencyInjection\ContainerInjectionInterface; use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\HttpFoundation\JsonResponse; @@ -59,7 +59,7 @@ public function autocomplete(Request $request) { $matches = array(); foreach ($this->blockManager->getCategories() as $category) { if (stripos($category, $typed_category) === 0) { - $matches[] = array('value' => $category, 'label' => SafeMarkup::checkPlain($category)); + $matches[] = array('value' => $category, 'label' => Html::escape($category)); } } return new JsonResponse($matches); diff --git a/core/modules/block/src/Tests/BlockInterfaceTest.php b/core/modules/block/src/Tests/BlockInterfaceTest.php index 5e8b54c..10c6135 100644 --- a/core/modules/block/src/Tests/BlockInterfaceTest.php +++ b/core/modules/block/src/Tests/BlockInterfaceTest.php @@ -8,8 +8,8 @@ namespace Drupal\block\Tests; use Drupal\Core\Cache\Cache; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormState; +use Drupal\Core\Render\Element\Markup; use Drupal\simpletest\KernelTestBase; use Drupal\block\BlockInterface; @@ -73,7 +73,8 @@ public function testBlockInterface() { 'admin_label' => array( '#type' => 'item', '#title' => t('Block description'), - '#markup' => SafeMarkup::checkPlain($definition['admin_label']), + '#markup' => $definition['admin_label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'label' => array( '#type' => 'textfield', diff --git a/core/modules/block/tests/src/Unit/CategoryAutocompleteTest.php b/core/modules/block/tests/src/Unit/CategoryAutocompleteTest.php index 065a25b..a4c65b2 100644 --- a/core/modules/block/tests/src/Unit/CategoryAutocompleteTest.php +++ b/core/modules/block/tests/src/Unit/CategoryAutocompleteTest.php @@ -8,7 +8,7 @@ namespace Drupal\Tests\block\Unit; use Drupal\block\Controller\CategoryAutocompleteController; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Tests\UnitTestCase; use Symfony\Component\HttpFoundation\Request; @@ -48,7 +48,7 @@ protected function setUp() { */ public function testAutocompleteSuggestions($string, $suggestions) { $suggestions = array_map(function ($suggestion) { - return array('value' => $suggestion, 'label' => SafeMarkup::checkPlain($suggestion)); + return array('value' => $suggestion, 'label' => Html::escape($suggestion)); }, $suggestions); $result = $this->autocompleteController->autocomplete(new Request(array('q' => $string))); $this->assertSame($suggestions, json_decode($result->getContent(), TRUE)); diff --git a/core/modules/book/book.module b/core/modules/book/book.module index e80b5e3..3a48671 100644 --- a/core/modules/book/book.module +++ b/core/modules/book/book.module @@ -7,7 +7,6 @@ use Drupal\book\BookManager; use Drupal\book\BookManagerInterface; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Render\Element; @@ -384,7 +383,7 @@ function template_preprocess_book_navigation(&$variables) { // Provide extra variables for themers. Not needed by default. $variables['book_id'] = $book_link['bid']; - $variables['book_title'] = SafeMarkup::checkPlain($book_link['link_title']); + $variables['book_title'] = $book_link['link_title']; $variables['book_url'] = \Drupal::url('entity.node.canonical', array('node' => $book_link['bid'])); $variables['current_depth'] = $book_link['depth']; $variables['tree'] = ''; @@ -404,7 +403,7 @@ function template_preprocess_book_navigation(&$variables) { 'href' => $prev_href, ); $variables['prev_url'] = $prev_href; - $variables['prev_title'] = SafeMarkup::checkPlain($prev['title']); + $variables['prev_title'] = $prev['title']; } /** @var \Drupal\book\BookManagerInterface $book_manager */ @@ -416,7 +415,7 @@ function template_preprocess_book_navigation(&$variables) { 'href' => $parent_href, ); $variables['parent_url'] = $parent_href; - $variables['parent_title'] = SafeMarkup::checkPlain($parent['title']); + $variables['parent_title'] = $parent['title']; } if ($next = $book_outline->nextLink($book_link)) { @@ -426,7 +425,7 @@ function template_preprocess_book_navigation(&$variables) { 'href' => $next_href, ); $variables['next_url'] = $next_href; - $variables['next_title'] = SafeMarkup::checkPlain($next['title']); + $variables['next_title'] = $next['title']; } } @@ -464,7 +463,6 @@ function template_preprocess_book_export_html(&$variables) { global $base_url; $language_interface = \Drupal::languageManager()->getCurrentLanguage(); - $variables['title'] = SafeMarkup::checkPlain($variables['title']); $variables['base_url'] = $base_url; $variables['language'] = $language_interface; $variables['language_rtl'] = ($language_interface->getDirection() == LanguageInterface::DIRECTION_RTL); @@ -490,7 +488,7 @@ function template_preprocess_book_export_html(&$variables) { */ function template_preprocess_book_node_export_html(&$variables) { $variables['depth'] = $variables['node']->book['depth']; - $variables['title'] = SafeMarkup::checkPlain($variables['node']->label()); + $variables['title'] = $variables['node']->label(); } /** diff --git a/core/modules/color/color.module b/core/modules/color/color.module index fa9499b..46ddce5 100644 --- a/core/modules/color/color.module +++ b/core/modules/color/color.module @@ -8,7 +8,6 @@ use Drupal\Core\Asset\CssOptimizer; use Drupal\Component\Utility\Bytes; use Drupal\Component\Utility\Environment; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Cache\Cache; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; @@ -251,7 +250,7 @@ function color_scheme_form($complete_form, FormStateInterface $form_state, $them if (isset($names[$name])) { $form['palette'][$name] = array( '#type' => 'textfield', - '#title' => SafeMarkup::checkPlain($names[$name]), + '#title' => $names[$name], '#value_callback' => 'color_palette_color_value', '#default_value' => $value, '#size' => 8, diff --git a/core/modules/comment/comment.module b/core/modules/comment/comment.module index 20ba4a3..1d9168e 100644 --- a/core/modules/comment/comment.module +++ b/core/modules/comment/comment.module @@ -16,7 +16,6 @@ use Drupal\comment\Entity\CommentType; use Drupal\Core\Entity\FieldableEntityInterface; use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Routing\RouteMatchInterface; @@ -575,7 +574,7 @@ function comment_preview(CommentInterface $comment, FormStateInterface $form_sta if (!empty($account) && $account->isAuthenticated()) { $comment->setOwner($account); - $comment->setAuthorName(SafeMarkup::checkPlain($account->getUsername())); + $comment->setAuthorName($account->getUsername()); } elseif (empty($author_name)) { $comment->setAuthorName(\Drupal::config('user.settings')->get('anonymous')); diff --git a/core/modules/comment/comment.tokens.inc b/core/modules/comment/comment.tokens.inc index 3a73f39..5b11466 100644 --- a/core/modules/comment/comment.tokens.inc +++ b/core/modules/comment/comment.tokens.inc @@ -5,7 +5,7 @@ * Builds placeholder replacement tokens for comment-related data. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Datetime\Entity\DateFormat; use Drupal\Core\Render\BubbleableMetadata; @@ -135,7 +135,7 @@ function comment_tokens($type, $tokens, array $data, array $options, BubbleableM // Poster identity information for comments. case 'hostname': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($comment->getHostname()) : $comment->getHostname(); + $replacements[$original] = $sanitize ? Html::escape($comment->getHostname()) : $comment->getHostname(); break; case 'mail': @@ -145,7 +145,7 @@ function comment_tokens($type, $tokens, array $data, array $options, BubbleableM if ($comment->getOwnerId()) { $bubbleable_metadata->addCacheableDependency($comment->getOwner()); } - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($mail) : $mail; + $replacements[$original] = $sanitize ? Html::escape($mail) : $mail; break; case 'homepage': @@ -161,7 +161,7 @@ function comment_tokens($type, $tokens, array $data, array $options, BubbleableM break; case 'langcode': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($comment->language()->getId()) : $comment->language()->getId(); + $replacements[$original] = $sanitize ? Html::escape($comment->language()->getId()) : $comment->language()->getId(); break; // Comment related URLs. diff --git a/core/modules/comment/src/CommentTypeListBuilder.php b/core/modules/comment/src/CommentTypeListBuilder.php index 4f99871..f8a3451 100644 --- a/core/modules/comment/src/CommentTypeListBuilder.php +++ b/core/modules/comment/src/CommentTypeListBuilder.php @@ -7,8 +7,6 @@ namespace Drupal\comment; -use Drupal\Component\Utility\SafeMarkup; -use Drupal\Component\Utility\Xss; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; @@ -45,7 +43,7 @@ public function buildHeader() { * {@inheritdoc} */ public function buildRow(EntityInterface $entity) { - $row['type'] = SafeMarkup::checkPlain($entity->label()); + $row['type'] = $entity->label(); $row['description']['data'] = ['#markup' => $entity->getDescription()]; return $row + parent::buildRow($entity); } diff --git a/core/modules/comment/src/Form/ConfirmDeleteMultiple.php b/core/modules/comment/src/Form/ConfirmDeleteMultiple.php index 666b555..5a12ed9 100644 --- a/core/modules/comment/src/Form/ConfirmDeleteMultiple.php +++ b/core/modules/comment/src/Form/ConfirmDeleteMultiple.php @@ -8,7 +8,7 @@ namespace Drupal\comment\Form; use Drupal\comment\CommentStorageInterface; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Form\ConfirmFormBase; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Url; @@ -100,7 +100,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { '#type' => 'hidden', '#value' => $cid, '#prefix' => '
  • ', - '#suffix' => SafeMarkup::checkPlain($comment->label()) . '
    • ' + '#suffix' => Html::escape($comment->label()) . '' ); $comment_counter++; } diff --git a/core/modules/comment/src/Plugin/views/argument/UserUid.php b/core/modules/comment/src/Plugin/views/argument/UserUid.php index 5195a7a..c408f31 100644 --- a/core/modules/comment/src/Plugin/views/argument/UserUid.php +++ b/core/modules/comment/src/Plugin/views/argument/UserUid.php @@ -7,7 +7,6 @@ namespace Drupal\comment\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Database\Connection; use Drupal\views\Plugin\views\argument\ArgumentPluginBase; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -65,7 +64,7 @@ function title() { return $this->t('No user'); } - return SafeMarkup::checkPlain($title); + return $title; } protected function defaultActions($which = NULL) { diff --git a/core/modules/comment/src/Tests/CommentTokenReplaceTest.php b/core/modules/comment/src/Tests/CommentTokenReplaceTest.php index c1f4303..0267346 100644 --- a/core/modules/comment/src/Tests/CommentTokenReplaceTest.php +++ b/core/modules/comment/src/Tests/CommentTokenReplaceTest.php @@ -7,7 +7,7 @@ namespace Drupal\comment\Tests; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\comment\Entity\Comment; use Drupal\Core\Render\BubbleableMetadata; @@ -52,26 +52,26 @@ function testCommentTokenReplacement() { // Generate and test sanitized tokens. $tests = array(); $tests['[comment:cid]'] = $comment->id(); - $tests['[comment:hostname]'] = SafeMarkup::checkPlain($comment->getHostname()); + $tests['[comment:hostname]'] = Html::escape($comment->getHostname()); $tests['[comment:author]'] = Xss::filter($comment->getAuthorName()); - $tests['[comment:mail]'] = SafeMarkup::checkPlain($this->adminUser->getEmail()); + $tests['[comment:mail]'] = Html::escape($this->adminUser->getEmail()); $tests['[comment:homepage]'] = check_url($comment->getHomepage()); $tests['[comment:title]'] = Xss::filter($comment->getSubject()); $tests['[comment:body]'] = $comment->comment_body->processed; - $tests['[comment:langcode]'] = SafeMarkup::checkPlain($comment->language()->getId()); + $tests['[comment:langcode]'] = Html::escape($comment->language()->getId()); $tests['[comment:url]'] = $comment->url('canonical', $url_options + array('fragment' => 'comment-' . $comment->id())); $tests['[comment:edit-url]'] = $comment->url('edit-form', $url_options); $tests['[comment:created]'] = \Drupal::service('date.formatter')->format($comment->getCreatedTime(), 'medium', array('langcode' => $language_interface->getId())); $tests['[comment:created:since]'] = \Drupal::service('date.formatter')->formatTimeDiffSince($comment->getCreatedTime(), array('langcode' => $language_interface->getId())); $tests['[comment:changed:since]'] = \Drupal::service('date.formatter')->formatTimeDiffSince($comment->getChangedTimeAcrossTranslations(), array('langcode' => $language_interface->getId())); $tests['[comment:parent:cid]'] = $comment->hasParentComment() ? $comment->getParentComment()->id() : NULL; - $tests['[comment:parent:title]'] = SafeMarkup::checkPlain($parent_comment->getSubject()); - $tests['[comment:entity]'] = SafeMarkup::checkPlain($node->getTitle()); + $tests['[comment:parent:title]'] = Html::escape($parent_comment->getSubject()); + $tests['[comment:entity]'] = Html::escape($node->getTitle()); // Test node specific tokens. $tests['[comment:entity:nid]'] = $comment->getCommentedEntityId(); - $tests['[comment:entity:title]'] = SafeMarkup::checkPlain($node->getTitle()); + $tests['[comment:entity:title]'] = Html::escape($node->getTitle()); $tests['[comment:author:uid]'] = $comment->getOwnerId(); - $tests['[comment:author:name]'] = SafeMarkup::checkPlain($this->adminUser->getUsername()); + $tests['[comment:author:name]'] = Html::escape($this->adminUser->getUsername()); $base_bubbleable_metadata = BubbleableMetadata::createFromObject($comment); $metadata_tests = []; diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php b/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php index 275dfed..8046dc3 100644 --- a/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php +++ b/core/modules/config_translation/src/Controller/ConfigTranslationBlockListBuilder.php @@ -7,7 +7,6 @@ namespace Drupal\config_translation\Controller; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Entity\EntityTypeInterface; @@ -70,12 +69,12 @@ public function buildRow(EntityInterface $entity) { ); $row['theme'] = array( - 'data' => SafeMarkup::checkPlain($this->themes[$theme]->info['name']), + 'data' => $this->themes[$theme]->info['name'], 'class' => 'table-filter-text-source', ); $row['category'] = array( - 'data' => SafeMarkup::checkPlain($plugin_definition['category']), + 'data' => $plugin_definition['category'], 'class' => 'table-filter-text-source', ); diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php b/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php index a340707..850bbc6 100644 --- a/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php +++ b/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php @@ -7,7 +7,6 @@ namespace Drupal\config_translation\Controller; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Unicode; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; @@ -123,7 +122,7 @@ public function buildRow(EntityInterface $entity) { if ($this->displayBundle()) { $bundle = $entity->get('bundle'); $row['bundle'] = array( - 'data' => SafeMarkup::checkPlain($this->baseEntityBundles[$bundle]['label']), + 'data' => $this->baseEntityBundles[$bundle]['label'], 'class' => 'table-filter-text-source', ); } diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php b/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php index e32714b..5c95452 100644 --- a/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php +++ b/core/modules/config_translation/src/Controller/ConfigTranslationMapperList.php @@ -7,7 +7,6 @@ namespace Drupal\config_translation\Controller; -use Drupal\Component\Utility\SafeMarkup; use Drupal\config_translation\ConfigMapperInterface; use Drupal\Core\Controller\ControllerBase; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -94,7 +93,7 @@ public function render() { * A render array structure of fields for this mapper. */ public function buildRow(ConfigMapperInterface $mapper) { - $row['label'] = SafeMarkup::checkPlain($mapper->getTypeLabel()); + $row['label'] = $mapper->getTypeLabel(); $row['operations']['data'] = $this->buildOperations($mapper); return $row; } diff --git a/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php b/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php index 0916dcd..0dbab3e 100644 --- a/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php +++ b/core/modules/config_translation/src/Tests/ConfigTranslationOverviewTest.php @@ -7,7 +7,6 @@ namespace Drupal\config_translation\Tests; -use Drupal\Component\Utility\SafeMarkup; use Drupal\language\Entity\ConfigurableLanguage; use Drupal\simpletest\WebTestBase; @@ -101,7 +100,7 @@ public function testMapperListPage() { $base_url = 'admin/structure/config_test/manage/' . $test_entity->id(); $this->drupalGet('admin/config/regional/config-translation/config_test'); $this->assertLinkByHref($base_url . '/translate'); - $this->assertText(SafeMarkup::checkPlain($test_entity->label())); + $this->assertEscaped($test_entity->label()); // Make sure there is only a single 'Translate' operation for each // dropbutton. diff --git a/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php b/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php index f220d1a..86da2f8 100644 --- a/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php +++ b/core/modules/config_translation/src/Tests/ConfigTranslationUiTest.php @@ -751,9 +751,9 @@ public function testFieldConfigTranslation() { $this->clickLink('Add'); $this->assertText('Translatable field setting'); - $this->assertRaw(SafeMarkup::checkPlain($translatable_field_setting)); + $this->assertEscaped($translatable_field_setting); $this->assertText('Translatable storage setting'); - $this->assertRaw(SafeMarkup::checkPlain($translatable_storage_setting)); + $this->assertEscaped($translatable_storage_setting); } /** diff --git a/core/modules/contact/src/ContactFormListBuilder.php b/core/modules/contact/src/ContactFormListBuilder.php index 5a2b6b0..927e879 100644 --- a/core/modules/contact/src/ContactFormListBuilder.php +++ b/core/modules/contact/src/ContactFormListBuilder.php @@ -7,7 +7,6 @@ namespace Drupal\contact; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Link; @@ -41,7 +40,7 @@ public function buildRow(EntityInterface $entity) { } else { $row['form'] = $entity->link(NULL, 'canonical'); - $row['recipients'] = SafeMarkup::checkPlain(implode(', ', $entity->getRecipients())); + $row['recipients'] = implode(', ', $entity->getRecipients()); $default_form = \Drupal::config('contact.settings')->get('default_form'); $row['selected'] = ($default_form == $entity->id() ? t('Yes') : t('No')); } diff --git a/core/modules/contact/src/Controller/ContactController.php b/core/modules/contact/src/Controller/ContactController.php index 7233bb8..1abd33c 100644 --- a/core/modules/contact/src/Controller/ContactController.php +++ b/core/modules/contact/src/Controller/ContactController.php @@ -11,7 +11,6 @@ use Drupal\contact\ContactFormInterface; use Drupal\Core\Render\RendererInterface; use Drupal\user\UserInterface; -use Drupal\Component\Utility\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; @@ -87,7 +86,7 @@ public function contactSitePage(ContactFormInterface $contact_form = NULL) { )); $form = $this->entityFormBuilder()->getForm($message); - $form['#title'] = SafeMarkup::checkPlain($contact_form->label()); + $form['#title'] = $contact_form->label(); $form['#cache']['contexts'][] = 'user.permissions'; $this->renderer->addCacheableDependency($form, $config); return $form; diff --git a/core/modules/contact/src/MessageForm.php b/core/modules/contact/src/MessageForm.php index adad131..b7f0c95 100644 --- a/core/modules/contact/src/MessageForm.php +++ b/core/modules/contact/src/MessageForm.php @@ -7,7 +7,6 @@ namespace Drupal\contact; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Datetime\DateFormatter; use Drupal\Core\Entity\ContentEntityForm; use Drupal\Core\Entity\EntityManagerInterface; @@ -15,6 +14,7 @@ use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Language\LanguageManagerInterface; +use Drupal\Core\Render\Element\Markup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -130,12 +130,14 @@ public function form(array $form, FormStateInterface $form_state) { $form['name']['#type'] = 'item'; $form['name']['#value'] = $user->getUsername(); $form['name']['#required'] = FALSE; - $form['name']['#markup'] = SafeMarkup::checkPlain($user->getUsername()); + $form['name']['#markup'] = $user->getUsername(); + $form['name']['#safe_strategy'] = Markup::SAFE_STRATEGY_ESCAPE; $form['mail']['#type'] = 'item'; $form['mail']['#value'] = $user->getEmail(); $form['mail']['#required'] = FALSE; - $form['mail']['#markup'] = SafeMarkup::checkPlain($user->getEmail()); + $form['mail']['#markup'] = $user->getEmail(); + $form['mail']['#safe_strategy'] = Markup::SAFE_STRATEGY_ESCAPE; } // The user contact form has a preset recipient. diff --git a/core/modules/contact/src/MessageViewBuilder.php b/core/modules/contact/src/MessageViewBuilder.php index 24f58f5..a89aa4a 100644 --- a/core/modules/contact/src/MessageViewBuilder.php +++ b/core/modules/contact/src/MessageViewBuilder.php @@ -9,9 +9,9 @@ use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityViewBuilder; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Mail\MailFormatHelper; use Drupal\Core\Render\Element; +use Drupal\Core\Render\Element\Markup; /** * Render controller for contact messages. @@ -42,7 +42,8 @@ public function buildComponents(array &$build, array $entities, array $displays, $build[$id]['message'] = array( '#type' => 'item', '#title' => t('Message'), - '#markup' => SafeMarkup::checkPlain($entity->getMessage()), + '#markup' => $entity->getMessage(), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ); } } diff --git a/core/modules/content_translation/content_translation.admin.inc b/core/modules/content_translation/content_translation.admin.inc index 5623f75..6d8323c 100644 --- a/core/modules/content_translation/content_translation.admin.inc +++ b/core/modules/content_translation/content_translation.admin.inc @@ -5,7 +5,7 @@ * The content translation administration forms. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Config\Entity\ThirdPartySettingsInterface; use Drupal\Core\Entity\ContentEntityTypeInterface; use Drupal\Core\Entity\EntityTypeInterface; @@ -14,6 +14,7 @@ use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Render\Element\Markup; /** * Returns a form element to configure field synchronization. @@ -216,10 +217,11 @@ function _content_translation_preprocess_language_content_settings_table(&$varia 'bundle' => array( '#prefix' => ' ', - '#markup' => SafeMarkup::checkPlain($element[$bundle]['settings']['#label']), + '#markup' => $element[$bundle]['settings']['#label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'field' => array( - '#markup' => SafeMarkup::checkPlain($field_element['#label']), + '#markup' => Html::escape($field_element['#label']), ), ), 'class' => array('field'), @@ -250,15 +252,18 @@ function _content_translation_preprocess_language_content_settings_table(&$varia 'bundle' => array( '#prefix' => ' ', - '#markup' => SafeMarkup::checkPlain($element[$bundle]['settings']['#label']), + '#markup' => $element[$bundle]['settings']['#label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'field' => array( '#prefix' => ' ', - '#markup' => SafeMarkup::checkPlain($field_element['#label']), + '#markup' => $field_element['#label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'columns' => array( - '#markup' => SafeMarkup::checkPlain($column_label), + '#markup' => $column_label, + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), ), 'class' => array('column'), diff --git a/core/modules/dblog/src/Controller/DbLogController.php b/core/modules/dblog/src/Controller/DbLogController.php index 81f9156..9f8e4c7 100644 --- a/core/modules/dblog/src/Controller/DbLogController.php +++ b/core/modules/dblog/src/Controller/DbLogController.php @@ -8,9 +8,7 @@ namespace Drupal\dblog\Controller; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Unicode; -use Drupal\Component\Utility\Xss; use Drupal\Core\Controller\ControllerBase; use Drupal\Core\Database\Connection; use Drupal\Core\Datetime\DateFormatter; @@ -280,7 +278,7 @@ public function eventDetails($event_id) { ), array( array('data' => $this->t('Hostname'), 'header' => TRUE), - SafeMarkup::checkPlain($dblog->hostname), + $dblog->hostname, ), array( array('data' => $this->t('Operations'), 'header' => TRUE), diff --git a/core/modules/editor/src/EditorXssFilter/Standard.php b/core/modules/editor/src/EditorXssFilter/Standard.php index 43ef797..2bab2e8 100644 --- a/core/modules/editor/src/EditorXssFilter/Standard.php +++ b/core/modules/editor/src/EditorXssFilter/Standard.php @@ -9,7 +9,6 @@ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; -use Drupal\Component\Utility\SafeMarkup; use Drupal\filter\FilterFormatInterface; use Drupal\editor\EditorXssFilterInterface; @@ -114,7 +113,7 @@ protected static function filterXssDataAttributes($html) { // value. There is no need to explicitly decode $node->value, since the // DOMAttr::value getter returns the decoded value. $value = Xss::filterAdmin($node->value); - $node->value = SafeMarkup::checkPlain($value); + $node->value = Html::escape($value); } $html = Html::serialize($dom); } diff --git a/core/modules/editor/src/Tests/EditorSecurityTest.php b/core/modules/editor/src/Tests/EditorSecurityTest.php index a50b6ab..bb39450 100644 --- a/core/modules/editor/src/Tests/EditorSecurityTest.php +++ b/core/modules/editor/src/Tests/EditorSecurityTest.php @@ -9,7 +9,6 @@ use Drupal\Component\Serialization\Json; use Drupal\simpletest\WebTestBase; -use Drupal\Component\Utility\SafeMarkup; /** * Tests XSS protection for content creators when using text editors. @@ -388,7 +387,6 @@ function testSwitchingSecurity() { // Log in as the privileged user, and for every sample, do the following: // - switch to every other text format/editor // - assert the XSS-filtered values that we get from the server - $value_original_attribute = SafeMarkup::checkPlain(self::$sampleContent); $this->drupalLogin($this->privilegedUser); foreach ($expected as $case) { $this->drupalGet('node/' . $case['node_id'] . '/edit'); diff --git a/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php b/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php index be11617..09d1edd 100644 --- a/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php +++ b/core/modules/entity_reference/src/ConfigurableEntityReferenceItem.php @@ -7,7 +7,6 @@ namespace Drupal\entity_reference; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityTypeInterface; use Drupal\Core\Field\Plugin\Field\FieldType\EntityReferenceItem; use Drupal\Core\Field\PreconfiguredFieldUiOptionsInterface; @@ -80,7 +79,7 @@ public function getSettableOptions(AccountInterface $account = NULL) { $return = array(); foreach ($options as $bundle => $entity_ids) { - $bundle_label = SafeMarkup::checkPlain($bundles[$bundle]['label']); + $bundle_label = $bundles[$bundle]['label']; $return[$bundle_label] = $entity_ids; } @@ -135,11 +134,11 @@ public function fieldSettingsForm(array $form, FormStateInterface $form_state) { // entity type specific plugins (e.g., 'default:node', 'default:user', // etc.). if (array_key_exists($selection_group_id, $selection_plugins[$selection_group_id])) { - $handlers_options[$selection_group_id] = SafeMarkup::checkPlain($selection_plugins[$selection_group_id][$selection_group_id]['label']); + $handlers_options[$selection_group_id] = $selection_plugins[$selection_group_id][$selection_group_id]['label']; } elseif (array_key_exists($selection_group_id . ':' . $this->getSetting('target_type'), $selection_plugins[$selection_group_id])) { $selection_group_plugin = $selection_group_id . ':' . $this->getSetting('target_type'); - $handlers_options[$selection_group_plugin] = SafeMarkup::checkPlain($selection_plugins[$selection_group_id][$selection_group_plugin]['base_plugin_label']); + $handlers_options[$selection_group_plugin] = $selection_plugins[$selection_group_id][$selection_group_plugin]['base_plugin_label']; } } diff --git a/core/modules/field/src/Tests/EntityReference/EntityReferenceFormatterTest.php b/core/modules/field/src/Tests/EntityReference/EntityReferenceFormatterTest.php index 3c7b9d6..0f3f01c 100644 --- a/core/modules/field/src/Tests/EntityReference/EntityReferenceFormatterTest.php +++ b/core/modules/field/src/Tests/EntityReference/EntityReferenceFormatterTest.php @@ -10,6 +10,7 @@ use Drupal\Core\Cache\Cache; use Drupal\Core\Cache\CacheableMetadata; use Drupal\Core\Field\FieldStorageDefinitionInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\entity_reference\Tests\EntityReferenceTestTrait; use Drupal\field\Entity\FieldStorageConfig; use Drupal\filter\Entity\FilterFormat; @@ -245,6 +246,7 @@ public function testLabelFormatter() { // lacking any URL info. $expected_item_2 = array( '#markup' => $this->unsavedReferencedEntity->label(), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, '#cache' => array( 'contexts' => [ 'user.permissions', diff --git a/core/modules/field/src/Tests/FormTest.php b/core/modules/field/src/Tests/FormTest.php index e51cb17..d674d62 100644 --- a/core/modules/field/src/Tests/FormTest.php +++ b/core/modules/field/src/Tests/FormTest.php @@ -7,7 +7,6 @@ namespace Drupal\field\Tests; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Field\FieldStorageDefinitionInterface; use Drupal\Core\Form\FormState; use Drupal\field\Entity\FieldConfig; @@ -105,8 +104,8 @@ function testFieldFormSingle() { $this->drupalGet('entity_test/add'); // Create token value expected for description. - $token_description = SafeMarkup::checkPlain($this->config('system.site')->get('name')) . '_description'; - $this->assertText($token_description, 'Token replacement for description is displayed'); + $token_description = $this->config('system.site')->get('name') . '_description'; + $this->assertEscaped($token_description, 'Token replacement for description is displayed'); $this->assertFieldByName("{$field_name}[0][value]", '', 'Widget is displayed'); $this->assertNoField("{$field_name}[1][value]", 'No extraneous widget is displayed'); diff --git a/core/modules/field/src/Tests/String/RawStringFormatterTest.php b/core/modules/field/src/Tests/String/RawStringFormatterTest.php index 82f6973..60ea420 100644 --- a/core/modules/field/src/Tests/String/RawStringFormatterTest.php +++ b/core/modules/field/src/Tests/String/RawStringFormatterTest.php @@ -7,7 +7,7 @@ namespace Drupal\field\Tests\String; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Core\Entity\Display\EntityViewDisplayInterface; use Drupal\Core\Entity\FieldableEntityInterface; @@ -119,7 +119,7 @@ public function testStringFormatter() { // Verify that all HTML is escaped and newlines are retained. $this->renderEntityFields($entity, $this->display); $this->assertNoRaw($value); - $this->assertRaw(nl2br(SafeMarkup::checkPlain($value))); + $this->assertRaw(nl2br(Html::escape($value))); // Verify the cache tags. $build = $entity->{$this->fieldName}->view(); diff --git a/core/modules/field/src/Tests/String/StringFormatterTest.php b/core/modules/field/src/Tests/String/StringFormatterTest.php index dcb515e..1703c3e 100644 --- a/core/modules/field/src/Tests/String/StringFormatterTest.php +++ b/core/modules/field/src/Tests/String/StringFormatterTest.php @@ -7,7 +7,7 @@ namespace Drupal\field\Tests\String; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Core\Entity\Display\EntityViewDisplayInterface; use Drupal\Core\Entity\FieldableEntityInterface; @@ -119,7 +119,7 @@ public function testStringFormatter() { // Verify that all HTML is escaped and newlines are retained. $this->renderEntityFields($entity, $this->display); $this->assertNoRaw($value); - $this->assertRaw(nl2br(SafeMarkup::checkPlain($value))); + $this->assertRaw(nl2br(Html::escape($value))); // Verify the cache tags. $build = $entity->{$this->fieldName}->view(); diff --git a/core/modules/field/src/Tests/String/UuidFormatterTest.php b/core/modules/field/src/Tests/String/UuidFormatterTest.php index 2eaf7e9..4d849cd 100644 --- a/core/modules/field/src/Tests/String/UuidFormatterTest.php +++ b/core/modules/field/src/Tests/String/UuidFormatterTest.php @@ -51,7 +51,7 @@ public function testUuidStringFormatter() { $render_array = $uuid_field->view(['settings' => ['link_to_entity' => TRUE]]); $this->assertIdentical($render_array[0]['#type'], 'link'); - $this->assertIdentical($render_array[0]['#title'], $entity->uuid()); + $this->assertIdentical($render_array[0]['#title']['#markup'], $entity->uuid()); $this->assertIdentical($render_array[0]['#url']->toString(), $entity->url()); } diff --git a/core/modules/field_ui/src/FieldConfigListBuilder.php b/core/modules/field_ui/src/FieldConfigListBuilder.php index d3feac1..1dd2c7c 100644 --- a/core/modules/field_ui/src/FieldConfigListBuilder.php +++ b/core/modules/field_ui/src/FieldConfigListBuilder.php @@ -8,7 +8,6 @@ namespace Drupal\field_ui; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; @@ -131,7 +130,7 @@ public function buildRow(EntityInterface $field_config) { $row = array( 'id' => Html::getClass($field_config->getName()), 'data' => array( - 'label' => SafeMarkup::checkPlain($field_config->getLabel()), + 'label' => $field_config->getLabel(), 'field_name' => $field_config->getName(), 'field_type' => array( 'data' => array( diff --git a/core/modules/field_ui/src/FieldStorageConfigListBuilder.php b/core/modules/field_ui/src/FieldStorageConfigListBuilder.php index 6e74442..0b8e567 100644 --- a/core/modules/field_ui/src/FieldStorageConfigListBuilder.php +++ b/core/modules/field_ui/src/FieldStorageConfigListBuilder.php @@ -7,6 +7,7 @@ namespace Drupal\field_ui; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; @@ -116,16 +117,10 @@ public function buildRow(EntityInterface $field_storage) { $usage[] = \Drupal::l($this->bundles[$entity_type_id][$bundle]['label'], $route_info); } else { - $usage[] = $this->bundles[$entity_type_id][$bundle]['label']; + $usage[] = Html::escape($this->bundles[$entity_type_id][$bundle]['label']); } } - $usage_escaped = ''; - $separator = ''; - foreach ($usage as $usage_item) { - $usage_escaped .= $separator . SafeMarkup::escape($usage_item); - $separator = ', '; - } - $row['data']['usage'] = SafeMarkup::set($usage_escaped); + $row['data']['usage'] = SafeMarkup::set(implode($usage, ', ')); return $row; } diff --git a/core/modules/field_ui/src/Form/EntityDisplayFormBase.php b/core/modules/field_ui/src/Form/EntityDisplayFormBase.php index 3ba0258..e27a1f5 100644 --- a/core/modules/field_ui/src/Form/EntityDisplayFormBase.php +++ b/core/modules/field_ui/src/Form/EntityDisplayFormBase.php @@ -10,7 +10,6 @@ use Drupal\Component\Plugin\Factory\DefaultFactory; use Drupal\Component\Plugin\PluginManagerBase; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityForm; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityWithPluginCollectionInterface; @@ -19,6 +18,7 @@ use Drupal\Core\Field\PluginSettingsInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Routing\RouteMatchInterface; use Drupal\field_ui\FieldUI; @@ -290,7 +290,8 @@ protected function buildFieldRow(FieldDefinitionInterface $field_definition, arr 'defaultPlugin' => $this->getDefaultPlugin($field_definition->getType()), ), 'human_name' => array( - '#markup' => SafeMarkup::checkPlain($label), + '#markup' => $label, + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'weight' => array( '#type' => 'textfield', diff --git a/core/modules/field_ui/src/Form/FieldConfigEditForm.php b/core/modules/field_ui/src/Form/FieldConfigEditForm.php index 52ace95..d4f761c 100644 --- a/core/modules/field_ui/src/Form/FieldConfigEditForm.php +++ b/core/modules/field_ui/src/Form/FieldConfigEditForm.php @@ -7,7 +7,6 @@ namespace Drupal\field_ui\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityForm; use Drupal\Core\Field\AllowedTagsXssTrait; use Drupal\Core\Form\FormStateInterface; @@ -202,7 +201,7 @@ public function save(array $form, FormStateInterface $form_state) { * The label of the field. */ public function getTitle(FieldConfigInterface $field_config) { - return SafeMarkup::checkPlain($field_config->label()); + return $field_config->label(); } } diff --git a/core/modules/file/file.module b/core/modules/file/file.module index c4163e6..25ad8df 100644 --- a/core/modules/file/file.module +++ b/core/modules/file/file.module @@ -5,7 +5,7 @@ * Defines a "managed_file" Form API field and a "file" field for Field module. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Datetime\Entity\DateFormat; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Form\FormStateInterface; @@ -968,15 +968,15 @@ function file_tokens($type, $tokens, array $data, array $options, BubbleableMeta // Essential file data case 'name': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($file->getFilename()) : $file->getFilename(); + $replacements[$original] = $sanitize ? Html::escape($file->getFilename()) : $file->getFilename(); break; case 'path': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($file->getFileUri()) : $file->getFileUri(); + $replacements[$original] = $sanitize ? Html::escape($file->getFileUri()) : $file->getFileUri(); break; case 'mime': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($file->getMimeType()) : $file->getMimeType(); + $replacements[$original] = $sanitize ? Html::escape($file->getMimeType()) : $file->getMimeType(); break; case 'size': @@ -984,7 +984,7 @@ function file_tokens($type, $tokens, array $data, array $options, BubbleableMeta break; case 'url': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain(file_create_url($file->getFileUri())) : file_create_url($file->getFileUri()); + $replacements[$original] = $sanitize ? Html::escape(file_create_url($file->getFileUri())) : file_create_url($file->getFileUri()); break; // These tokens are default variations on the chained tokens handled below. @@ -1004,7 +1004,7 @@ function file_tokens($type, $tokens, array $data, array $options, BubbleableMeta $owner = $file->getOwner(); $bubbleable_metadata->addCacheableDependency($owner); $name = $owner->label(); - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($name) : $name; + $replacements[$original] = $sanitize ? Html::escape($name) : $name; break; } } @@ -1248,7 +1248,7 @@ function template_preprocess_file_link(&$variables) { } else { $link_text = $variables['description']; - $options['attributes']['title'] = SafeMarkup::checkPlain($file_entity->getFilename()); + $options['attributes']['title'] = Html::escape($file_entity->getFilename()); } // Classes to add to the file field for icons. diff --git a/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php b/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php index a2d1fef..2b14328 100644 --- a/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php +++ b/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php @@ -7,7 +7,6 @@ namespace Drupal\file\Plugin\Field\FieldWidget; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\NestedArray; use Drupal\Core\Field\FieldDefinitionInterface; use Drupal\Core\Field\FieldItemListInterface; @@ -118,7 +117,7 @@ protected function formMultipleElements(FieldItemListInterface $items, array &$f break; } - $title = SafeMarkup::checkPlain($this->fieldDefinition->getLabel()); + $title = $this->fieldDefinition->getLabel(); $description = $this->fieldFilterXss($this->fieldDefinition->getDescription()); $elements = array(); diff --git a/core/modules/file/src/Plugin/views/argument/Fid.php b/core/modules/file/src/Plugin/views/argument/Fid.php index d935386..100b735 100644 --- a/core/modules/file/src/Plugin/views/argument/Fid.php +++ b/core/modules/file/src/Plugin/views/argument/Fid.php @@ -10,7 +10,6 @@ use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Entity\Query\QueryFactory; use Drupal\views\Plugin\views\argument\NumericArgument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -81,7 +80,7 @@ public function titleQuery() { $files = $controller->loadMultiple($fids); $titles = array(); foreach ($files as $file) { - $titles[] = SafeMarkup::checkPlain($file->getFilename()); + $titles[] = $file->getFilename(); } return $titles; } diff --git a/core/modules/file/src/Tests/FileTokenReplaceTest.php b/core/modules/file/src/Tests/FileTokenReplaceTest.php index 2d289c4..0f771d0 100644 --- a/core/modules/file/src/Tests/FileTokenReplaceTest.php +++ b/core/modules/file/src/Tests/FileTokenReplaceTest.php @@ -7,7 +7,7 @@ namespace Drupal\file\Tests; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Render\BubbleableMetadata; use Drupal\file\Entity\File; @@ -47,16 +47,16 @@ function testFileTokenReplacement() { // Generate and test sanitized tokens. $tests = array(); $tests['[file:fid]'] = $file->id(); - $tests['[file:name]'] = SafeMarkup::checkPlain($file->getFilename()); - $tests['[file:path]'] = SafeMarkup::checkPlain($file->getFileUri()); - $tests['[file:mime]'] = SafeMarkup::checkPlain($file->getMimeType()); + $tests['[file:name]'] = Html::escape($file->getFilename()); + $tests['[file:path]'] = Html::escape($file->getFileUri()); + $tests['[file:mime]'] = Html::escape($file->getMimeType()); $tests['[file:size]'] = format_size($file->getSize()); - $tests['[file:url]'] = SafeMarkup::checkPlain(file_create_url($file->getFileUri())); + $tests['[file:url]'] = Html::escape(file_create_url($file->getFileUri())); $tests['[file:created]'] = format_date($file->getCreatedTime(), 'medium', '', NULL, $language_interface->getId()); $tests['[file:created:short]'] = format_date($file->getCreatedTime(), 'short', '', NULL, $language_interface->getId()); $tests['[file:changed]'] = format_date($file->getChangedTime(), 'medium', '', NULL, $language_interface->getId()); $tests['[file:changed:short]'] = format_date($file->getChangedTime(), 'short', '', NULL, $language_interface->getId()); - $tests['[file:owner]'] = SafeMarkup::checkPlain(user_format_name($this->adminUser)); + $tests['[file:owner]'] = Html::escape(user_format_name($this->adminUser)); $tests['[file:owner:uid]'] = $file->getOwnerId(); $base_bubbleable_metadata = BubbleableMetadata::createFromObject($file); diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module index c186576..1b29288 100644 --- a/core/modules/filter/filter.module +++ b/core/modules/filter/filter.module @@ -7,7 +7,6 @@ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Render\Element; @@ -437,7 +436,7 @@ function template_preprocess_filter_tips(&$variables) { $variables['tips'][$name] = array( 'attributes' => new Attribute(), - 'name' => SafeMarkup::checkPlain($name), + 'name' => $name, 'list' => $tiplist, ); } @@ -616,8 +615,8 @@ function _filter_url_parse_full_links($match) { $i = 1; $match[$i] = Html::decodeEntities($match[$i]); - $caption = SafeMarkup::checkPlain(_filter_url_trim($match[$i])); - $match[$i] = SafeMarkup::checkPlain($match[$i]); + $caption = Html::escape(_filter_url_trim($match[$i])); + $match[$i] = Html::escape($match[$i]); return '' . $caption . ''; } @@ -631,8 +630,8 @@ function _filter_url_parse_email_links($match) { $i = 0; $match[$i] = Html::decodeEntities($match[$i]); - $caption = SafeMarkup::checkPlain(_filter_url_trim($match[$i])); - $match[$i] = SafeMarkup::checkPlain($match[$i]); + $caption = Html::escape(_filter_url_trim($match[$i])); + $match[$i] = Html::escape($match[$i]); return '' . $caption . ''; } @@ -646,8 +645,8 @@ function _filter_url_parse_partial_links($match) { $i = 1; $match[$i] = Html::decodeEntities($match[$i]); - $caption = SafeMarkup::checkPlain(_filter_url_trim($match[$i])); - $match[$i] = SafeMarkup::checkPlain($match[$i]); + $caption = Html::escape(_filter_url_trim($match[$i])); + $match[$i] = Html::escape($match[$i]); return '' . $caption . ''; } @@ -778,7 +777,7 @@ function _filter_autop($text) { * Escapes all HTML tags, so they will be visible instead of being effective. */ function _filter_html_escape($text) { - return trim(SafeMarkup::checkPlain($text)); + return trim(Html::escape($text)); } /** diff --git a/core/modules/filter/src/FilterFormatFormBase.php b/core/modules/filter/src/FilterFormatFormBase.php index 77b5433..37b26e7 100644 --- a/core/modules/filter/src/FilterFormatFormBase.php +++ b/core/modules/filter/src/FilterFormatFormBase.php @@ -79,7 +79,7 @@ public function form(array $form, FormStateInterface $form_state) { $form['roles'] = array( '#type' => 'checkboxes', '#title' => $this->t('Roles'), - '#options' => array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names()), + '#options' => user_role_names(), '#disabled' => $is_fallback, '#weight' => -10, ); diff --git a/core/modules/filter/src/FilterFormatListBuilder.php b/core/modules/filter/src/FilterFormatListBuilder.php index 8f46cbc..eb19db7 100644 --- a/core/modules/filter/src/FilterFormatListBuilder.php +++ b/core/modules/filter/src/FilterFormatListBuilder.php @@ -107,7 +107,7 @@ public function buildRow(EntityInterface $entity) { } else { $row['label'] = $this->getLabel($entity); - $roles = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', filter_get_roles_by_format($entity)); + $roles = filter_get_roles_by_format($entity); $roles_markup = $roles ? implode(', ', $roles) : $this->t('No roles may use this format'); } diff --git a/core/modules/filter/src/Plugin/Filter/FilterCaption.php b/core/modules/filter/src/Plugin/Filter/FilterCaption.php index e199538..634319a 100644 --- a/core/modules/filter/src/Plugin/Filter/FilterCaption.php +++ b/core/modules/filter/src/Plugin/Filter/FilterCaption.php @@ -40,7 +40,7 @@ public function process($text, $langcode) { $xpath = new \DOMXPath($dom); foreach ($xpath->query('//*[@data-caption]') as $node) { // Read the data-caption attribute's value, then delete it. - $caption = SafeMarkup::checkPlain($node->getAttribute('data-caption')); + $caption = Html::escape($node->getAttribute('data-caption')); $node->removeAttribute('data-caption'); // Sanitize caption: decode HTML encoding, limit allowed HTML tags; only diff --git a/core/modules/filter/src/Plugin/Filter/FilterHtml.php b/core/modules/filter/src/Plugin/Filter/FilterHtml.php index 63e3f57..3a39f5f 100644 --- a/core/modules/filter/src/Plugin/Filter/FilterHtml.php +++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php @@ -9,6 +9,7 @@ use Drupal\Core\Form\FormStateInterface; use Drupal\Component\Utility\Html; +use Drupal\Core\Render\Element\Markup; use Drupal\filter\FilterProcessResult; use Drupal\filter\Plugin\FilterBase; @@ -149,7 +150,8 @@ public function tips($long = FALSE) { array('data' => array( '#prefix' => '', - '#markup' => Html::escape($tips[$tag][1]), + '#markup' => $tips[$tag][1], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, '#suffix' => '' ), 'class' => array('type')), @@ -193,7 +195,8 @@ public function tips($long = FALSE) { array( 'data' => array( '#prefix' => '', - '#markup' => Html::escape($entity[1]), + '#markup' => $entity[1], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, '#suffix' => '', ), 'class' => array('type'), diff --git a/core/modules/filter/src/Tests/FilterUnitTest.php b/core/modules/filter/src/Tests/FilterUnitTest.php index fe7664c..003e4d0 100644 --- a/core/modules/filter/src/Tests/FilterUnitTest.php +++ b/core/modules/filter/src/Tests/FilterUnitTest.php @@ -8,7 +8,6 @@ namespace Drupal\filter\Tests; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Render\RenderContext; use Drupal\editor\EditorXssFilter\Standard; use Drupal\filter\Entity\FilterFormat; @@ -480,7 +479,7 @@ function testNoFollowFilter() { /** * Tests the HTML escaping filter. * - * \Drupal\Component\Utility\SafeMarkup::checkPlain() is not tested here. + * \Drupal\Component\Utility\Html::escape() is not tested here. */ function testHtmlEscapeFilter() { // Get FilterHtmlEscape object. @@ -849,10 +848,10 @@ function assertFilteredString($filter, $tests) { ))); } if (!$success) { - $this->verbose('Source:
    ' . SafeMarkup::checkPlain(var_export($source, TRUE)) . '
    ' - . '
    ' . 'Result:
    ' . SafeMarkup::checkPlain(var_export($result, TRUE)) . '
    ' + $this->verbose('Source:
    ' . Html::escape(var_export($source, TRUE)) . '
    ' + . '
    ' . 'Result:
    ' . Html::escape(var_export($result, TRUE)) . '
    ' . '
    ' . ($is_expected ? 'Expected:' : 'Not expected:') - . '
    ' . SafeMarkup::checkPlain(var_export($value, TRUE)) . '
    ' + . '
    ' . Html::escape(var_export($value, TRUE)) . '
    ' ); } } diff --git a/core/modules/forum/forum.module b/core/modules/forum/forum.module index 90086a6..30fbb45 100644 --- a/core/modules/forum/forum.module +++ b/core/modules/forum/forum.module @@ -10,7 +10,6 @@ use Drupal\Component\Utility\Xss; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Url; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Routing\RouteMatchInterface; use Drupal\user\Entity\User; @@ -447,7 +446,7 @@ function template_preprocess_forums(&$variables) { // them is a shadow copy. if ($variables['tid'] != $topic->forum_tid) { $variables['topics'][$id]->moved = TRUE; - $variables['topics'][$id]->title = SafeMarkup::checkPlain($topic->getTitle()); + $variables['topics'][$id]->title = $topic->getTitle(); $variables['topics'][$id]->message = \Drupal::l(t('This topic has been moved'), new Url('forum.page', ['taxonomy_term' => $topic->forum_tid])); } else { @@ -542,7 +541,7 @@ function template_preprocess_forum_list(&$variables) { foreach ($variables['forums'] as $id => $forum) { $variables['forums'][$id]->description = array('#markup' => $forum->description->value); $variables['forums'][$id]->link = forum_uri($forum); - $variables['forums'][$id]->name = SafeMarkup::checkPlain($forum->label()); + $variables['forums'][$id]->name = $forum->label(); $variables['forums'][$id]->is_container = !empty($forum->forum_container->value); $variables['forums'][$id]->zebra = $row % 2 == 0 ? 'odd' : 'even'; $row++; diff --git a/core/modules/help/src/Controller/HelpController.php b/core/modules/help/src/Controller/HelpController.php index 802f9d9..4ebd4c8 100644 --- a/core/modules/help/src/Controller/HelpController.php +++ b/core/modules/help/src/Controller/HelpController.php @@ -12,7 +12,6 @@ use Drupal\Core\Url; use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use Drupal\Component\Utility\SafeMarkup; /** * Controller routines for help routes. @@ -115,7 +114,7 @@ public function helpPage($name) { $build = array(); if ($this->moduleHandler()->implementsHook($name, 'help')) { $module_name = $this->moduleHandler()->getName($name); - $build['#title'] = SafeMarkup::checkPlain($module_name); + $build['#title'] = $module_name; $temp = $this->moduleHandler()->invoke($name, 'help', array("help.page.$name", $this->routeMatch)); if (empty($temp)) { diff --git a/core/modules/image/image.admin.inc b/core/modules/image/image.admin.inc index 0c98603..b3d4a6e 100644 --- a/core/modules/image/image.admin.inc +++ b/core/modules/image/image.admin.inc @@ -5,7 +5,6 @@ * Administration pages for image settings. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Render\Element; /** @@ -20,8 +19,8 @@ function template_preprocess_image_style_preview(&$variables) { // Style information. $style = $variables['style']; - $variables['style_id'] = SafeMarkup::checkPlain($style->id()); - $variables['style_name'] = SafeMarkup::checkPlain($style->label()); + $variables['style_id'] = $style->id(); + $variables['style_name'] = $style->label(); // Cache bypass token. $variables['cache_bypass'] = REQUEST_TIME; diff --git a/core/modules/image/src/Form/ImageStyleEditForm.php b/core/modules/image/src/Form/ImageStyleEditForm.php index b07090b..dc94099 100644 --- a/core/modules/image/src/Form/ImageStyleEditForm.php +++ b/core/modules/image/src/Form/ImageStyleEditForm.php @@ -9,10 +9,10 @@ use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Url; use Drupal\image\ConfigurableImageEffectInterface; use Drupal\image\ImageEffectManager; -use Drupal\Component\Utility\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -99,7 +99,8 @@ public function form(array $form, FormStateInterface $form_state) { '#tree' => FALSE, 'data' => array( 'label' => array( - '#markup' => SafeMarkup::checkPlain($effect->label()), + '#markup' => $effect->label(), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), ), ); diff --git a/core/modules/language/language.admin.inc b/core/modules/language/language.admin.inc index 8c35c6b..7617414 100644 --- a/core/modules/language/language.admin.inc +++ b/core/modules/language/language.admin.inc @@ -5,8 +5,8 @@ * Administration functions for language.module. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Render\Element; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Template\Attribute; use Drupal\Core\Url; @@ -170,7 +170,8 @@ function template_preprocess_language_content_settings_table(&$variables) { 'data' => array( '#prefix' => '', - '#markup' => SafeMarkup::checkPlain($element[$bundle]['settings']['#label']), + '#markup' => $element[$bundle]['settings']['#label'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'class' => array('bundle'), ), diff --git a/core/modules/language/src/Form/LanguageFormBase.php b/core/modules/language/src/Form/LanguageFormBase.php index e3711ed..bbafe0e 100644 --- a/core/modules/language/src/Form/LanguageFormBase.php +++ b/core/modules/language/src/Form/LanguageFormBase.php @@ -7,7 +7,7 @@ namespace Drupal\language\Form; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Entity\EntityForm; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; @@ -106,7 +106,7 @@ public function validateCommon(array $form, FormStateInterface $form_state) { '@url' => 'http://www.w3.org/International/articles/language-tags/', ))); } - if ($form_state->getValue('label') != SafeMarkup::checkPlain($form_state->getValue('label'))) { + if ($form_state->getValue('label') != Html::escape($form_state->getValue('label'))) { $form_state->setErrorByName('label', $this->t('%field cannot contain any markup.', array('%field' => $form['label']['#title']))); } } diff --git a/core/modules/language/src/Form/NegotiationConfigureForm.php b/core/modules/language/src/Form/NegotiationConfigureForm.php index 938564e..f1ebc15 100644 --- a/core/modules/language/src/Form/NegotiationConfigureForm.php +++ b/core/modules/language/src/Form/NegotiationConfigureForm.php @@ -8,7 +8,6 @@ namespace Drupal\language\Form; use Drupal\Core\Block\BlockManagerInterface; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Xss; use Drupal\Core\Config\ConfigFactoryInterface; @@ -277,11 +276,11 @@ protected function configureFormTable(array &$form, $type) { if (isset($types[$type])) { $table_form['#language_negotiation_info'][$method_id] = $method; - $method_name = SafeMarkup::checkPlain($method['name']); + $method_name = $method['name']; $table_form['weight'][$method_id] = array( '#type' => 'weight', - '#title' => $this->t('Weight for !title language detection method', array('!title' => Unicode::strtolower($method_name))), + '#title' => $this->t('Weight for @title language detection method', array('@title' => Unicode::strtolower($method_name))), '#title_display' => 'invisible', '#default_value' => $weight, '#attributes' => array('class' => array("language-method-weight-$type")), @@ -292,7 +291,7 @@ protected function configureFormTable(array &$form, $type) { $table_form['enabled'][$method_id] = array( '#type' => 'checkbox', - '#title' => $this->t('Enable !title language detection method', array('!title' => Unicode::strtolower($method_name))), + '#title' => $this->t('Enable @title language detection method', array('@title' => Unicode::strtolower($method_name))), '#title_display' => 'invisible', '#default_value' => $enabled, ); diff --git a/core/modules/link/link.module b/core/modules/link/link.module index 8ce087f..e8d53f8 100644 --- a/core/modules/link/link.module +++ b/core/modules/link/link.module @@ -5,7 +5,6 @@ * Defines simple link field types. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Routing\RouteMatchInterface; /** @@ -62,9 +61,5 @@ function link_theme() { * - url: A \Drupal\Core\Url object. */ function template_preprocess_link_formatter_link_separate(&$variables) { - if (!empty($variables['title'])) { - $variables['title'] = SafeMarkup::checkPlain($variables['title']); - } - $variables['link'] = \Drupal::l($variables['url_title'], $variables['url']); } diff --git a/core/modules/link/src/Plugin/Field/FieldFormatter/LinkFormatter.php b/core/modules/link/src/Plugin/Field/FieldFormatter/LinkFormatter.php index eb3804a..02f06ed 100644 --- a/core/modules/link/src/Plugin/Field/FieldFormatter/LinkFormatter.php +++ b/core/modules/link/src/Plugin/Field/FieldFormatter/LinkFormatter.php @@ -7,7 +7,6 @@ namespace Drupal\link\Plugin\Field\FieldFormatter; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Field\FieldDefinitionInterface; @@ -16,6 +15,7 @@ use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Path\PathValidatorInterface; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Url; use Drupal\link\LinkItemInterface; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -201,7 +201,8 @@ public function viewElements(FieldItemListInterface $items) { if (!empty($settings['url_only']) && !empty($settings['url_plain'])) { $element[$delta] = array( - '#markup' => SafeMarkup::checkPlain($link_title), + '#markup' => $link_title, + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ); if (!empty($item->_attributes)) { diff --git a/core/modules/link/src/Tests/LinkFieldTest.php b/core/modules/link/src/Tests/LinkFieldTest.php index 558e78f..b39a2f5 100644 --- a/core/modules/link/src/Tests/LinkFieldTest.php +++ b/core/modules/link/src/Tests/LinkFieldTest.php @@ -7,7 +7,7 @@ namespace Drupal\link\Tests; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Core\Url; use Drupal\link\LinkItemInterface; @@ -420,39 +420,39 @@ function testLinkFormatter() { case 'trim_length': $url = $url1; $title = isset($new_value) ? Unicode::truncate($title1, $new_value, FALSE, TRUE) : $title1; - $this->assertRaw('' . SafeMarkup::checkPlain($title) . ''); + $this->assertRaw('' . Html::escape($title) . ''); $url = $url2; $title = isset($new_value) ? Unicode::truncate($title2, $new_value, FALSE, TRUE) : $title2; - $this->assertRaw('' . SafeMarkup::checkPlain($title) . ''); + $this->assertRaw('' . Html::escape($title) . ''); break; case 'rel': $rel = isset($new_value) ? ' rel="' . $new_value . '"' : ''; - $this->assertRaw('' . SafeMarkup::checkPlain($title1) . ''); - $this->assertRaw('' . SafeMarkup::checkPlain($title2) . ''); + $this->assertRaw('' . Html::escape($title1) . ''); + $this->assertRaw('' . Html::escape($title2) . ''); break; case 'target': $target = isset($new_value) ? ' target="' . $new_value . '"' : ''; - $this->assertRaw('' . SafeMarkup::checkPlain($title1) . ''); - $this->assertRaw('' . SafeMarkup::checkPlain($title2) . ''); + $this->assertRaw('' . Html::escape($title1) . ''); + $this->assertRaw('' . Html::escape($title2) . ''); break; case 'url_only': // In this case, $new_value is an array. if (!$new_value['url_only']) { - $this->assertRaw('' . SafeMarkup::checkPlain($title1) . ''); - $this->assertRaw('' . SafeMarkup::checkPlain($title2) . ''); + $this->assertRaw('' . Html::escape($title1) . ''); + $this->assertRaw('' . Html::escape($title2) . ''); } else { if (empty($new_value['url_plain'])) { - $this->assertRaw('' . SafeMarkup::checkPlain($url1) . ''); - $this->assertRaw('' . SafeMarkup::checkPlain($url2) . ''); + $this->assertRaw('' . Html::escape($url1) . ''); + $this->assertRaw('' . Html::escape($url2) . ''); } else { - $this->assertNoRaw('' . SafeMarkup::checkPlain($url1) . ''); - $this->assertNoRaw('' . SafeMarkup::checkPlain($url2) . ''); + $this->assertNoRaw('' . Html::escape($url1) . ''); + $this->assertNoRaw('' . Html::escape($url2) . ''); $this->assertEscaped($url1); $this->assertEscaped($url2); } @@ -540,7 +540,7 @@ function testLinkSeparateFormatter() { $url = $url1; $url_title = isset($new_value) ? Unicode::truncate($url, $new_value, FALSE, TRUE) : $url; $expected = '
    '; - $expected .= '
    ' . SafeMarkup::checkPlain($url_title) . '
    '; + $expected .= '
    ' . Html::escape($url_title) . '
    '; $expected .= '
    '; $this->assertRaw($expected); @@ -548,22 +548,22 @@ function testLinkSeparateFormatter() { $url_title = isset($new_value) ? Unicode::truncate($url, $new_value, FALSE, TRUE) : $url; $title = isset($new_value) ? Unicode::truncate($title2, $new_value, FALSE, TRUE) : $title2; $expected = '
    '; - $expected .= '
    ' . SafeMarkup::checkPlain($title) . '
    '; - $expected .= '
    ' . SafeMarkup::checkPlain($url_title) . '
    '; + $expected .= '
    ' . Html::escape($title) . '
    '; + $expected .= '
    ' . Html::escape($url_title) . '
    '; $expected .= '
    '; $this->assertRaw($expected); break; case 'rel': $rel = isset($new_value) ? ' rel="' . $new_value . '"' : ''; - $this->assertRaw('
    ' . SafeMarkup::checkPlain($url1) . '
    '); - $this->assertRaw('
    ' . SafeMarkup::checkPlain($url2) . '
    '); + $this->assertRaw('
    ' . Html::escape($url1) . '
    '); + $this->assertRaw('
    ' . Html::escape($url2) . '
    '); break; case 'target': $target = isset($new_value) ? ' target="' . $new_value . '"' : ''; - $this->assertRaw('
    ' . SafeMarkup::checkPlain($url1) . '
    '); - $this->assertRaw('
    ' . SafeMarkup::checkPlain($url2) . '
    '); + $this->assertRaw('
    ' . Html::escape($url1) . '
    '); + $this->assertRaw('
    ' . Html::escape($url2) . '
    '); break; } } diff --git a/core/modules/locale/src/Form/TranslateEditForm.php b/core/modules/locale/src/Form/TranslateEditForm.php index bac65c7..2fee0ba 100644 --- a/core/modules/locale/src/Form/TranslateEditForm.php +++ b/core/modules/locale/src/Form/TranslateEditForm.php @@ -7,9 +7,9 @@ namespace Drupal\locale\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Render\Element; +use Drupal\Core\Render\Element\Markup; use Drupal\locale\SourceString; /** @@ -73,7 +73,10 @@ public function buildForm(array $form, FormStateInterface $form_state) { '#type' => 'item', '#title' => $this->t('Source string (@language)', array('@language' => $this->t('Built-in English'))), '#title_display' => 'invisible', - '#markup' => '' . SafeMarkup::checkPlain($source_array[0]) . '', + '#markup' => $source_array[0], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + '#preffix' => '', + '#suffix' => '', ); } else { @@ -82,13 +85,18 @@ public function buildForm(array $form, FormStateInterface $form_state) { $original_singular = [ '#type' => 'item', '#title' => $this->t('Singular form'), - '#markup' => '' . SafeMarkup::checkPlain($source_array[0]) . '', - '#prefix' => '', + '#markup' => $source_array[0], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + '#prefix' => '', + '#suffix' => '', ]; $original_plural = [ '#type' => 'item', '#title' => $this->t('Plural form'), - '#markup' => '' . SafeMarkup::checkPlain($source_array[1]) . '', + '#markup' => $source_array[1], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + '#preffix' => '', + '#suffix' => '', ]; $form['strings'][$string->lid]['original'] = [ $original_singular, diff --git a/core/modules/locale/src/Form/TranslationStatusForm.php b/core/modules/locale/src/Form/TranslationStatusForm.php index d257139..7a3ef29 100644 --- a/core/modules/locale/src/Form/TranslationStatusForm.php +++ b/core/modules/locale/src/Form/TranslationStatusForm.php @@ -7,10 +7,10 @@ namespace Drupal\locale\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\State\StateInterface; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -82,7 +82,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { // Build data options for the select table. foreach ($updates as $langcode => $update) { - $title = SafeMarkup::checkPlain($languages[$langcode]->getName()); + $title = $languages[$langcode]->getName(); $locale_translation_update_info = array('#theme' => 'locale_translation_update_info'); foreach (array('updates', 'not_found') as $update_status) { if (isset($update[$update_status])) { @@ -95,6 +95,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { 'data' => array( '#title' => $title, '#markup' => $title, + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), ), 'status' => array( diff --git a/core/modules/node/node.api.php b/core/modules/node/node.api.php index fc45df4..132f72a 100644 --- a/core/modules/node/node.api.php +++ b/core/modules/node/node.api.php @@ -1,7 +1,7 @@ $node->id())); foreach ($ratings as $rating) { - $text .= '

    ' . SafeMarkup::checkPlain($rating->title) . '

    ' . Xss::filter($rating->description); + $text .= '

    ' . Html::escape($rating->title) . '

    ' . Xss::filter($rating->description); } return $text; } diff --git a/core/modules/node/node.tokens.inc b/core/modules/node/node.tokens.inc index 1bba0cc..3294044 100644 --- a/core/modules/node/node.tokens.inc +++ b/core/modules/node/node.tokens.inc @@ -5,7 +5,7 @@ * Builds placeholder replacement tokens for node-related data. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Datetime\Entity\DateFormat; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Render\BubbleableMetadata; @@ -116,16 +116,16 @@ function node_tokens($type, $tokens, array $data, array $options, BubbleableMeta break; case 'type': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($node->getType()) : $node->getType(); + $replacements[$original] = $sanitize ? Html::escape($node->getType()) : $node->getType(); break; case 'type-name': $type_name = node_get_type_label($node); - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($type_name) : $type_name; + $replacements[$original] = $sanitize ? Html::escape($type_name) : $type_name; break; case 'title': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($node->getTitle()) : $node->getTitle(); + $replacements[$original] = $sanitize ? Html::escape($node->getTitle()) : $node->getTitle(); break; case 'body': @@ -164,7 +164,7 @@ function node_tokens($type, $tokens, array $data, array $options, BubbleableMeta break; case 'langcode': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($node->language()->getId()) : $node->language()->getId(); + $replacements[$original] = $sanitize ? Html::escape($node->language()->getId()) : $node->language()->getId(); break; case 'url': @@ -179,7 +179,7 @@ function node_tokens($type, $tokens, array $data, array $options, BubbleableMeta case 'author': $account = $node->getOwner() ? $node->getOwner() : User::load(0); $bubbleable_metadata->addCacheableDependency($account); - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($account->label()) : $account->label(); + $replacements[$original] = $sanitize ? Html::escape($account->label()) : $account->label(); break; case 'created': diff --git a/core/modules/node/src/Controller/NodePreviewController.php b/core/modules/node/src/Controller/NodePreviewController.php index 96b65b5..b1009be 100644 --- a/core/modules/node/src/Controller/NodePreviewController.php +++ b/core/modules/node/src/Controller/NodePreviewController.php @@ -7,7 +7,6 @@ namespace Drupal\node\Controller; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\Controller\EntityViewController; @@ -61,7 +60,7 @@ public function view(EntityInterface $node_preview, $view_mode_id = 'full', $lan * The page title. */ public function title(EntityInterface $node_preview) { - return SafeMarkup::checkPlain($this->entityManager->getTranslationFromContext($node_preview)->label()); + return $this->entityManager->getTranslationFromContext($node_preview)->label(); } } diff --git a/core/modules/node/src/NodeListBuilder.php b/core/modules/node/src/NodeListBuilder.php index 7acbfc9..26f2876 100644 --- a/core/modules/node/src/NodeListBuilder.php +++ b/core/modules/node/src/NodeListBuilder.php @@ -7,7 +7,6 @@ namespace Drupal\node; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Datetime\DateFormatter; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityListBuilder; @@ -119,7 +118,7 @@ public function buildRow(EntityInterface $entity) { '#suffix' => ' ' . drupal_render($mark), '#url' => $uri, ); - $row['type'] = SafeMarkup::checkPlain(node_get_type_label($entity)); + $row['type'] = node_get_type_label($entity); $row['author']['data'] = array( '#theme' => 'username', '#account' => $entity->getOwner(), diff --git a/core/modules/node/src/NodeTypeForm.php b/core/modules/node/src/NodeTypeForm.php index ff757f9..24b47b3 100644 --- a/core/modules/node/src/NodeTypeForm.php +++ b/core/modules/node/src/NodeTypeForm.php @@ -9,7 +9,6 @@ use Drupal\Core\Entity\EntityForm; use Drupal\Core\Entity\EntityManagerInterface; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityTypeInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Url; @@ -55,7 +54,7 @@ public function form(array $form, FormStateInterface $form_state) { $type = $this->entity; if ($this->operation == 'add') { - $form['#title'] = SafeMarkup::checkPlain($this->t('Add content type')); + $form['#title'] = $this->t('Add content type'); $fields = $this->entityManager->getBaseFieldDefinitions('node'); // Create a node with a fake bundle using the type's UUID so that we can // get the default values for workflow settings. diff --git a/core/modules/node/src/Plugin/Search/NodeSearch.php b/core/modules/node/src/Plugin/Search/NodeSearch.php index bab5cc9..4dc1cee 100644 --- a/core/modules/node/src/Plugin/Search/NodeSearch.php +++ b/core/modules/node/src/Plugin/Search/NodeSearch.php @@ -7,7 +7,7 @@ namespace Drupal\node\Plugin\Search; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Access\AccessResult; use Drupal\Core\Config\Config; use Drupal\Core\Database\Connection; @@ -346,7 +346,7 @@ protected function prepareResults(StatementInterface $found) { $result = array( 'link' => $node->url('canonical', array('absolute' => TRUE, 'language' => $language)), - 'type' => SafeMarkup::checkPlain($type->label()), + 'type' => $type->label(), 'title' => $node->label(), 'node' => $node, 'extra' => $extra, @@ -448,7 +448,7 @@ protected function indexNode(NodeInterface $node) { unset($build['#theme']); $rendered = $this->renderer->renderPlain($build); - $text = '

    ' . SafeMarkup::checkPlain($node->label($language->getId())) . '

    ' . $rendered; + $text = '

    ' . Html::escape($node->label($language->getId())) . '

    ' . $rendered; // Fetch extra data normally not visible. $extra = $this->moduleHandler->invokeAll('node_update_index', array($node, $language->getId())); @@ -549,7 +549,6 @@ public function searchFormAlter(array &$form, FormStateInterface $form_state) { ); // Add node types. - $types = array_map(array('\Drupal\Component\Utility\SafeMarkup', 'checkPlain'), node_type_get_names()); $form['advanced']['types-fieldset'] = array( '#type' => 'fieldset', '#title' => t('Types'), @@ -559,7 +558,7 @@ public function searchFormAlter(array &$form, FormStateInterface $form_state) { '#title' => t('Only of the type(s)'), '#prefix' => '
    ', '#suffix' => '
    ', - '#options' => $types, + '#options' => node_type_get_names(), '#default_value' => isset($defaults['type']) ? $defaults['type'] : array(), ); diff --git a/core/modules/node/src/Plugin/views/argument/Nid.php b/core/modules/node/src/Plugin/views/argument/Nid.php index 879ac9d..f0692f8 100644 --- a/core/modules/node/src/Plugin/views/argument/Nid.php +++ b/core/modules/node/src/Plugin/views/argument/Nid.php @@ -7,7 +7,6 @@ namespace Drupal\node\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\node\NodeStorageInterface; use Drupal\views\Plugin\views\argument\NumericArgument; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -62,7 +61,7 @@ public function titleQuery() { $nodes = $this->nodeStorage->loadMultiple($this->value); foreach ($nodes as $node) { - $titles[] = SafeMarkup::checkPlain($node->label()); + $titles[] = $node->label(); } return $titles; } diff --git a/core/modules/node/src/Plugin/views/argument/Type.php b/core/modules/node/src/Plugin/views/argument/Type.php index 26ab17a..62ab17d 100644 --- a/core/modules/node/src/Plugin/views/argument/Type.php +++ b/core/modules/node/src/Plugin/views/argument/Type.php @@ -7,7 +7,6 @@ namespace Drupal\node\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\views\Plugin\views\argument\StringArgument; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -76,7 +75,7 @@ function title() { function node_type($type_name) { $type = $this->nodeTypeStorage->load($type_name); $output = $type ? $type->label() : $this->t('Unknown content type'); - return SafeMarkup::checkPlain($output); + return $output; } } diff --git a/core/modules/node/src/Plugin/views/argument/Vid.php b/core/modules/node/src/Plugin/views/argument/Vid.php index c223a72..77f2bb5 100644 --- a/core/modules/node/src/Plugin/views/argument/Vid.php +++ b/core/modules/node/src/Plugin/views/argument/Vid.php @@ -7,7 +7,6 @@ namespace Drupal\node\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Database\Connection; use Drupal\views\Plugin\views\argument\NumericArgument; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -84,7 +83,7 @@ public function titleQuery() { foreach ($results as $result) { $nodes[$result['nid']]->set('title', $result['title']); - $titles[] = SafeMarkup::checkPlain($nodes[$result['nid']]->label()); + $titles[] = $nodes[$result['nid']]->label(); } return $titles; diff --git a/core/modules/node/src/Plugin/views/row/Rss.php b/core/modules/node/src/Plugin/views/row/Rss.php index 098012f..e73d527 100644 --- a/core/modules/node/src/Plugin/views/row/Rss.php +++ b/core/modules/node/src/Plugin/views/row/Rss.php @@ -7,7 +7,6 @@ namespace Drupal\node\Plugin\views\row; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\views\Plugin\views\row\RssPluginBase; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -78,7 +77,7 @@ public function buildOptionsForm_summary_options() { public function summaryTitle() { $options = $this->buildOptionsForm_summary_options(); - return SafeMarkup::checkPlain($options[$this->options['view_mode']]); + return $options[$this->options['view_mode']]; } public function preRender($values) { diff --git a/core/modules/node/src/Tests/NodeTitleXSSTest.php b/core/modules/node/src/Tests/NodeTitleXSSTest.php index f0e80ea..70e4498 100644 --- a/core/modules/node/src/Tests/NodeTitleXSSTest.php +++ b/core/modules/node/src/Tests/NodeTitleXSSTest.php @@ -7,6 +7,8 @@ namespace Drupal\node\Tests; +use Drupal\Component\Utility\Html; + /** * Create a node with dangerous tags in its title and test that they are * escaped. @@ -34,8 +36,8 @@ function testNodeTitleXSS() { $node = $this->drupalCreateNode($settings); $this->drupalGet('node/' . $node->id()); - // assertTitle() decodes HTML-entities inside the element. - $this->assertTitle($title . ' | Drupal', 'Title is displayed when viewing a node.'); + // Titles should be escaped. + $this->assertTitle(Html::escape($title) . ' | Drupal', 'Title is displayed when viewing a node.'); $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.'); $this->drupalGet('node/' . $node->id() . '/edit'); diff --git a/core/modules/node/src/Tests/NodeTokenReplaceTest.php b/core/modules/node/src/Tests/NodeTokenReplaceTest.php index 9bfbdb4..84be404 100644 --- a/core/modules/node/src/Tests/NodeTokenReplaceTest.php +++ b/core/modules/node/src/Tests/NodeTokenReplaceTest.php @@ -9,7 +9,7 @@ use Drupal\Core\Render\BubbleableMetadata; use Drupal\system\Tests\System\TokenReplaceUnitTestBase; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; /** * Generates text using placeholders for dummy content to check node token @@ -65,15 +65,15 @@ function testNodeTokenReplacement() { $tests['[node:vid]'] = $node->getRevisionId(); $tests['[node:type]'] = 'article'; $tests['[node:type-name]'] = 'Article'; - $tests['[node:title]'] = SafeMarkup::checkPlain($node->getTitle()); + $tests['[node:title]'] = Html::escape($node->getTitle()); $tests['[node:body]'] = $node->body->processed; $tests['[node:summary]'] = $node->body->summary_processed; - $tests['[node:langcode]'] = SafeMarkup::checkPlain($node->language()->getId()); + $tests['[node:langcode]'] = Html::escape($node->language()->getId()); $tests['[node:url]'] = $node->url('canonical', $url_options); $tests['[node:edit-url]'] = $node->url('edit-form', $url_options); - $tests['[node:author]'] = SafeMarkup::checkPlain($account->getUsername()); + $tests['[node:author]'] = Html::escape($account->getUsername()); $tests['[node:author:uid]'] = $node->getOwnerId(); - $tests['[node:author:name]'] = SafeMarkup::checkPlain($account->getUsername()); + $tests['[node:author:name]'] = Html::escape($account->getUsername()); $tests['[node:created:since]'] = \Drupal::service('date.formatter')->formatTimeDiffSince($node->getCreatedTime(), array('langcode' => $this->interfaceLanguage->getId())); $tests['[node:changed:since]'] = \Drupal::service('date.formatter')->formatTimeDiffSince($node->getChangedTime(), array('langcode' => $this->interfaceLanguage->getId())); diff --git a/core/modules/options/src/Plugin/views/argument/NumberListField.php b/core/modules/options/src/Plugin/views/argument/NumberListField.php index d99d86f..502d8a5 100644 --- a/core/modules/options/src/Plugin/views/argument/NumberListField.php +++ b/core/modules/options/src/Plugin/views/argument/NumberListField.php @@ -7,7 +7,6 @@ namespace Drupal\options\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Field\AllowedTagsXssTrait; use Drupal\Core\Form\FormStateInterface; use Drupal\views\FieldAPIHandlerTrait; @@ -84,7 +83,7 @@ public function summaryName($data) { } // Else, fallback to the key. else { - return SafeMarkup::checkPlain($value); + return $value; } } diff --git a/core/modules/options/src/Plugin/views/argument/StringListField.php b/core/modules/options/src/Plugin/views/argument/StringListField.php index a36ef7a..12dc329 100644 --- a/core/modules/options/src/Plugin/views/argument/StringListField.php +++ b/core/modules/options/src/Plugin/views/argument/StringListField.php @@ -13,7 +13,6 @@ use Drupal\views\ViewExecutable; use Drupal\views\Plugin\views\display\DisplayPluginBase; use Drupal\views\Plugin\views\argument\StringArgument; -use Drupal\Component\Utility\SafeMarkup; /** * Argument handler for list field to show the human readable name in summary. @@ -84,7 +83,7 @@ public function summaryName($data) { } // Else, fallback to the key. else { - return $this->caseTransform(SafeMarkup::checkPlain($value), $this->options['case']); + return $this->caseTransform($value, $this->options['case']); } } diff --git a/core/modules/path/src/Form/EditForm.php b/core/modules/path/src/Form/EditForm.php index fc85a42..a1f4a77 100644 --- a/core/modules/path/src/Form/EditForm.php +++ b/core/modules/path/src/Form/EditForm.php @@ -7,7 +7,6 @@ namespace Drupal\path\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Url; @@ -36,7 +35,7 @@ protected function buildPath($pid) { public function buildForm(array $form, FormStateInterface $form_state, $pid = NULL) { $form = parent::buildForm($form, $form_state, $pid); - $form['#title'] = SafeMarkup::checkPlain($this->path['alias']); + $form['#title'] = $this->path['alias']; $form['pid'] = array( '#type' => 'hidden', '#value' => $this->path['pid'], diff --git a/core/modules/quickedit/src/MetadataGenerator.php b/core/modules/quickedit/src/MetadataGenerator.php index 1de5fc6..289ad53 100644 --- a/core/modules/quickedit/src/MetadataGenerator.php +++ b/core/modules/quickedit/src/MetadataGenerator.php @@ -8,7 +8,6 @@ namespace Drupal\quickedit; use Drupal\Component\Plugin\PluginManagerInterface; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Field\FieldItemListInterface; use Drupal\quickedit\Access\EditEntityFieldAccessCheckInterface; diff --git a/core/modules/rdf/rdf.module b/core/modules/rdf/rdf.module index 0a7e1f8..107fbad 100644 --- a/core/modules/rdf/rdf.module +++ b/core/modules/rdf/rdf.module @@ -5,7 +5,6 @@ * Enables semantically enriched output for Drupal sites in the form of RDFa. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Routing\RouteMatchInterface; use Drupal\Core\Template\Attribute; @@ -419,7 +418,7 @@ function rdf_preprocess_username(&$variables) { // Long usernames are truncated by template_preprocess_username(). Store the // full name in the content attribute so it can be extracted in RDFa. if ($variables['truncated']) { - $variables['attributes']['content'] = SafeMarkup::checkPlain($variables['name_raw']); + $variables['attributes']['content'] = $variables['name_raw']; } } diff --git a/core/modules/rest/src/Plugin/views/display/RestExport.php b/core/modules/rest/src/Plugin/views/display/RestExport.php index ae5ac7e..f881e27 100644 --- a/core/modules/rest/src/Plugin/views/display/RestExport.php +++ b/core/modules/rest/src/Plugin/views/display/RestExport.php @@ -7,9 +7,11 @@ namespace Drupal\rest\Plugin\views\display; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Cache\CacheableMetadata; use Drupal\Core\Cache\CacheableResponse; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Render\RenderContext; use Drupal\Core\Render\RendererInterface; use Drupal\Core\Routing\RouteProviderInterface; @@ -320,7 +322,9 @@ public function render() { // Wrap the output in a pre tag if this is for a live preview. if (!empty($this->view->live_preview)) { $build['#prefix'] = '<pre>'; - $build['#markup'] = SafeMarkup::checkPlain($build['#markup']); + // Cause #markup to lose its SafeStringInterface object wrapper. + $build['#markup'] = (string) $build['#markup']; + $build['#safe_strategy'] = Markup::SAFE_STRATEGY_ESCAPE; $build['#suffix'] = '</pre>'; } elseif ($this->view->getRequest()->getFormat($this->view->element['#content_type']) !== 'html') { diff --git a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php index a0f482a..37958ba 100644 --- a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php +++ b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php @@ -7,7 +7,7 @@ namespace Drupal\rest\Tests\Views; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Cache\Cache; use Drupal\entity_test\Entity\EntityTest; use Drupal\system\Tests\Cache\AssertPageCacheContextsAndTagsTrait; @@ -480,16 +480,16 @@ public function testLivePreview() { $entities[] = $row->_entity; } - $expected = SafeMarkup::checkPlain($serializer->serialize($entities, 'json')); + $expected = '<pre>' . Html::escape($serializer->serialize($entities, 'json')) . '</pre>'; $view->live_preview = TRUE; $build = $view->preview(); - $rendered_json = $build['#markup']; + $rendered_json = \Drupal::service('renderer')->renderPlain($build); $this->assertEqual($rendered_json, $expected, 'Ensure the previewed json is escaped.'); $view->destroy(); - $expected = SafeMarkup::checkPlain($serializer->serialize($entities, 'xml')); + $expected = '<pre>' . Html::escape($serializer->serialize($entities, 'xml')) . '</pre>'; // Change the request format to xml. $view->setDisplay('rest_export_1'); @@ -505,7 +505,7 @@ public function testLivePreview() { $this->executeView($view); $build = $view->preview(); - $rendered_xml = $build['#markup']; + $rendered_xml = \Drupal::service('renderer')->renderPlain($build); $this->assertEqual($rendered_xml, $expected, 'Ensure we preview xml when we change the request format.'); } diff --git a/core/modules/search/search.module b/core/modules/search/search.module index 14ecb23..3ffa639 100644 --- a/core/modules/search/search.module +++ b/core/modules/search/search.module @@ -5,7 +5,6 @@ * Enables site-wide keyword searching. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Core\Cache\Cache; @@ -767,7 +766,7 @@ function search_excerpt($keys, $text, $langcode = NULL) { // translated. Let translators have the … separator text as one chunk. $ellipses = explode('!excerpt', t('… !excerpt … !excerpt …')); $text = (isset($new_ranges[0]) ? '' : $ellipses[0]) . implode($ellipses[1], $out) . (($max_end < strlen($text) - 1) ? $ellipses[2] : ''); - $text = SafeMarkup::checkPlain($text); + $text = Html::escape($text); // Highlight keywords. Must be done at once to prevent conflicts ('strong' // and '<strong>'). diff --git a/core/modules/search/search.pages.inc b/core/modules/search/search.pages.inc index b50a6cd..518a08b 100644 --- a/core/modules/search/search.pages.inc +++ b/core/modules/search/search.pages.inc @@ -5,7 +5,6 @@ * User page callbacks for the Search module. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Language\LanguageInterface; /** @@ -36,7 +35,7 @@ function template_preprocess_search_result(&$variables) { $result = $variables['result']; $variables['url'] = check_url($result['link']); - $variables['title'] = SafeMarkup::checkPlain($result['title']); + $variables['title'] = $result['title']; if (isset($result['language']) && $result['language'] != $language_interface->getId() && $result['language'] != LanguageInterface::LANGCODE_NOT_SPECIFIED) { $variables['title_attributes']['lang'] = $result['language']; $variables['content_attributes']['lang'] = $result['language']; @@ -44,7 +43,7 @@ function template_preprocess_search_result(&$variables) { $info = array(); if (!empty($result['plugin_id'])) { - $info['plugin_id'] = SafeMarkup::checkPlain($result['plugin_id']); + $info['plugin_id'] = $result['plugin_id']; } if (!empty($result['user'])) { $info['user'] = $result['user']; diff --git a/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php b/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php index 7789f7a..9895d7e 100644 --- a/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php +++ b/core/modules/search/src/Tests/SearchKeywordsConditionsTest.php @@ -7,8 +7,6 @@ namespace Drupal\search\Tests; -use Drupal\Component\Utility\SafeMarkup; - /** * Verify the search without keywords set and extra conditions. * @@ -61,6 +59,6 @@ function testSearchKeywordsConditions() { $keys = 'moving drop ' . $this->randomMachineName(); $this->drupalGet("search/dummy_path", array('query' => array('keys' => 'bike', 'search_conditions' => $keys))); $this->assertText("Dummy search snippet to display."); - $this->assertRaw(SafeMarkup::checkPlain(print_r(array('keys' => 'bike', 'search_conditions' => $keys), TRUE))); + $this->assertEscaped(print_r(array('keys' => 'bike', 'search_conditions' => $keys), TRUE)); } } diff --git a/core/modules/shortcut/src/Form/SwitchShortcutSet.php b/core/modules/shortcut/src/Form/SwitchShortcutSet.php index 5388db5..9bc34ca 100644 --- a/core/modules/shortcut/src/Form/SwitchShortcutSet.php +++ b/core/modules/shortcut/src/Form/SwitchShortcutSet.php @@ -7,7 +7,6 @@ namespace Drupal\shortcut\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Routing\RouteMatchInterface; @@ -71,7 +70,7 @@ public function buildForm(array $form, FormStateInterface $form_state, UserInter // Prepare the list of shortcut sets. $options = array_map(function (ShortcutSet $set) { - return SafeMarkup::checkPlain($set->label()); + return $set->label(); }, $this->shortcutSetStorage->loadMultiple()); $current_set = shortcut_current_displayed_set($this->user); diff --git a/core/modules/simpletest/src/AssertContentTrait.php b/core/modules/simpletest/src/AssertContentTrait.php index 9eda1c5..c601943 100644 --- a/core/modules/simpletest/src/AssertContentTrait.php +++ b/core/modules/simpletest/src/AssertContentTrait.php @@ -847,8 +847,8 @@ protected function assertThemeOutput($callback, array $variables = array(), $exp return \Drupal::theme()->render($callback, $variables); }); $this->verbose( - '<hr />' . 'Result:' . '<pre>' . SafeMarkup::checkPlain(var_export($output, TRUE)) . '</pre>' - . '<hr />' . 'Expected:' . '<pre>' . SafeMarkup::checkPlain(var_export($expected, TRUE)) . '</pre>' + '<hr />' . 'Result:' . '<pre>' . Html::escape(var_export($output, TRUE)) . '</pre>' + . '<hr />' . 'Expected:' . '<pre>' . Html::escape(var_export($expected, TRUE)) . '</pre>' . '<hr />' . $output ); if (!$message) { diff --git a/core/modules/simpletest/src/Form/SimpletestTestForm.php b/core/modules/simpletest/src/Form/SimpletestTestForm.php index aadc4a9..f172c30 100644 --- a/core/modules/simpletest/src/Form/SimpletestTestForm.php +++ b/core/modules/simpletest/src/Form/SimpletestTestForm.php @@ -8,9 +8,9 @@ namespace Drupal\simpletest\Form; use Drupal\Component\Utility\SortArray; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Render\RendererInterface; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -179,7 +179,8 @@ public function buildForm(array $form, FormStateInterface $form_state) { ); $form['tests'][$class]['description'] = array( '#prefix' => '<div class="description">', - '#markup' => SafeMarkup::checkPlain($info['description']), + '#markup' => $info['description'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, '#suffix' => '</div>', '#wrapper_attributes' => array( 'class' => array('simpletest-test-description', 'table-filter-text-source'), diff --git a/core/modules/simpletest/src/KernelTestBase.php b/core/modules/simpletest/src/KernelTestBase.php index 2c8c862..e536ec3 100644 --- a/core/modules/simpletest/src/KernelTestBase.php +++ b/core/modules/simpletest/src/KernelTestBase.php @@ -7,6 +7,7 @@ namespace Drupal\simpletest; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Variable; use Drupal\Core\Database\Database; @@ -574,7 +575,7 @@ protected function render(array &$elements) { $content = $this->container->get('renderer')->renderRoot($elements); drupal_process_attached($elements); $this->setRawContent($content); - $this->verbose('<pre style="white-space: pre-wrap">' . SafeMarkup::checkPlain($content)); + $this->verbose('<pre style="white-space: pre-wrap">' . Html::escape($content)); return $content; } diff --git a/core/modules/simpletest/src/WebTestBase.php b/core/modules/simpletest/src/WebTestBase.php index cfccbcf..77f11fc 100644 --- a/core/modules/simpletest/src/WebTestBase.php +++ b/core/modules/simpletest/src/WebTestBase.php @@ -1513,7 +1513,7 @@ protected function drupalGet($path, array $options = array(), array $headers = a $verbose = 'GET request to: ' . $path . '<hr />Ending URL: ' . $this->getUrl(); if ($this->dumpHeaders) { - $verbose .= '<hr />Headers: <pre>' . SafeMarkup::checkPlain(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>'; + $verbose .= '<hr />Headers: <pre>' . Html::escape(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>'; } $verbose .= '<hr />' . $out; @@ -1737,7 +1737,7 @@ protected function drupalPostForm($path, $edit, $submit, array $options = array( $verbose = 'POST request to: ' . $path; $verbose .= '<hr />Ending URL: ' . $this->getUrl(); if ($this->dumpHeaders) { - $verbose .= '<hr />Headers: <pre>' . SafeMarkup::checkPlain(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>'; + $verbose .= '<hr />Headers: <pre>' . Html::escape(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>'; } $verbose .= '<hr />Fields: ' . highlight_string('<?php ' . var_export($post_array, TRUE), TRUE); $verbose .= '<hr />' . $out; @@ -2199,7 +2199,7 @@ protected function drupalHead($path, array $options = array(), array $headers = if ($this->dumpHeaders) { $this->verbose('GET request to: ' . $path . '<hr />Ending URL: ' . $this->getUrl() . - '<hr />Headers: <pre>' . SafeMarkup::checkPlain(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>'); + '<hr />Headers: <pre>' . Html::escape(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>'); } return $out; diff --git a/core/modules/system/src/Form/ModulesListForm.php b/core/modules/system/src/Form/ModulesListForm.php index 289928f..0a52d2f 100644 --- a/core/modules/system/src/Form/ModulesListForm.php +++ b/core/modules/system/src/Form/ModulesListForm.php @@ -7,7 +7,6 @@ namespace Drupal\system\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Unicode; use Drupal\Core\Config\PreExistingConfigException; use Drupal\Core\Config\UnmetDependenciesException; @@ -169,7 +168,7 @@ public function getFormId() { */ public function buildForm(array $form, FormStateInterface $form_state) { require_once DRUPAL_ROOT . '/core/includes/install.inc'; - $distribution = SafeMarkup::checkPlain(drupal_install_profile_distribution_name()); + $distribution = drupal_install_profile_distribution_name(); // Include system.admin.inc so we can use the sort callbacks. $this->moduleHandler->loadInclude('system', 'inc', 'system.admin'); diff --git a/core/modules/system/src/Tests/Common/RenderElementTypesTest.php b/core/modules/system/src/Tests/Common/RenderElementTypesTest.php index eed2ba9..b71b9c1 100644 --- a/core/modules/system/src/Tests/Common/RenderElementTypesTest.php +++ b/core/modules/system/src/Tests/Common/RenderElementTypesTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\Common; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Url; use Drupal\simpletest\KernelTestBase; @@ -46,12 +46,12 @@ protected function assertElements(array $elements, $expected_html, $message) { $actual_html = (string) \Drupal::service('renderer')->renderRoot($elements); $out = '<table><tr>'; - $out .= '<td valign="top"><pre>' . SafeMarkup::checkPlain($expected_html) . '</pre></td>'; - $out .= '<td valign="top"><pre>' . SafeMarkup::checkPlain($actual_html) . '</pre></td>'; + $out .= '<td valign="top"><pre>' . Html::escape($expected_html) . '</pre></td>'; + $out .= '<td valign="top"><pre>' . Html::escape($actual_html) . '</pre></td>'; $out .= '</tr></table>'; $this->verbose($out); - $this->assertIdentical($actual_html, $expected_html, SafeMarkup::checkPlain($message)); + $this->assertIdentical($actual_html, $expected_html, Html::escape($message)); } /** diff --git a/core/modules/system/src/Tests/Common/TableSortExtenderUnitTest.php b/core/modules/system/src/Tests/Common/TableSortExtenderUnitTest.php index 7073c28..a836da6 100644 --- a/core/modules/system/src/Tests/Common/TableSortExtenderUnitTest.php +++ b/core/modules/system/src/Tests/Common/TableSortExtenderUnitTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\Common; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\simpletest\KernelTestBase; use Symfony\Component\HttpFoundation\Request; @@ -38,7 +38,7 @@ function testTableSortInit() { $request->query->replace(array()); \Drupal::getContainer()->get('request_stack')->push($request); $ts = tablesort_init($headers); - $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => SafeMarkup::checkPlain(var_export($ts, TRUE))))); + $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => Html::escape(var_export($ts, TRUE))))); $this->assertEqual($ts, $expected_ts, 'Simple table headers sorted correctly.'); // Test with simple table headers plus $_GET parameters that should _not_ @@ -51,7 +51,7 @@ function testTableSortInit() { )); \Drupal::getContainer()->get('request_stack')->push($request); $ts = tablesort_init($headers); - $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => SafeMarkup::checkPlain(var_export($ts, TRUE))))); + $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => Html::escape(var_export($ts, TRUE))))); $this->assertEqual($ts, $expected_ts, 'Simple table headers plus non-overriding $_GET parameters sorted correctly.'); // Test with simple table headers plus $_GET parameters that _should_ @@ -67,7 +67,7 @@ function testTableSortInit() { $expected_ts['sort'] = 'desc'; $expected_ts['query'] = array('alpha' => 'beta'); $ts = tablesort_init($headers); - $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => SafeMarkup::checkPlain(var_export($ts, TRUE))))); + $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => Html::escape(var_export($ts, TRUE))))); $this->assertEqual($ts, $expected_ts, 'Simple table headers plus $_GET parameters sorted correctly.'); // Test complex table headers. @@ -99,7 +99,7 @@ function testTableSortInit() { 'sort' => 'desc', 'query' => array(), ); - $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => SafeMarkup::checkPlain(var_export($ts, TRUE))))); + $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => Html::escape(var_export($ts, TRUE))))); $this->assertEqual($ts, $expected_ts, 'Complex table headers sorted correctly.'); // Test complex table headers plus $_GET parameters that should _not_ @@ -118,7 +118,7 @@ function testTableSortInit() { 'sort' => 'asc', 'query' => array(), ); - $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => SafeMarkup::checkPlain(var_export($ts, TRUE))))); + $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => Html::escape(var_export($ts, TRUE))))); $this->assertEqual($ts, $expected_ts, 'Complex table headers plus non-overriding $_GET parameters sorted correctly.'); // Test complex table headers plus $_GET parameters that _should_ @@ -139,7 +139,7 @@ function testTableSortInit() { 'query' => array('alpha' => 'beta'), ); $ts = tablesort_init($headers); - $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => SafeMarkup::checkPlain(var_export($ts, TRUE))))); + $this->verbose(strtr('$ts: <pre>!ts</pre>', array('!ts' => Html::escape(var_export($ts, TRUE))))); $this->assertEqual($ts, $expected_ts, 'Complex table headers plus $_GET parameters sorted correctly.'); } } diff --git a/core/modules/system/src/Tests/Entity/EntityAutocompleteTest.php b/core/modules/system/src/Tests/Entity/EntityAutocompleteTest.php index d1425c3..4db0e20 100644 --- a/core/modules/system/src/Tests/Entity/EntityAutocompleteTest.php +++ b/core/modules/system/src/Tests/Entity/EntityAutocompleteTest.php @@ -9,7 +9,7 @@ use Drupal\Component\Serialization\Json; use Drupal\Component\Utility\Crypt; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Tags; use Drupal\Core\Site\Settings; use Drupal\system\Controller\EntityAutocompleteController; @@ -65,8 +65,8 @@ function testEntityReferenceAutocompletion() { // We should get both entities in a JSON encoded string. $input = '10/'; $data = $this->getAutocompleteResult($input); - $this->assertIdentical($data[0]['label'], SafeMarkup::checkPlain($entity_1->name->value), 'Autocomplete returned the first matching entity'); - $this->assertIdentical($data[1]['label'], SafeMarkup::checkPlain($entity_2->name->value), 'Autocomplete returned the second matching entity'); + $this->assertIdentical($data[0]['label'], Html::escape($entity_1->name->value), 'Autocomplete returned the first matching entity'); + $this->assertIdentical($data[1]['label'], Html::escape($entity_2->name->value), 'Autocomplete returned the second matching entity'); // Try to autocomplete a entity label that matches the first entity. // We should only get the first entity in a JSON encoded string. @@ -74,7 +74,7 @@ function testEntityReferenceAutocompletion() { $data = $this->getAutocompleteResult($input); $target = array( 'value' => $entity_1->name->value . ' (1)', - 'label' => SafeMarkup::checkPlain($entity_1->name->value), + 'label' => Html::escape($entity_1->name->value), ); $this->assertIdentical(reset($data), $target, 'Autocomplete returns only the expected matching entity.'); @@ -82,7 +82,7 @@ function testEntityReferenceAutocompletion() { // the first entity is already typed in the autocomplete (tags) widget. $input = $entity_1->name->value . ' (1), 10/17'; $data = $this->getAutocompleteResult($input); - $this->assertIdentical($data[0]['label'], SafeMarkup::checkPlain($entity_2->name->value), 'Autocomplete returned the second matching entity'); + $this->assertIdentical($data[0]['label'], Html::escape($entity_2->name->value), 'Autocomplete returned the second matching entity'); // Try to autocomplete a entity label with both a comma and a slash. $input = '"label with, and / t'; @@ -92,7 +92,7 @@ function testEntityReferenceAutocompletion() { $n = Tags::encode($n); $target = array( 'value' => $n, - 'label' => SafeMarkup::checkPlain($entity_3->name->value), + 'label' => Html::escape($entity_3->name->value), ); $this->assertIdentical(reset($data), $target, 'Autocomplete returns an entity label containing a comma and a slash.'); } diff --git a/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php b/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php index 45e0e92..e6bd87b 100644 --- a/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php +++ b/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php @@ -8,7 +8,6 @@ namespace Drupal\system\Tests\Entity\EntityReferenceSelection; use Drupal\comment\Tests\CommentTestTrait; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Language\LanguageInterface; use Drupal\comment\CommentInterface; use Drupal\simpletest\WebTestBase; @@ -110,7 +109,7 @@ public function testNodeHandler() { $node = entity_create('node', $values); $node->save(); $nodes[$key] = $node; - $node_labels[$key] = SafeMarkup::checkPlain($node->label()); + $node_labels[$key] = $node->label(); } // Test as a non-admin. @@ -241,7 +240,7 @@ public function testUserHandler() { $account = $values; } $users[$key] = $account; - $user_labels[$key] = SafeMarkup::checkPlain($account->getUsername()); + $user_labels[$key] = $account->getUsername(); } // Test as a non-admin. @@ -416,7 +415,7 @@ public function testCommentHandler() { $comment = entity_create('comment', $values); $comment->save(); $comments[$key] = $comment; - $comment_labels[$key] = SafeMarkup::checkPlain($comment->label()); + $comment_labels[$key] = $comment->label(); } // Test as a non-admin. diff --git a/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionSortTest.php b/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionSortTest.php index 3fae878..dc3980c 100644 --- a/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionSortTest.php +++ b/core/modules/system/src/Tests/Entity/EntityReferenceSelection/EntityReferenceSelectionSortTest.php @@ -7,7 +7,6 @@ namespace Drupal\system\Tests\Entity\EntityReferenceSelection; -use Drupal\Component\Utility\SafeMarkup; use Drupal\node\Entity\Node; use Drupal\node\Entity\NodeType; use Drupal\system\Tests\Entity\EntityUnitTestBase; @@ -93,7 +92,7 @@ public function testSort() { $node = Node::create($values); $node->save(); $nodes[$key] = $node; - $node_labels[$key] = SafeMarkup::checkPlain($node->label()); + $node_labels[$key] = $node->label(); } $selection_options = array( diff --git a/core/modules/system/src/Tests/Form/FormTest.php b/core/modules/system/src/Tests/Form/FormTest.php index 67508a2..4585ad1 100644 --- a/core/modules/system/src/Tests/Form/FormTest.php +++ b/core/modules/system/src/Tests/Form/FormTest.php @@ -8,6 +8,7 @@ namespace Drupal\system\Tests\Form; use Drupal\Component\Serialization\Json; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormState; use Drupal\Core\Render\Element; @@ -616,7 +617,7 @@ function testDisabledMarkup() { $path = strtr($path, array('!type' => $type)); // Verify that the element exists. $element = $this->xpath($path, array( - ':name' => SafeMarkup::checkPlain($name), + ':name' => Html::escape($name), ':div-class' => $class, ':value' => isset($item['#value']) ? $item['#value'] : '', )); diff --git a/core/modules/system/src/Tests/Mail/HtmlToTextTest.php b/core/modules/system/src/Tests/Mail/HtmlToTextTest.php index fe6f7c0..a78406d 100644 --- a/core/modules/system/src/Tests/Mail/HtmlToTextTest.php +++ b/core/modules/system/src/Tests/Mail/HtmlToTextTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\Mail; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Core\Mail\MailFormatHelper; use Drupal\Core\Site\Settings; @@ -34,7 +34,7 @@ protected function stringToHtml($text) { str_replace( array("\n", ' '), array('\n', ' '), - SafeMarkup::checkPlain($text) + Html::escape($text) ) . '"'; } @@ -57,7 +57,7 @@ protected function assertHtmlToText($html, $text, $message, $allowed_tags = NULL $tested_tags = implode(', ', array_unique($matches[1])); $message .= ' (' . $tested_tags . ')'; $result = MailFormatHelper::htmlToText($html, $allowed_tags); - $pass = $this->assertEqual($result, $text, SafeMarkup::checkPlain($message)); + $pass = $this->assertEqual($result, $text, Html::escape($message)); $verbose = 'html = <pre>' . $this->stringToHtml($html) . '</pre><br />' . 'result = <pre>' . $this->stringToHtml($result) . '</pre><br />' . 'expected = <pre>' . $this->stringToHtml($text) diff --git a/core/modules/system/src/Tests/Menu/AssertBreadcrumbTrait.php b/core/modules/system/src/Tests/Menu/AssertBreadcrumbTrait.php index e2f4ca7..60adadf 100644 --- a/core/modules/system/src/Tests/Menu/AssertBreadcrumbTrait.php +++ b/core/modules/system/src/Tests/Menu/AssertBreadcrumbTrait.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\Menu; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Url; /** @@ -83,7 +83,7 @@ protected function assertBreadcrumbParts($trail) { $url = $path; } $part = array_shift($parts); - $pass = ($pass && $part['href'] === $url && $part['text'] === SafeMarkup::checkPlain($title)); + $pass = ($pass && $part['href'] === $url && $part['text'] === Html::escape($title)); } } // No parts must be left, or an expected "Home" will always pass. diff --git a/core/modules/system/src/Tests/Routing/ExceptionHandlingTest.php b/core/modules/system/src/Tests/Routing/ExceptionHandlingTest.php index 1b22d5c..ee3b6eb 100644 --- a/core/modules/system/src/Tests/Routing/ExceptionHandlingTest.php +++ b/core/modules/system/src/Tests/Routing/ExceptionHandlingTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\Routing; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\simpletest\KernelTestBase; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; @@ -116,7 +116,7 @@ public function testBacktraceEscaping() { // Test both that the backtrace is properly escaped, and that the unescaped // string is not output at all. - $this->assertTrue(strpos($response->getContent(), SafeMarkup::checkPlain('<script>alert(\'xss\')</script>')) !== FALSE); + $this->assertTrue(strpos($response->getContent(), Html::escape('<script>alert(\'xss\')</script>')) !== FALSE); $this->assertTrue(strpos($response->getContent(), '<script>alert(\'xss\')</script>') === FALSE); } @@ -140,7 +140,7 @@ public function testExceptionEscaping() { // Test message is properly escaped, and that the unescaped string is not // output at all. $this->setRawContent($response->getContent()); - $this->assertRaw(SafeMarkup::checkPlain('Escaped content: <p> <br> <h3>')); + $this->assertRaw(Html::escape('Escaped content: <p> <br> <h3>')); $this->assertNoRaw('<p> <br> <h3>'); } diff --git a/core/modules/system/src/Tests/System/PageTitleTest.php b/core/modules/system/src/Tests/System/PageTitleTest.php index 6d56a6f..363b25a 100644 --- a/core/modules/system/src/Tests/System/PageTitleTest.php +++ b/core/modules/system/src/Tests/System/PageTitleTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\System; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\simpletest\WebTestBase; @@ -55,9 +55,9 @@ function testTitleTags() { $node = $this->drupalGetNodeByTitle($edit['title[0][value]']); $this->assertNotNull($node, 'Node created and found in database'); - $this->assertText(SafeMarkup::checkPlain($edit['title[0][value]']), 'Check to make sure tags in the node title are converted.'); + $this->assertText(Html::escape($edit['title[0][value]']), 'Check to make sure tags in the node title are converted.'); $this->drupalGet("node/" . $node->id()); - $this->assertText(SafeMarkup::checkPlain($edit['title[0][value]']), 'Check to make sure tags in the node title are converted.'); + $this->assertText(Html::escape($edit['title[0][value]']), 'Check to make sure tags in the node title are converted.'); } /** @@ -66,7 +66,7 @@ function testTitleTags() { function testTitleXSS() { // Set some title with JavaScript and HTML chars to escape. $title = ' & < > " \' '; - $title_filtered = SafeMarkup::checkPlain($title); + $title_filtered = Html::escape($title); $slogan = ''; $slogan_filtered = Xss::filterAdmin($slogan); @@ -143,19 +143,19 @@ public function testRoutingTitle() { // controller does not escape them. $this->drupalGet('test-page-cached-controller'); $this->assertTitle('Cached title | Drupal'); - $this->assertRaw(SafeMarkup::checkPlain('Cached title') . ''); + $this->assertRaw(Html::escape('Cached title') . ''); $this->drupalGet('test-page-cached-controller'); $this->assertTitle('Cached title | Drupal'); - $this->assertRaw(SafeMarkup::checkPlain('Cached title') . ''); + $this->assertRaw(Html::escape('Cached title') . ''); // Ensure that titles are cacheable and are escaped normally if the - // controller escapes them use SafeMarkup::checkPlain(). + // controller escapes them use Html::escape(). $this->drupalGet('test-page-cached-controller-safe'); - $this->assertTitle('Cached title | Drupal'); - $this->assertRaw(SafeMarkup::checkPlain('Cached title') . ''); + $this->assertTitle(Html::escape('Cached title | Drupal')); + $this->assertRaw(Html::escape('Cached title') . ''); $this->drupalGet('test-page-cached-controller-safe'); - $this->assertTitle('Cached title | Drupal'); - $this->assertRaw(SafeMarkup::checkPlain('Cached title') . ''); + $this->assertTitle(Html::escape('Cached title | Drupal')); + $this->assertRaw(Html::escape('Cached title') . ''); } } diff --git a/core/modules/system/src/Tests/System/TokenReplaceUnitTest.php b/core/modules/system/src/Tests/System/TokenReplaceUnitTest.php index b8f31e7..33f867a 100644 --- a/core/modules/system/src/Tests/System/TokenReplaceUnitTest.php +++ b/core/modules/system/src/Tests/System/TokenReplaceUnitTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\System; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Render\BubbleableMetadata; @@ -70,7 +70,7 @@ public function testClear() { $source .= '[bogus:token]'; // Replace with with the clear parameter, only the valid token should remain. - $target = SafeMarkup::checkPlain($this->config('system.site')->get('name')); + $target = Html::escape($this->config('system.site')->get('name')); $result = $this->tokenService->replace($source, array(), array('langcode' => $this->interfaceLanguage->getId(), 'clear' => TRUE)); $this->assertEqual($target, $result, 'Valid tokens replaced while invalid tokens ignored.'); @@ -105,7 +105,7 @@ public function testSystemSiteTokenReplacement() { // Generate and test sanitized tokens. $tests = array(); - $tests['[site:name]'] = SafeMarkup::checkPlain($config->get('name')); + $tests['[site:name]'] = Html::escape($config->get('name')); $tests['[site:slogan]'] = $safe_slogan; $tests['[site:mail]'] = $config->get('mail'); $tests['[site:url]'] = \Drupal::url('', [], $url_options); diff --git a/core/modules/system/src/Tests/Theme/FunctionsTest.php b/core/modules/system/src/Tests/Theme/FunctionsTest.php index 0ed135d..44f4507 100644 --- a/core/modules/system/src/Tests/Theme/FunctionsTest.php +++ b/core/modules/system/src/Tests/Theme/FunctionsTest.php @@ -8,6 +8,7 @@ namespace Drupal\system\Tests\Theme; use Drupal\Component\Serialization\Json; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Session\UserSession; use Drupal\Core\Url; @@ -218,13 +219,13 @@ function testLinks() { $expected_links = ''; $expected_links .= ''; // Verify that passing a string as heading works. @@ -258,13 +259,13 @@ function testLinks() { ); $expected_links = ''; $expected_links .= ''; $expected = $expected_heading . $expected_links; $this->assertThemeOutput('links', $variables, $expected); @@ -274,14 +275,14 @@ function testLinks() { $variables['set_active_class'] = TRUE; $expected_links = ''; $expected_links .= ''; $expected = $expected_heading . $expected_links; $this->assertThemeOutput('links', $variables, $expected); diff --git a/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php b/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php index e6e5988..1bab9bf 100644 --- a/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php +++ b/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php @@ -7,7 +7,7 @@ namespace Drupal\system\Tests\Theme; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Site\Settings; use Drupal\simpletest\KernelTestBase; @@ -44,7 +44,7 @@ public function testInlineTemplate() { '#template' => 'test-with-context ', '#context' => array('unsafe_content' => $unsafe_string), ); - $this->assertEqual($renderer->renderRoot($element), 'test-with-context '); + $this->assertEqual($renderer->renderRoot($element), 'test-with-context '); // Enable twig_auto_reload and twig_debug. $settings = Settings::getAll(); diff --git a/core/modules/system/system.tokens.inc b/core/modules/system/system.tokens.inc index 4c0e107..31b8030 100644 --- a/core/modules/system/system.tokens.inc +++ b/core/modules/system/system.tokens.inc @@ -7,7 +7,7 @@ * This file handles tokens for the global 'site' and 'date' tokens. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Datetime\Entity\DateFormat; use Drupal\Core\Render\BubbleableMetadata; @@ -111,7 +111,7 @@ function system_tokens($type, $tokens, array $data, array $options, BubbleableMe $config = \Drupal::config('system.site'); $bubbleable_metadata->addCacheableDependency($config); $site_name = $config->get('name'); - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($site_name) : $site_name; + $replacements[$original] = $sanitize ? Html::escape($site_name) : $site_name; break; case 'slogan': @@ -188,7 +188,7 @@ function system_tokens($type, $tokens, array $data, array $options, BubbleableMe break; case 'raw': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($date) : $date; + $replacements[$original] = $sanitize ? Html::escape($date) : $date; break; } } diff --git a/core/modules/system/tests/modules/common_test/src/Controller/CommonTestController.php b/core/modules/system/tests/modules/common_test/src/Controller/CommonTestController.php index 6b43aa8..cbe4b14 100644 --- a/core/modules/system/tests/modules/common_test/src/Controller/CommonTestController.php +++ b/core/modules/system/tests/modules/common_test/src/Controller/CommonTestController.php @@ -7,7 +7,7 @@ namespace Drupal\common_test\Controller; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Url; use Symfony\Component\HttpFoundation\Response; @@ -89,7 +89,7 @@ public function jsAndCssQuerystring() { */ public function destination() { $destination = \Drupal::destination()->getAsArray(); - $output = "The destination: " . SafeMarkup::checkPlain($destination['destination']); + $output = "The destination: " . Html::escape($destination['destination']); return new Response($output); } diff --git a/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php b/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php index 342151e..73f39b1 100644 --- a/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php +++ b/core/modules/system/tests/modules/database_test/src/Form/DatabaseTestForm.php @@ -7,7 +7,6 @@ namespace Drupal\database_test\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; use Drupal\user\Entity\User; @@ -56,8 +55,8 @@ public function buildForm(array $form, FormStateInterface $form_state) { foreach (User::loadMultiple($uids) as $account) { $options[$account->id()] = array( - 'title' => array('data' => array('#title' => SafeMarkup::checkPlain($account->getUsername()))), - 'username' => SafeMarkup::checkPlain($account->getUsername()), + 'title' => array('data' => array('#title' => $account->getUsername())), + 'username' => $account->getUsername(), 'status' => $account->isActive() ? t('active') : t('blocked'), ); } diff --git a/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilder.php b/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilder.php index 7cfec16..8c7ad86 100644 --- a/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilder.php +++ b/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilder.php @@ -7,9 +7,9 @@ namespace Drupal\entity_test; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityViewBuilder; +use Drupal\Core\Render\Element\Markup; /** * Defines an entity view builder for a test entity. @@ -36,7 +36,8 @@ public function buildComponents(array &$build, array $entities, array $displays, foreach ($entities as $id => $entity) { $build[$id]['label'] = array( '#weight' => -100, - '#markup' => SafeMarkup::checkPlain($entity->label()), + '#markup' => $entity->label(), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ); $build[$id]['separator'] = array( '#weight' => -150, @@ -44,7 +45,8 @@ public function buildComponents(array &$build, array $entities, array $displays, ); $build[$id]['view_mode'] = array( '#weight' => -200, - '#markup' => SafeMarkup::checkPlain($view_mode), + '#markup' => $view_mode, + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ); } } diff --git a/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilderOverriddenView.php b/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilderOverriddenView.php index f4b719f..437fdfe 100644 --- a/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilderOverriddenView.php +++ b/core/modules/system/tests/modules/entity_test/src/EntityTestViewBuilderOverriddenView.php @@ -7,8 +7,8 @@ namespace Drupal\entity_test; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityInterface; +use Drupal\Core\Render\Element\Markup; /** * Provides a view builder that overrides ::view() and ::viewMultiple(). @@ -20,7 +20,10 @@ class EntityTestViewBuilderOverriddenView extends EntityTestViewBuilder { */ public function view(EntityInterface $entity, $view_mode = 'full', $langcode = NULL) { $build = []; - $build[$entity->id()]['#markup'] = SafeMarkup::checkPlain($entity->label()); + $build[$entity->id()] = [ + '#markup' => $entity->label(), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + ]; return $build; } diff --git a/core/modules/system/tests/modules/form_test/src/Form/FormTestStorageForm.php b/core/modules/system/tests/modules/form_test/src/Form/FormTestStorageForm.php index 7f62557..3a6d1c5 100644 --- a/core/modules/system/tests/modules/form_test/src/Form/FormTestStorageForm.php +++ b/core/modules/system/tests/modules/form_test/src/Form/FormTestStorageForm.php @@ -7,7 +7,7 @@ namespace Drupal\form_test\Form; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; @@ -139,7 +139,7 @@ public function continueSubmitForm(array &$form, FormStateInterface $form_state) * {@inheritdoc} */ public function submitForm(array &$form, FormStateInterface $form_state) { - drupal_set_message("Title: " . SafeMarkup::checkPlain($form_state->getValue('title'))); + drupal_set_message("Title: " . Html::escape($form_state->getValue('title'))); drupal_set_message("Form constructions: " . $_SESSION['constructions']); if ($form_state->has(['thing', 'changed'])) { drupal_set_message("The thing has been changed."); diff --git a/core/modules/system/tests/modules/form_test/src/Form/FormTestStoragePageCacheForm.php b/core/modules/system/tests/modules/form_test/src/Form/FormTestStoragePageCacheForm.php index 9f3ab5a..76eb763 100644 --- a/core/modules/system/tests/modules/form_test/src/Form/FormTestStoragePageCacheForm.php +++ b/core/modules/system/tests/modules/form_test/src/Form/FormTestStoragePageCacheForm.php @@ -7,9 +7,9 @@ namespace Drupal\form_test\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; class FormTestStoragePageCacheForm extends FormBase { @@ -57,7 +57,10 @@ public function buildForm(array $form, FormStateInterface $form_state) { */ function form_test_storage_page_cache_old_build_id($form) { if (isset($form['#build_id_old'])) { - $form['test_build_id_old']['#markup'] = SafeMarkup::checkPlain($form['#build_id_old']); + $form['test_build_id_old'] = [ + '#markup' => $form['#build_id_old'], + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + ]; } return $form; } diff --git a/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php b/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php index a7fa82c..9c347be 100644 --- a/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php +++ b/core/modules/system/tests/modules/form_test/src/FormTestArgumentsObject.php @@ -7,7 +7,6 @@ namespace Drupal\form_test; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\ConfigFormBase; use Drupal\Core\Form\FormStateInterface; @@ -38,7 +37,7 @@ public function buildForm(array $form, FormStateInterface $form_state, $arg = NU $form['bananas'] = array( '#type' => 'textfield', - '#default_value' => SafeMarkup::checkPlain($arg), + '#default_value' => $arg, '#title' => $this->t('Bananas'), ); diff --git a/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php b/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php index b0d4136..d1a8fb0 100644 --- a/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php +++ b/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php @@ -7,7 +7,7 @@ namespace Drupal\test_page_test\Controller; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Core\Render\Element\Markup; /** * Defines a test controller for page titles. @@ -55,16 +55,23 @@ public function dynamicTitle() { * Defines a controller with a cached render array. * * @param bool $mark_safe - * Whether or not to mark the title as safe use SafeMarkup::checkPlain. + * If TRUE, use the Markup element's "escape" safe strategy to mark the + * string as safe. * * @return array * A render array */ public function controllerWithCache($mark_safe = FALSE) { $build = []; - $build['#title'] = 'Cached title'; if ($mark_safe) { - $build['#title'] = SafeMarkup::checkPlain($build['#title']); + $render = [ + '#markup' => 'Cached title', + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, + ]; + $build['#title'] = \Drupal::service('renderer')->renderPlain($render); + } + else { + $build['#title'] = 'Cached title'; } $build['#cache']['keys'] = ['test_controller', 'with_title', $mark_safe]; diff --git a/core/modules/taxonomy/src/Plugin/EntityReferenceSelection/TermSelection.php b/core/modules/taxonomy/src/Plugin/EntityReferenceSelection/TermSelection.php index ddf99ca..28bddff 100644 --- a/core/modules/taxonomy/src/Plugin/EntityReferenceSelection/TermSelection.php +++ b/core/modules/taxonomy/src/Plugin/EntityReferenceSelection/TermSelection.php @@ -7,7 +7,6 @@ namespace Drupal\taxonomy\Plugin\EntityReferenceSelection; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Database\Query\SelectInterface; use Drupal\Core\Entity\Plugin\EntityReferenceSelection\SelectionBase; use Drupal\Core\Form\FormStateInterface; @@ -73,7 +72,7 @@ public function getReferenceableEntities($match = NULL, $match_operator = 'CONTA if ($vocabulary = Vocabulary::load($bundle)) { if ($terms = $this->entityManager->getStorage('taxonomy_term')->loadTree($vocabulary->id(), 0, NULL, TRUE)) { foreach ($terms as $term) { - $options[$vocabulary->id()][$term->id()] = str_repeat('-', $term->depth) . SafeMarkup::checkPlain($term->getName()); + $options[$vocabulary->id()][$term->id()] = str_repeat('-', $term->depth) . $term->getName(); } } } diff --git a/core/modules/taxonomy/src/Plugin/views/argument/IndexTid.php b/core/modules/taxonomy/src/Plugin/views/argument/IndexTid.php index 3b4798a..6018b06 100644 --- a/core/modules/taxonomy/src/Plugin/views/argument/IndexTid.php +++ b/core/modules/taxonomy/src/Plugin/views/argument/IndexTid.php @@ -9,7 +9,6 @@ use Drupal\taxonomy\Entity\Term; use Drupal\views\Plugin\views\argument\ManyToOne; -use Drupal\Component\Utility\SafeMarkup; /** * Allow taxonomy term ID(s) as argument. @@ -24,7 +23,7 @@ public function titleQuery() { $titles = array(); $terms = Term::loadMultiple($this->value); foreach ($terms as $term) { - $titles[] = SafeMarkup::checkPlain(\Drupal::entityManager()->getTranslationFromContext($term)->label()); + $titles[] = \Drupal::entityManager()->getTranslationFromContext($term)->label(); } return $titles; } diff --git a/core/modules/taxonomy/src/Plugin/views/argument/IndexTidDepth.php b/core/modules/taxonomy/src/Plugin/views/argument/IndexTidDepth.php index f5bd524..e2df37f 100644 --- a/core/modules/taxonomy/src/Plugin/views/argument/IndexTidDepth.php +++ b/core/modules/taxonomy/src/Plugin/views/argument/IndexTidDepth.php @@ -11,7 +11,6 @@ use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\views\Plugin\views\argument\ArgumentPluginBase; -use Drupal\Component\Utility\SafeMarkup; use Drupal\taxonomy\Entity\Term; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -140,7 +139,7 @@ public function query($group_by = FALSE) { function title() { $term = $this->termStorage->load($this->argument); if (!empty($term)) { - return SafeMarkup::checkPlain($term->getName()); + return $term->getName(); } // TODO review text return $this->t('No name'); diff --git a/core/modules/taxonomy/src/Plugin/views/argument/Taxonomy.php b/core/modules/taxonomy/src/Plugin/views/argument/Taxonomy.php index ca36597..ecf27f9 100644 --- a/core/modules/taxonomy/src/Plugin/views/argument/Taxonomy.php +++ b/core/modules/taxonomy/src/Plugin/views/argument/Taxonomy.php @@ -10,7 +10,6 @@ use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\views\Plugin\views\argument\NumericArgument; -use Drupal\Component\Utility\SafeMarkup; use Symfony\Component\DependencyInjection\ContainerInterface; /** @@ -56,7 +55,7 @@ function title() { if ($this->argument) { $term = $this->termStorage->load($this->argument); if (!empty($term)) { - return SafeMarkup::checkPlain($term->getName()); + return $term->getName(); } } // TODO review text diff --git a/core/modules/taxonomy/src/Plugin/views/argument/VocabularyVid.php b/core/modules/taxonomy/src/Plugin/views/argument/VocabularyVid.php index 7aedd51..80c27b8 100644 --- a/core/modules/taxonomy/src/Plugin/views/argument/VocabularyVid.php +++ b/core/modules/taxonomy/src/Plugin/views/argument/VocabularyVid.php @@ -8,7 +8,6 @@ namespace Drupal\taxonomy\Plugin\views\argument; use Drupal\views\Plugin\views\argument\NumericArgument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\taxonomy\VocabularyStorageInterface; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -63,7 +62,7 @@ public static function create(ContainerInterface $container, array $configuratio function title() { $vocabulary = $this->vocabularyStorage->load($this->argument); if ($vocabulary) { - return SafeMarkup::checkPlain($vocabulary->label()); + return $vocabulary->label(); } return $this->t('No vocabulary'); diff --git a/core/modules/taxonomy/src/Plugin/views/field/TaxonomyIndexTid.php b/core/modules/taxonomy/src/Plugin/views/field/TaxonomyIndexTid.php index 4fab01c..14426e4 100644 --- a/core/modules/taxonomy/src/Plugin/views/field/TaxonomyIndexTid.php +++ b/core/modules/taxonomy/src/Plugin/views/field/TaxonomyIndexTid.php @@ -11,7 +11,6 @@ use Drupal\views\ViewExecutable; use Drupal\views\Plugin\views\display\DisplayPluginBase; use Drupal\views\Plugin\views\field\PrerenderList; -use Drupal\Component\Utility\SafeMarkup; use Drupal\taxonomy\Entity\Vocabulary; use Symfony\Component\DependencyInjection\ContainerInterface; use Drupal\taxonomy\VocabularyStorageInterface; @@ -153,7 +152,7 @@ public function preRender(&$values) { $this->items[$node_nid][$tid]['name'] = \Drupal::entityManager()->getTranslationFromContext($term)->label(); $this->items[$node_nid][$tid]['tid'] = $tid; $this->items[$node_nid][$tid]['vocabulary_vid'] = $term->getVocabularyId(); - $this->items[$node_nid][$tid]['vocabulary'] = SafeMarkup::checkPlain($vocabularies[$term->getVocabularyId()]->label()); + $this->items[$node_nid][$tid]['vocabulary'] = $vocabularies[$term->getVocabularyId()]->label(); if (!empty($this->options['link_to_taxonomy'])) { $this->items[$node_nid][$tid]['make_link'] = TRUE; diff --git a/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php b/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php index 7adaa16..4a50d81 100644 --- a/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php +++ b/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php @@ -16,7 +16,6 @@ use Drupal\views\ViewExecutable; use Drupal\views\Plugin\views\display\DisplayPluginBase; use Drupal\views\Plugin\views\filter\ManyToOne; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Tags; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -183,7 +182,7 @@ protected function valueForm(&$form, FormStateInterface $form_state) { if ($tree) { foreach ($tree as $term) { $choice = new \stdClass(); - $choice->option = array($term->id() => str_repeat('-', $term->depth) . SafeMarkup::checkPlain(\Drupal::entityManager()->getTranslationFromContext($term)->label())); + $choice->option = array($term->id() => str_repeat('-', $term->depth) . \Drupal::entityManager()->getTranslationFromContext($term)->label()); $options[] = $choice; } } @@ -201,7 +200,7 @@ protected function valueForm(&$form, FormStateInterface $form_state) { } $terms = Term::loadMultiple($query->execute()); foreach ($terms as $term) { - $options[$term->id()] = SafeMarkup::checkPlain(\Drupal::entityManager()->getTranslationFromContext($term)->label()); + $options[$term->id()] = \Drupal::entityManager()->getTranslationFromContext($term)->label(); } } @@ -359,7 +358,7 @@ public function adminSummary() { $this->value = array_filter($this->value); $terms = Term::loadMultiple($this->value); foreach ($terms as $term) { - $this->valueOptions[$term->id()] = SafeMarkup::checkPlain(\Drupal::entityManager()->getTranslationFromContext($term)->label()); + $this->valueOptions[$term->id()] = \Drupal::entityManager()->getTranslationFromContext($term)->label(); } } return parent::adminSummary(); diff --git a/core/modules/taxonomy/src/Tests/TokenReplaceTest.php b/core/modules/taxonomy/src/Tests/TokenReplaceTest.php index ff7c8ef..4fcb0f1 100644 --- a/core/modules/taxonomy/src/Tests/TokenReplaceTest.php +++ b/core/modules/taxonomy/src/Tests/TokenReplaceTest.php @@ -7,7 +7,7 @@ namespace Drupal\taxonomy\Tests; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Field\FieldStorageDefinitionInterface; use Drupal\Core\Render\BubbleableMetadata; @@ -86,13 +86,13 @@ function testTaxonomyTokenReplacement() { // Generate and test sanitized tokens for term1. $tests = array(); $tests['[term:tid]'] = $term1->id(); - $tests['[term:name]'] = SafeMarkup::checkPlain($term1->getName()); + $tests['[term:name]'] = Html::escape($term1->getName()); $tests['[term:description]'] = $term1->description->processed; $tests['[term:url]'] = $term1->url('canonical', array('absolute' => TRUE)); $tests['[term:node-count]'] = 0; $tests['[term:parent:name]'] = '[term:parent:name]'; - $tests['[term:vocabulary:name]'] = SafeMarkup::checkPlain($this->vocabulary->label()); - $tests['[term:vocabulary]'] = SafeMarkup::checkPlain($this->vocabulary->label()); + $tests['[term:vocabulary:name]'] = Html::escape($this->vocabulary->label()); + $tests['[term:vocabulary]'] = Html::escape($this->vocabulary->label()); $base_bubbleable_metadata = BubbleableMetadata::createFromObject($term1); @@ -117,14 +117,14 @@ function testTaxonomyTokenReplacement() { // Generate and test sanitized tokens for term2. $tests = array(); $tests['[term:tid]'] = $term2->id(); - $tests['[term:name]'] = SafeMarkup::checkPlain($term2->getName()); + $tests['[term:name]'] = Html::escape($term2->getName()); $tests['[term:description]'] = $term2->description->processed; $tests['[term:url]'] = $term2->url('canonical', array('absolute' => TRUE)); $tests['[term:node-count]'] = 1; - $tests['[term:parent:name]'] = SafeMarkup::checkPlain($term1->getName()); + $tests['[term:parent:name]'] = Html::escape($term1->getName()); $tests['[term:parent:url]'] = $term1->url('canonical', array('absolute' => TRUE)); $tests['[term:parent:parent:name]'] = '[term:parent:parent:name]'; - $tests['[term:vocabulary:name]'] = SafeMarkup::checkPlain($this->vocabulary->label()); + $tests['[term:vocabulary:name]'] = Html::escape($this->vocabulary->label()); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), 'No empty tokens generated.'); @@ -148,7 +148,7 @@ function testTaxonomyTokenReplacement() { // Generate and test sanitized tokens. $tests = array(); $tests['[vocabulary:vid]'] = $this->vocabulary->id(); - $tests['[vocabulary:name]'] = SafeMarkup::checkPlain($this->vocabulary->label()); + $tests['[vocabulary:name]'] = Html::escape($this->vocabulary->label()); $tests['[vocabulary:description]'] = Xss::filter($this->vocabulary->getDescription()); $tests['[vocabulary:node-count]'] = 1; $tests['[vocabulary:term-count]'] = 2; diff --git a/core/modules/taxonomy/taxonomy.tokens.inc b/core/modules/taxonomy/taxonomy.tokens.inc index 824116c..daf690b 100644 --- a/core/modules/taxonomy/taxonomy.tokens.inc +++ b/core/modules/taxonomy/taxonomy.tokens.inc @@ -5,7 +5,7 @@ * Builds placeholder replacement tokens for taxonomy terms and vocabularies. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Render\BubbleableMetadata; use Drupal\taxonomy\Entity\Vocabulary; @@ -109,7 +109,7 @@ function taxonomy_tokens($type, $tokens, array $data, array $options, Bubbleable break; case 'name': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($term->getName()) : $term->getName(); + $replacements[$original] = $sanitize ? Html::escape($term->getName()) : $term->getName(); break; case 'description': @@ -131,14 +131,14 @@ function taxonomy_tokens($type, $tokens, array $data, array $options, Bubbleable case 'vocabulary': $vocabulary = Vocabulary::load($term->bundle()); $bubbleable_metadata->addCacheableDependency($vocabulary); - $replacements[$original] = SafeMarkup::checkPlain($vocabulary->label()); + $replacements[$original] = Html::escape($vocabulary->label()); break; case 'parent': if ($parents = $taxonomy_storage->loadParents($term->id())) { $parent = array_pop($parents); $bubbleable_metadata->addCacheableDependency($parent); - $replacements[$original] = SafeMarkup::checkPlain($parent->getName()); + $replacements[$original] = Html::escape($parent->getName()); } break; } @@ -165,7 +165,7 @@ function taxonomy_tokens($type, $tokens, array $data, array $options, Bubbleable break; case 'name': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($vocabulary->label()) : $vocabulary->label(); + $replacements[$original] = $sanitize ? Html::escape($vocabulary->label()) : $vocabulary->label(); break; case 'description': diff --git a/core/modules/text/src/Plugin/Field/FieldType/TextItemBase.php b/core/modules/text/src/Plugin/Field/FieldType/TextItemBase.php index 13d15c9..410ee71 100644 --- a/core/modules/text/src/Plugin/Field/FieldType/TextItemBase.php +++ b/core/modules/text/src/Plugin/Field/FieldType/TextItemBase.php @@ -43,7 +43,7 @@ public static function propertyDefinitions(FieldStorageDefinitionInterface $fiel * {@inheritdoc} */ public function applyDefaultValue($notify = TRUE) { - // Default to a simple \Drupal\Component\Utility\SafeMarkup::checkPlain(). + // Default to a simple \Drupal\Component\Utility\Html::escape(). // @todo: Add in the filter default format here. $this->setValue(array('format' => NULL), $notify); return $this; diff --git a/core/modules/text/src/TextProcessed.php b/core/modules/text/src/TextProcessed.php index 364937b..d41cb92 100644 --- a/core/modules/text/src/TextProcessed.php +++ b/core/modules/text/src/TextProcessed.php @@ -49,8 +49,7 @@ public function getValue($langcode = NULL) { $item = $this->getParent(); $text = $item->{($this->definition->getSetting('text source'))}; - // Avoid running check_markup() or - // \Drupal\Component\Utility\SafeMarkup::checkPlain() on empty strings. + // Avoid running check_markup() on empty strings. if (!isset($text) || $text === '') { $this->processed = ''; } diff --git a/core/modules/toolbar/toolbar.module b/core/modules/toolbar/toolbar.module index d837b17..ccf1f9c 100644 --- a/core/modules/toolbar/toolbar.module +++ b/core/modules/toolbar/toolbar.module @@ -13,7 +13,6 @@ use Drupal\Core\Template\Attribute; use Drupal\Component\Datetime\DateTimePlus; use Drupal\Component\Utility\Crypt; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Url; /** @@ -265,7 +264,7 @@ function toolbar_menu_navigation_links(array $tree) { $element->options['attributes']['id'] = 'toolbar-link-' . $id; $element->options['attributes']['class'][] = 'toolbar-icon'; $element->options['attributes']['class'][] = 'toolbar-icon-' . strtolower(str_replace(array('.', ' ', '_'), array('-', '-', '-'), $definition['id'])); - $element->options['attributes']['title'] = SafeMarkup::checkPlain($link->getDescription()); + $element->options['attributes']['title'] = $link->getDescription(); } return $tree; } diff --git a/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php b/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php index c457beb..bedb4bd 100644 --- a/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php +++ b/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php @@ -8,7 +8,6 @@ namespace Drupal\tour\Plugin\tour\tip; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Xss; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\Core\Utility\Token; @@ -121,7 +120,7 @@ public function getAttributes() { * {@inheritdoc} */ public function getOutput() { - $output = '

    ' . SafeMarkup::checkPlain($this->getLabel()) . '

    '; + $output = '

    ' . Html::escape($this->getLabel()) . '

    '; $output .= '

    ' . Xss::filterAdmin($this->token->replace($this->getBody())) . '

    '; return array('#markup' => $output); } diff --git a/core/modules/tour/tests/tour_test/src/Plugin/tour/tip/TipPluginImage.php b/core/modules/tour/tests/tour_test/src/Plugin/tour/tip/TipPluginImage.php index 5c683b9..503a909 100644 --- a/core/modules/tour/tests/tour_test/src/Plugin/tour/tip/TipPluginImage.php +++ b/core/modules/tour/tests/tour_test/src/Plugin/tour/tip/TipPluginImage.php @@ -7,7 +7,7 @@ namespace Drupal\tour_test\Plugin\tour\tip; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\tour\TipPluginBase; /** @@ -40,7 +40,7 @@ class TipPluginImage extends TipPluginBase { * {@inheritdoc} */ public function getOutput() { - $prefix = '

    ' . SafeMarkup::checkPlain($this->get('label')) . '

    '; + $prefix = '

    ' . Html::escape($this->get('label')) . '

    '; $prefix .= '

    '; return [ '#prefix' => $prefix, diff --git a/core/modules/tracker/src/Controller/TrackerUserTab.php b/core/modules/tracker/src/Controller/TrackerUserTab.php index ae21548..3aca4c0 100644 --- a/core/modules/tracker/src/Controller/TrackerUserTab.php +++ b/core/modules/tracker/src/Controller/TrackerUserTab.php @@ -9,7 +9,6 @@ use Drupal\Core\Controller\ControllerBase; use Drupal\user\UserInterface; -use Drupal\Component\Utility\SafeMarkup; /** * Controller for tracker.user_tab route. @@ -28,6 +27,6 @@ public function getContent(UserInterface $user) { * Title callback for the tracker.user_tab route. */ public function getTitle(UserInterface $user) { - return SafeMarkup::checkPlain($user->getUsername()); + return $user->getUsername(); } } diff --git a/core/modules/tracker/tracker.pages.inc b/core/modules/tracker/tracker.pages.inc index 3be3966..5ff0e06 100644 --- a/core/modules/tracker/tracker.pages.inc +++ b/core/modules/tracker/tracker.pages.inc @@ -5,7 +5,6 @@ * User page callbacks for tracker.module. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Cache\Cache; use Drupal\node\Entity\Node; @@ -85,7 +84,7 @@ function tracker_page($account = NULL) { } $row = array( - 'type' => SafeMarkup::checkPlain(node_get_type_label($node)), + 'type' => node_get_type_label($node), 'title' => array( 'data' => array( '#type' => 'link', diff --git a/core/modules/update/src/Form/UpdateManagerUpdate.php b/core/modules/update/src/Form/UpdateManagerUpdate.php index f0f64ea..cafa4d1 100644 --- a/core/modules/update/src/Form/UpdateManagerUpdate.php +++ b/core/modules/update/src/Form/UpdateManagerUpdate.php @@ -7,7 +7,6 @@ namespace Drupal\update\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; @@ -115,14 +114,14 @@ public function buildForm(array $form, FormStateInterface $form_state) { $project_name = $this->l($project['title'], Url::fromUri($project['link'])); } else { - $project_name = SafeMarkup::checkPlain($project['title']); + $project_name = $project['title']; } } elseif (!empty($project['info']['name'])) { - $project_name = SafeMarkup::checkPlain($project['info']['name']); + $project_name = $project['info']['name']; } else { - $project_name = SafeMarkup::checkPlain($name); + $project_name = $name; } if ($project['project_type'] == 'theme' || $project['project_type'] == 'theme-disabled') { $project_name .= ' ' . $this->t('(Theme)'); diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php index 0bcfad9..2fdbcea 100644 --- a/core/modules/user/src/AccountForm.php +++ b/core/modules/user/src/AccountForm.php @@ -205,7 +205,7 @@ public function form(array $form, FormStateInterface $form_state) { '#access' => $admin, ); - $roles = array_map(array('\Drupal\Component\Utility\SafeMarkup', 'checkPlain'), user_role_names(TRUE)); + $roles = user_role_names(TRUE); $form['account']['roles'] = array( '#type' => 'checkboxes', diff --git a/core/modules/user/src/Form/UserPermissionsForm.php b/core/modules/user/src/Form/UserPermissionsForm.php index 0e0a01a..e96efda 100644 --- a/core/modules/user/src/Form/UserPermissionsForm.php +++ b/core/modules/user/src/Form/UserPermissionsForm.php @@ -7,7 +7,6 @@ namespace Drupal\user\Form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Form\FormBase; use Drupal\Core\Form\FormStateInterface; @@ -94,7 +93,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { $admin_roles = array(); foreach ($this->getRoles() as $role_name => $role) { // Retrieve role names for columns. - $role_names[$role_name] = SafeMarkup::checkPlain($role->label()); + $role_names[$role_name] = $role->label(); // Fetch permissions for the roles. $role_permissions[$role_name] = $role->getPermissions(); $admin_roles[$role_name] = $role->isAdmin(); diff --git a/core/modules/user/src/Plugin/Condition/UserRole.php b/core/modules/user/src/Plugin/Condition/UserRole.php index 3316cbc..bd98a75 100644 --- a/core/modules/user/src/Plugin/Condition/UserRole.php +++ b/core/modules/user/src/Plugin/Condition/UserRole.php @@ -33,7 +33,7 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta '#type' => 'checkboxes', '#title' => $this->t('When the user has the following roles'), '#default_value' => $this->configuration['roles'], - '#options' => array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names()), + '#options' => user_role_names(), '#description' => $this->t('If you select no roles, the condition will evaluate to TRUE for all users.'), ); return parent::buildConfigurationForm($form, $form_state); diff --git a/core/modules/user/src/Plugin/views/access/Permission.php b/core/modules/user/src/Plugin/views/access/Permission.php index 0dc5165..fab8f88 100644 --- a/core/modules/user/src/Plugin/views/access/Permission.php +++ b/core/modules/user/src/Plugin/views/access/Permission.php @@ -7,7 +7,6 @@ namespace Drupal\user\Plugin\views\access; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Session\AccountInterface; @@ -121,7 +120,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) { foreach ($permissions as $perm => $perm_item) { $provider = $perm_item['provider']; $display_name = $this->moduleHandler->getName($provider); - $perms[$display_name][$perm] = SafeMarkup::checkPlain(strip_tags($perm_item['title'])); + $perms[$display_name][$perm] = strip_tags($perm_item['title']); } $form['perm'] = array( diff --git a/core/modules/user/src/Plugin/views/access/Role.php b/core/modules/user/src/Plugin/views/access/Role.php index 4c2b732..360fe08 100644 --- a/core/modules/user/src/Plugin/views/access/Role.php +++ b/core/modules/user/src/Plugin/views/access/Role.php @@ -7,7 +7,6 @@ namespace Drupal\user\Plugin\views\access; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\user\RoleStorageInterface; use Drupal\views\Plugin\CacheablePluginInterface; @@ -97,7 +96,7 @@ public function summaryTitle() { else { $rids = user_role_names(); $rid = reset($this->options['role']); - return SafeMarkup::checkPlain($rids[$rid]); + return $rids[$rid]; } } @@ -115,7 +114,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) { '#type' => 'checkboxes', '#title' => $this->t('Role'), '#default_value' => $this->options['role'], - '#options' => array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names()), + '#options' => user_role_names(), '#description' => $this->t('Only the checked roles will be able to access this display.'), ); } diff --git a/core/modules/user/src/Plugin/views/argument/RolesRid.php b/core/modules/user/src/Plugin/views/argument/RolesRid.php index 7fd209d..c43989c 100644 --- a/core/modules/user/src/Plugin/views/argument/RolesRid.php +++ b/core/modules/user/src/Plugin/views/argument/RolesRid.php @@ -7,7 +7,6 @@ namespace Drupal\user\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\views\Plugin\views\argument\ManyToOne; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -60,7 +59,7 @@ public function title_query() { $entities = $this->roleStorage->loadMultiple($this->value); $titles = array(); foreach ($entities as $entity) { - $titles[] = SafeMarkup::checkPlain($entity->label()); + $titles[] = $entity->label(); } return $titles; } diff --git a/core/modules/user/src/Plugin/views/argument/Uid.php b/core/modules/user/src/Plugin/views/argument/Uid.php index c365009..1cd76e9 100644 --- a/core/modules/user/src/Plugin/views/argument/Uid.php +++ b/core/modules/user/src/Plugin/views/argument/Uid.php @@ -7,7 +7,6 @@ namespace Drupal\user\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\views\Plugin\views\argument\NumericArgument; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -61,7 +60,7 @@ public static function create(ContainerInterface $container, array $configuratio */ public function titleQuery() { return array_map(function($account) { - return SafeMarkup::checkPlain($account->label()); + return $account->label(); }, $this->storage->loadMultiple($this->value)); } diff --git a/core/modules/user/src/Plugin/views/argument_validator/User.php b/core/modules/user/src/Plugin/views/argument_validator/User.php index ede8dd5..49277c8 100644 --- a/core/modules/user/src/Plugin/views/argument_validator/User.php +++ b/core/modules/user/src/Plugin/views/argument_validator/User.php @@ -65,7 +65,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) { $form['roles'] = array( '#type' => 'checkboxes', '#title' => $this->t('Restrict to the selected roles'), - '#options' => array_map(array('\Drupal\Component\Utility\SafeMarkup', 'checkPlain'), user_role_names(TRUE)), + '#options' => user_role_names(TRUE), '#default_value' => $this->options['roles'], '#description' => $this->t('If no roles are selected, users from any role will be allowed.'), '#states' => array( diff --git a/core/modules/user/src/Plugin/views/field/Roles.php b/core/modules/user/src/Plugin/views/field/Roles.php index 403e9a4..9f8bfe2 100644 --- a/core/modules/user/src/Plugin/views/field/Roles.php +++ b/core/modules/user/src/Plugin/views/field/Roles.php @@ -7,7 +7,6 @@ namespace Drupal\user\Plugin\views\field; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Database\Connection; use Drupal\views\Plugin\views\display\DisplayPluginBase; use Drupal\views\ViewExecutable; @@ -81,7 +80,7 @@ public function preRender(&$values) { $roles = user_roles(); $result = $this->database->query('SELECT u.entity_id as uid, u.roles_target_id as rid FROM {user__roles} u WHERE u.entity_id IN ( :uids[] ) AND u.roles_target_id IN ( :rids[] )', array(':uids[]' => $uids, ':rids[]' => array_keys($roles))); foreach ($result as $role) { - $this->items[$role->uid][$role->rid]['role'] = SafeMarkup::checkPlain($roles[$role->rid]->label()); + $this->items[$role->uid][$role->rid]['role'] = $roles[$role->rid]->label(); $this->items[$role->uid][$role->rid]['rid'] = $role->rid; } // Sort the roles for each user by role weight. diff --git a/core/modules/user/src/Plugin/views/filter/Permissions.php b/core/modules/user/src/Plugin/views/filter/Permissions.php index a637705..f38344b 100644 --- a/core/modules/user/src/Plugin/views/filter/Permissions.php +++ b/core/modules/user/src/Plugin/views/filter/Permissions.php @@ -7,7 +7,6 @@ namespace Drupal\user\Plugin\views\filter; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\user\PermissionHandlerInterface; use Drupal\views\Plugin\views\filter\ManyToOne; @@ -76,7 +75,7 @@ public function getValueOptions() { foreach ($permissions as $perm => $perm_item) { $provider = $perm_item['provider']; $display_name = $this->moduleHandler->getName($provider); - $this->valueOptions[$display_name][$perm] = SafeMarkup::checkPlain(strip_tags($perm_item['title'])); + $this->valueOptions[$display_name][$perm] = strip_tags($perm_item['title']); } } else { diff --git a/core/modules/user/src/Tests/UserTokenReplaceTest.php b/core/modules/user/src/Tests/UserTokenReplaceTest.php index 508275c..661ce2f 100644 --- a/core/modules/user/src/Tests/UserTokenReplaceTest.php +++ b/core/modules/user/src/Tests/UserTokenReplaceTest.php @@ -7,7 +7,7 @@ namespace Drupal\user\Tests; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Render\BubbleableMetadata; use Drupal\language\Entity\ConfigurableLanguage; use Drupal\simpletest\WebTestBase; @@ -57,15 +57,15 @@ function testUserTokenReplacement() { // Generate and test sanitized tokens. $tests = array(); $tests['[user:uid]'] = $account->id(); - $tests['[user:name]'] = SafeMarkup::checkPlain(user_format_name($account)); - $tests['[user:mail]'] = SafeMarkup::checkPlain($account->getEmail()); + $tests['[user:name]'] = Html::escape(user_format_name($account)); + $tests['[user:mail]'] = Html::escape($account->getEmail()); $tests['[user:url]'] = $account->url('canonical', $url_options); $tests['[user:edit-url]'] = $account->url('edit-form', $url_options); $tests['[user:last-login]'] = format_date($account->getLastLoginTime(), 'medium', '', NULL, $language_interface->getId()); $tests['[user:last-login:short]'] = format_date($account->getLastLoginTime(), 'short', '', NULL, $language_interface->getId()); $tests['[user:created]'] = format_date($account->getCreatedTime(), 'medium', '', NULL, $language_interface->getId()); $tests['[user:created:short]'] = format_date($account->getCreatedTime(), 'short', '', NULL, $language_interface->getId()); - $tests['[current-user:name]'] = SafeMarkup::checkPlain(user_format_name($global_account)); + $tests['[current-user:name]'] = Html::escape(user_format_name($global_account)); $base_bubbleable_metadata = BubbleableMetadata::createFromObject($account); $metadata_tests = []; @@ -101,7 +101,7 @@ function testUserTokenReplacement() { $anonymous_user = User::load(0); $tests = []; $tests['[user:uid]'] = t('not yet assigned'); - $tests['[user:name]'] = SafeMarkup::checkPlain(user_format_name($anonymous_user)); + $tests['[user:name]'] = Html::escape(user_format_name($anonymous_user)); $base_bubbleable_metadata = BubbleableMetadata::createFromObject($anonymous_user); $metadata_tests = []; diff --git a/core/modules/user/src/Tests/Views/AccessPermissionTest.php b/core/modules/user/src/Tests/Views/AccessPermissionTest.php index 3e77e2a..8ac018b 100644 --- a/core/modules/user/src/Tests/Views/AccessPermissionTest.php +++ b/core/modules/user/src/Tests/Views/AccessPermissionTest.php @@ -35,7 +35,9 @@ function testAccessPerm() { $access_plugin = $view->display_handler->getPlugin('access'); $this->assertTrue($access_plugin instanceof Permission, 'Make sure the right class got instantiated.'); - $this->assertEqual($access_plugin->pluginTitle(), t('Permission')); + // The plugin title will be a tranlsation wrapper, cast to a string to test + // the value. + $this->assertEqual((string) $access_plugin->pluginTitle(), t('Permission')); $this->assertFalse($view->display_handler->access($this->webUser)); $this->assertTrue($view->display_handler->access($this->normalUser)); diff --git a/core/modules/user/src/Tests/Views/HandlerFilterPermissionTest.php b/core/modules/user/src/Tests/Views/HandlerFilterPermissionTest.php index 5ea1b0f..3521f68 100644 --- a/core/modules/user/src/Tests/Views/HandlerFilterPermissionTest.php +++ b/core/modules/user/src/Tests/Views/HandlerFilterPermissionTest.php @@ -7,7 +7,6 @@ namespace Drupal\user\Tests\Views; -use Drupal\Component\Utility\SafeMarkup; use Drupal\views\Views; /** @@ -86,7 +85,7 @@ public function testFilterPermission() { } foreach (array('system' => 'System', 'user' => 'User') as $module => $title) { $expected = array_map(function ($permission) { - return SafeMarkup::checkPlain(strip_tags($permission['title'])); + return strip_tags($permission['title']); }, $permission_by_module[$module]); $this->assertEqual($expected, $value_options[$title], 'Ensure the all permissions are available'); diff --git a/core/modules/user/src/UserListBuilder.php b/core/modules/user/src/UserListBuilder.php index 7575b86..85b52f2 100644 --- a/core/modules/user/src/UserListBuilder.php +++ b/core/modules/user/src/UserListBuilder.php @@ -138,7 +138,7 @@ public function buildRow(EntityInterface $entity) { ); $row['status'] = $entity->isActive() ? $this->t('active') : $this->t('blocked'); - $roles = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names(TRUE)); + $roles = user_role_names(TRUE); unset($roles[RoleInterface::AUTHENTICATED_ID]); $users_roles = array(); foreach ($entity->getRoles() as $role) { diff --git a/core/modules/user/tests/src/Unit/Views/Argument/RolesRidTest.php b/core/modules/user/tests/src/Unit/Views/Argument/RolesRidTest.php index 3a4db29..57699fb 100644 --- a/core/modules/user/tests/src/Unit/Views/Argument/RolesRidTest.php +++ b/core/modules/user/tests/src/Unit/Views/Argument/RolesRidTest.php @@ -7,7 +7,6 @@ namespace Drupal\Tests\user\Unit\Views\Argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\DependencyInjection\ContainerBuilder; use Drupal\Tests\UnitTestCase; use Drupal\user\Entity\Role; @@ -81,7 +80,7 @@ public function testTitleQuery() { $roles_rid_argument->value = array('test_rid_1', 'test_rid_2'); $titles = $roles_rid_argument->title_query(); - $this->assertEquals(array('test rid 1', SafeMarkup::checkPlain('test rid 2')), $titles); + $this->assertEquals(array('test rid 1', 'test rid 2'), $titles); } } diff --git a/core/modules/user/user.module b/core/modules/user/user.module index 5f990ca..2009857 100644 --- a/core/modules/user/user.module +++ b/core/modules/user/user.module @@ -1,7 +1,6 @@ hasPermission('access user profiles'); $external = FALSE; diff --git a/core/modules/user/user.tokens.inc b/core/modules/user/user.tokens.inc index 582c1cd..9cb61f6 100644 --- a/core/modules/user/user.tokens.inc +++ b/core/modules/user/user.tokens.inc @@ -5,7 +5,7 @@ * Builds placeholder replacement tokens for user-related data. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Datetime\Entity\DateFormat; use Drupal\Core\Render\BubbleableMetadata; use Drupal\user\Entity\User; @@ -97,11 +97,11 @@ function user_tokens($type, $tokens, array $data, array $options, BubbleableMeta if ($account->isAnonymous()) { $bubbleable_metadata->addCacheableDependency(\Drupal::config('user.settings')); } - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($name) : $name; + $replacements[$original] = $sanitize ? Html::escape($name) : $name; break; case 'mail': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($account->getEmail()) : $account->getEmail(); + $replacements[$original] = $sanitize ? Html::escape($account->getEmail()) : $account->getEmail(); break; case 'url': diff --git a/core/modules/views/src/Plugin/views/HandlerBase.php b/core/modules/views/src/Plugin/views/HandlerBase.php index f2e5604..a891fbf 100644 --- a/core/modules/views/src/Plugin/views/HandlerBase.php +++ b/core/modules/views/src/Plugin/views/HandlerBase.php @@ -7,7 +7,7 @@ namespace Drupal\views\Plugin\views; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\UrlHelper; use Drupal\Component\Utility\Xss; @@ -181,8 +181,7 @@ protected function defineOptions() { */ public function adminLabel($short = FALSE) { if (!empty($this->options['admin_label'])) { - $title = SafeMarkup::checkPlain($this->options['admin_label']); - return $title; + return $this->options['admin_label']; } $title = ($short && isset($this->definition['title short'])) ? $this->definition['title short'] : $this->definition['title']; return $this->t('!group: !title', array('!group' => $this->definition['group'], '!title' => $title)); @@ -230,10 +229,10 @@ public function sanitizeValue($value, $type = NULL) { $value = Xss::filterAdmin($value); break; case 'url': - $value = SafeMarkup::checkPlain(UrlHelper::stripDangerousProtocols($value)); + $value = Html::escape(UrlHelper::stripDangerousProtocols($value)); break; default: - $value = SafeMarkup::checkPlain($value); + $value = Html::escape($value); break; } return $value; diff --git a/core/modules/views/src/Plugin/views/PluginBase.php b/core/modules/views/src/Plugin/views/PluginBase.php index e56dcae..6811136 100644 --- a/core/modules/views/src/Plugin/views/PluginBase.php +++ b/core/modules/views/src/Plugin/views/PluginBase.php @@ -8,7 +8,7 @@ namespace Drupal\views\Plugin\views; use Drupal\Component\Plugin\DependentPluginInterface; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; @@ -314,9 +314,9 @@ public function summaryTitle() { public function pluginTitle() { // Short_title is optional so its defaults to an empty string. if (!empty($this->definition['short_title'])) { - return SafeMarkup::checkPlain($this->definition['short_title']); + return $this->definition['short_title']; } - return SafeMarkup::checkPlain($this->definition['title']); + return $this->definition['title']; } /** @@ -365,7 +365,8 @@ protected function viewsTokenReplace($text, $tokens) { if (strpos($token, '{{') !== FALSE) { // Twig wants a token replacement array stripped of curly-brackets. $token = trim(str_replace(array('{', '}'), '', $token)); - $twig_tokens[$token] = $replacement; + // Twig will auto-escape any encoded HTML entities. + $twig_tokens[$token] = Html::decodeEntities($replacement); } else { $other_tokens[$token] = $replacement; diff --git a/core/modules/views/src/Plugin/views/ViewsHandlerInterface.php b/core/modules/views/src/Plugin/views/ViewsHandlerInterface.php index 1775d99..6916fbb 100644 --- a/core/modules/views/src/Plugin/views/ViewsHandlerInterface.php +++ b/core/modules/views/src/Plugin/views/ViewsHandlerInterface.php @@ -72,7 +72,8 @@ public function getJoin(); * @param $value * The value being rendered. * @param $type - * The type of sanitization needed. If not provided, SafeMarkup::checkPlain() is used. + * The type of sanitization needed. If not provided, + * \Drupal\Component\Utility\Html::escape() is used. * * @return string * Returns the safe value. diff --git a/core/modules/views/src/Plugin/views/area/Result.php b/core/modules/views/src/Plugin/views/area/Result.php index 02017e3..3079f0d 100644 --- a/core/modules/views/src/Plugin/views/area/Result.php +++ b/core/modules/views/src/Plugin/views/area/Result.php @@ -7,7 +7,7 @@ namespace Drupal\views\Plugin\views\area; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Form\FormStateInterface; use Drupal\views\Plugin\views\style\DefaultSummary; @@ -87,7 +87,7 @@ public function render($empty = FALSE) { // @TODO: Maybe use a possible is views empty functionality. // Not every view has total_rows set, use view->result instead. $total = isset($this->view->total_rows) ? $this->view->total_rows : count($this->view->result); - $label = SafeMarkup::checkPlain($this->view->storage->label()); + $label = Html::escape($this->view->storage->label()); if ($per_page === 0) { $page_count = 1; $start = 1; diff --git a/core/modules/views/src/Plugin/views/argument/ArgumentPluginBase.php b/core/modules/views/src/Plugin/views/argument/ArgumentPluginBase.php index a1f1c5e..b95e942 100644 --- a/core/modules/views/src/Plugin/views/argument/ArgumentPluginBase.php +++ b/core/modules/views/src/Plugin/views/argument/ArgumentPluginBase.php @@ -10,7 +10,6 @@ use Drupal\Component\Plugin\DependentPluginInterface; use Drupal\Component\Utility\Html; use Drupal\Component\Utility\NestedArray; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Render\Element; use Drupal\views\Plugin\CacheablePluginInterface; @@ -882,7 +881,7 @@ public function summaryName($data) { if (empty($value) && !empty($this->definition['empty field name'])) { $value = $this->definition['empty field name']; } - return SafeMarkup::checkPlain($value); + return $value; } /** @@ -901,7 +900,7 @@ public function query($group_by = FALSE) { * This usually needs to be overridden to provide a proper title. */ function title() { - return SafeMarkup::checkPlain($this->argument); + return $this->argument; } /** diff --git a/core/modules/views/src/Plugin/views/argument/FieldList.php b/core/modules/views/src/Plugin/views/argument/FieldList.php index 9764f0f..b149cd0 100644 --- a/core/modules/views/src/Plugin/views/argument/FieldList.php +++ b/core/modules/views/src/Plugin/views/argument/FieldList.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Field\AllowedTagsXssTrait; use Drupal\Core\Form\FormStateInterface; use Drupal\views\ViewExecutable; @@ -74,7 +73,7 @@ public function summaryName($data) { } // else fallback to the key. else { - return SafeMarkup::checkPlain($value); + return $value; } } diff --git a/core/modules/views/src/Plugin/views/argument/ListString.php b/core/modules/views/src/Plugin/views/argument/ListString.php index 202d070..6ee549c 100644 --- a/core/modules/views/src/Plugin/views/argument/ListString.php +++ b/core/modules/views/src/Plugin/views/argument/ListString.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\argument; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Field\AllowedTagsXssTrait; use Drupal\Core\Form\FormStateInterface; use Drupal\views\ViewExecutable; @@ -76,7 +75,7 @@ public function summaryName($data) { } // else fallback to the key. else { - return $this->caseTransform(SafeMarkup::checkPlain($value), $this->options['case']); + return $this->caseTransform($value, $this->options['case']); } } diff --git a/core/modules/views/src/Plugin/views/argument/StringArgument.php b/core/modules/views/src/Plugin/views/argument/StringArgument.php index d417e81..a9c146d 100644 --- a/core/modules/views/src/Plugin/views/argument/StringArgument.php +++ b/core/modules/views/src/Plugin/views/argument/StringArgument.php @@ -317,7 +317,7 @@ function title() { * Override for specific title lookups. */ public function titleQuery() { - return array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', array_combine($this->value, $this->value)); + return array_combine($this->value, $this->value); } public function summaryName($data) { diff --git a/core/modules/views/src/Plugin/views/display/Attachment.php b/core/modules/views/src/Plugin/views/display/Attachment.php index dcc4282..8a36066 100644 --- a/core/modules/views/src/Plugin/views/display/Attachment.php +++ b/core/modules/views/src/Plugin/views/display/Attachment.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\display; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\views\ViewExecutable; @@ -92,7 +91,7 @@ public function optionsSummary(&$categories, &$options) { elseif (count($displays) == 1) { $display = array_shift($displays); if ($display = $this->view->storage->getDisplay($display)) { - $attach_to = SafeMarkup::checkPlain($display['display_title']); + $attach_to = $display['display_title']; } } diff --git a/core/modules/views/src/Plugin/views/display/Block.php b/core/modules/views/src/Plugin/views/display/Block.php index 411c50e..08e4467 100644 --- a/core/modules/views/src/Plugin/views/display/Block.php +++ b/core/modules/views/src/Plugin/views/display/Block.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\display; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\views\Plugin\Block\ViewsBlock; @@ -149,7 +148,7 @@ public function optionsSummary(&$categories, &$options) { if (empty($block_description)) { $block_description = $this->t('None'); } - $block_category = SafeMarkup::checkPlain($this->getOption('block_category')); + $block_category = $this->getOption('block_category'); $options['block_description'] = array( 'category' => 'block', diff --git a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php index f9ae57a..708f67a 100644 --- a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php +++ b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php @@ -1062,7 +1062,7 @@ public function getArgumentsTokens() { } // Use strip tags as there should never be HTML in the path. // However, we need to preserve special characters like " that - // were removed by SafeMarkup::checkPlain(). + // were removed by \Drupal\Component\Utility\Html::escape(). $tokens["!$count"] = isset($this->view->args[$count - 1]) ? strip_tags(Html::decodeEntities($this->view->args[$count - 1])) : ''; } @@ -1394,7 +1394,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) { if ($this->defaultableSections($section)) { views_ui_standard_display_dropdown($form, $form_state, $section); } - $form['#title'] = SafeMarkup::checkPlain($this->display['display_title']) . ': '; + $form['#title'] = $this->display['display_title'] . ': '; // Set the 'section' to highlight on the form. // If it's the item we're looking at is pulling from the default display, diff --git a/core/modules/views/src/Plugin/views/display/Feed.php b/core/modules/views/src/Plugin/views/display/Feed.php index e4da10e..f42f892 100644 --- a/core/modules/views/src/Plugin/views/display/Feed.php +++ b/core/modules/views/src/Plugin/views/display/Feed.php @@ -7,10 +7,10 @@ namespace Drupal\views\Plugin\views\display; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Cache\CacheableMetadata; use Drupal\Core\Cache\CacheableResponse; use Drupal\Core\Form\FormStateInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\views\ViewExecutable; use Drupal\views\Views; use Symfony\Component\HttpFoundation\Response; @@ -99,7 +99,12 @@ public function preview() { if (!empty($this->view->live_preview)) { $output = array( '#prefix' => '

    ',
-        '#markup' => SafeMarkup::checkPlain(drupal_render_root($output)),
+        // Cast the result of rendering to a string so it loses its
+        // SafeStringInterface object wrapper. Do this so that the
+        // #safe_strategy takes effect and escapes the markup. Unlike most
+        // things this intends to display the actual markup.
+        '#markup' => (string) drupal_render_root($output),
+        '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE,
         '#suffix' => '
    ', ); } @@ -204,7 +209,7 @@ public function optionsSummary(&$categories, &$options) { $display = array_shift($displays); $displays = $this->view->storage->get('display'); if (!empty($displays[$display])) { - $attach_to = SafeMarkup::checkPlain($displays[$display]['display_title']); + $attach_to = $displays[$display]['display_title']; } } diff --git a/core/modules/views/src/Plugin/views/exposed_form/ExposedFormPluginBase.php b/core/modules/views/src/Plugin/views/exposed_form/ExposedFormPluginBase.php index d17f70c..d4eb125 100644 --- a/core/modules/views/src/Plugin/views/exposed_form/ExposedFormPluginBase.php +++ b/core/modules/views/src/Plugin/views/exposed_form/ExposedFormPluginBase.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\exposed_form; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormState; use Drupal\Core\Form\FormStateInterface; use Drupal\views\Form\ViewsExposedForm; @@ -211,7 +210,7 @@ public function exposedFormAlter(&$form, FormStateInterface $form_state) { $exposed_sorts = array(); foreach ($this->view->sort as $id => $handler) { if ($handler->canExpose() && $handler->isExposed()) { - $exposed_sorts[$id] = SafeMarkup::checkPlain($handler->options['expose']['label']); + $exposed_sorts[$id] = $handler->options['expose']['label']; } } diff --git a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php index 310997c..64e4501 100644 --- a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php +++ b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php @@ -1395,7 +1395,7 @@ protected function renderAsLink($alter, $text, $tokens) { // Use strip tags as there should never be HTML in the path. // However, we need to preserve special characters like " that - // were removed by SafeMarkup::checkPlain(). + // were removed by \Drupal\Component\Utility\Html::escape(). $path = strip_tags(Html::decodeEntities($this->viewsTokenReplace($path, $tokens))); if (!empty($alter['path_case']) && $alter['path_case'] != 'none' && !$alter['url']->isRouted()) { @@ -1481,8 +1481,7 @@ protected function renderAsLink($alter, $text, $tokens) { $options['attributes']['rel'] = $rel; } - // Not sure if this SafeMarkup::checkPlain() is needed here? - $target = SafeMarkup::checkPlain(trim($this->viewsTokenReplace($alter['target'], $tokens))); + $target = trim($this->viewsTokenReplace($alter['target'], $tokens)); if (!empty($target)) { $options['attributes']['target'] = $target; } @@ -1564,7 +1563,7 @@ public function getRenderTokens($item) { // Use strip tags as there should never be HTML in the path. // However, we need to preserve special characters like " that - // were removed by SafeMarkup::checkPlain(). + // were removed by \Drupal\Component\Utility\Html::escape(). $tokens['!' . $count] = isset($this->view->args[$count - 1]) ? strip_tags(Html::decodeEntities($this->view->args[$count - 1])) : ''; } diff --git a/core/modules/views/src/Plugin/views/field/MachineName.php b/core/modules/views/src/Plugin/views/field/MachineName.php index 0c289cd..55ab72b 100644 --- a/core/modules/views/src/Plugin/views/field/MachineName.php +++ b/core/modules/views/src/Plugin/views/field/MachineName.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\field; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\views\ResultRow; @@ -83,7 +82,7 @@ public function preRender(&$values) { public function render(ResultRow $values) { $value = $values->{$this->field_alias}; if (!empty($this->options['machine_name']) || !isset($this->valueOptions[$value])) { - $result = SafeMarkup::checkPlain($value); + $result = $value; } else { $result = $this->valueOptions[$value]; diff --git a/core/modules/views/src/Plugin/views/field/Serialized.php b/core/modules/views/src/Plugin/views/field/Serialized.php index f7f5a22..796440b 100644 --- a/core/modules/views/src/Plugin/views/field/Serialized.php +++ b/core/modules/views/src/Plugin/views/field/Serialized.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\field; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\views\ResultRow; @@ -76,11 +75,11 @@ public function render(ResultRow $values) { $value = $values->{$this->field_alias}; if ($this->options['format'] == 'unserialized') { - return SafeMarkup::checkPlain(print_r(unserialize($value), TRUE)); + return print_r(unserialize($value), TRUE); } elseif ($this->options['format'] == 'key' && !empty($this->options['key'])) { $value = (array) unserialize($value); - return SafeMarkup::checkPlain($value[$this->options['key']]); + return $value[$this->options['key']]; } return $value; diff --git a/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php b/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php index d2e9fe8..96121f7 100644 --- a/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php +++ b/core/modules/views/src/Plugin/views/filter/FilterPluginBase.php @@ -14,7 +14,6 @@ use Drupal\views\Plugin\CacheablePluginInterface; use Drupal\views\Plugin\views\HandlerBase; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\views\Plugin\views\display\DisplayPluginBase; use Drupal\views\ViewExecutable; @@ -172,7 +171,7 @@ protected function defineOptions() { * Display the filter on the administrative summary */ public function adminSummary() { - return SafeMarkup::checkPlain((string) $this->operator) . ' ' . SafeMarkup::checkPlain((string) $this->value); + return Html::escape((string) $this->operator) . ' ' . Html::escape((string) $this->value); } /** @@ -595,7 +594,7 @@ public function buildExposeForm(&$form, FormStateInterface $form_state) { '#default_value' => $this->options['expose']['remember'], ); - $role_options = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names()); + $role_options = user_role_names(); $form['expose']['remember_roles'] = array( '#type' => 'checkboxes', '#title' => $this->t('User roles'), @@ -766,7 +765,7 @@ public function groupForm(&$form, FormStateInterface $form_state) { $value = $this->options['group_info']['identifier']; $form[$value] = array( - '#title' => SafeMarkup::checkPlain($this->options['group_info']['label']), + '#title' => $this->options['group_info']['label'], '#type' => $this->options['group_info']['widget'], '#default_value' => $this->group_info, '#options' => $groups, diff --git a/core/modules/views/src/Plugin/views/filter/InOperator.php b/core/modules/views/src/Plugin/views/filter/InOperator.php index d08aa00..469974c 100644 --- a/core/modules/views/src/Plugin/views/filter/InOperator.php +++ b/core/modules/views/src/Plugin/views/filter/InOperator.php @@ -7,7 +7,7 @@ namespace Drupal\views\Plugin\views\filter; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Unicode; use Drupal\Core\Form\FormStateInterface; use Drupal\views\Plugin\views\display\DisplayPluginBase; @@ -335,7 +335,7 @@ public function adminSummary() { return; } - $operator = SafeMarkup::checkPlain($info[$this->operator]['short']); + $operator = $info[$this->operator]['short']; $values = ''; if (in_array($this->operator, $this->operatorValues(1))) { // Remove every element which is not known. @@ -351,13 +351,13 @@ public function adminSummary() { else if (count($this->value) == 1) { // If any, use the 'single' short name of the operator instead. if (isset($info[$this->operator]['short_single'])) { - $operator = SafeMarkup::checkPlain($info[$this->operator]['short_single']); + $operator = $info[$this->operator]['short_single']; } $keys = $this->value; $value = array_shift($keys); if (isset($this->valueOptions[$value])) { - $values = SafeMarkup::checkPlain($this->valueOptions[$value]); + $values = $this->valueOptions[$value]; } else { $values = ''; @@ -373,13 +373,13 @@ public function adminSummary() { break; } if (isset($this->valueOptions[$value])) { - $values .= SafeMarkup::checkPlain($this->valueOptions[$value]); + $values .= $this->valueOptions[$value]; } } } } - return $operator . (($values !== '') ? ' ' . $values : ''); + return Html::escape($operator . (($values !== '') ? ' ' . $values : '')); } public function query() { diff --git a/core/modules/views/src/Plugin/views/filter/NumericFilter.php b/core/modules/views/src/Plugin/views/filter/NumericFilter.php index f88e3a6..51bd8f7 100644 --- a/core/modules/views/src/Plugin/views/filter/NumericFilter.php +++ b/core/modules/views/src/Plugin/views/filter/NumericFilter.php @@ -7,7 +7,6 @@ namespace Drupal\views\Plugin\views\filter; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Database\Database; use Drupal\Core\Form\FormStateInterface; @@ -292,12 +291,12 @@ public function adminSummary() { } $options = $this->operatorOptions('short'); - $output = SafeMarkup::checkPlain($options[$this->operator]); + $output = $options[$this->operator]; if (in_array($this->operator, $this->operatorValues(2))) { $output .= ' ' . $this->t('@min and @max', array('@min' => $this->value['min'], '@max' => $this->value['max'])); } elseif (in_array($this->operator, $this->operatorValues(1))) { - $output .= ' ' . SafeMarkup::checkPlain($this->value['value']); + $output .= ' ' . $this->value['value']; } return $output; } diff --git a/core/modules/views/src/Plugin/views/filter/StringFilter.php b/core/modules/views/src/Plugin/views/filter/StringFilter.php index 9713351..972aa3c 100644 --- a/core/modules/views/src/Plugin/views/filter/StringFilter.php +++ b/core/modules/views/src/Plugin/views/filter/StringFilter.php @@ -7,7 +7,7 @@ namespace Drupal\views\Plugin\views\filter; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Database\Database; use Drupal\Core\Form\FormStateInterface; @@ -162,10 +162,10 @@ public function adminSummary() { $options = $this->operatorOptions('short'); $output = ''; if (!empty($options[$this->operator])) { - $output = SafeMarkup::checkPlain($options[$this->operator]); + $output = Html::escape($options[$this->operator]); } if (in_array($this->operator, $this->operatorValues(1))) { - $output .= ' ' . SafeMarkup::checkPlain($this->value); + $output .= ' ' . Html::escape($this->value); } return $output; } diff --git a/core/modules/views/src/Plugin/views/row/EntityRow.php b/core/modules/views/src/Plugin/views/row/EntityRow.php index e95e5fa..ae6ee35 100644 --- a/core/modules/views/src/Plugin/views/row/EntityRow.php +++ b/core/modules/views/src/Plugin/views/row/EntityRow.php @@ -7,7 +7,7 @@ namespace Drupal\views\Plugin\views\row; -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageManagerInterface; @@ -160,7 +160,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) { public function summaryTitle() { $options = \Drupal::entityManager()->getViewModeOptions($this->entityTypeId); if (isset($options[$this->options['view_mode']])) { - return SafeMarkup::checkPlain($options[$this->options['view_mode']]); + return Html::escape($options[$this->options['view_mode']]); } else { return $this->t('No view mode selected'); diff --git a/core/modules/views/src/Tests/SearchIntegrationTest.php b/core/modules/views/src/Tests/SearchIntegrationTest.php index 2edd22d..78c43ac 100644 --- a/core/modules/views/src/Tests/SearchIntegrationTest.php +++ b/core/modules/views/src/Tests/SearchIntegrationTest.php @@ -108,15 +108,16 @@ public function testSearchIntegration() { 'type' => $type->id(), ]; $this->drupalCreateNode($node); - $node['title'] = "Drupal's search rocks really rocks!"; + $node['title'] = "Drupal's search rocks really rocks!"; $this->drupalCreateNode($node); $this->cronRun(); $this->drupalGet('test-arg/rocks'); $xpath = '//div[@class="views-row"]//a'; /** @var \SimpleXMLElement[] $results */ $results = $this->xpath($xpath); - $this->assertEqual((string) $results[0], "Drupal's search rocks really rocks!"); + $this->assertEqual((string) $results[0], "Drupal's search rocks really rocks!"); $this->assertEqual((string) $results[1], "Drupal's search rocks."); + $this->assertEscaped("Drupal's search rocks really rocks!"); // Test sorting with another set of titles. $node = [ diff --git a/core/modules/views/src/Views.php b/core/modules/views/src/Views.php index 33570ae..6f11b4a 100644 --- a/core/modules/views/src/Views.php +++ b/core/modules/views/src/Views.php @@ -7,8 +7,6 @@ namespace Drupal\views; -use Drupal\Component\Utility\SafeMarkup; - /** * Static service container wrapper for views. */ @@ -398,8 +396,8 @@ public static function pluginList() { if (!isset($plugins[$key])) { $plugins[$key] = array( 'type' => $type, - 'title' => SafeMarkup::checkPlain($info[$name]['title']), - 'provider' => SafeMarkup::checkPlain($info[$name]['provider']), + 'title' => $info[$name]['title'], + 'provider' => $info[$name]['provider'], 'views' => array(), ); } diff --git a/core/modules/views/views.module b/core/modules/views/views.module index b321940..fee9570 100644 --- a/core/modules/views/views.module +++ b/core/modules/views/views.module @@ -66,8 +66,8 @@ function views_views_pre_render($view) { 'views_dom_id:' . $view->dom_id => array( 'view_name' => $view->storage->id(), 'view_display_id' => $view->current_display, - 'view_args' => SafeMarkup::checkPlain(implode('/', $view->args)), - 'view_path' => SafeMarkup::checkPlain(Url::fromRoute('')->toString()), + 'view_args' => Html::escape(implode('/', $view->args)), + 'view_path' => Html::escape(Url::fromRoute('')->toString()), 'view_base_path' => $view->getPath(), 'view_dom_id' => $view->dom_id, // To fit multiple views on a page, the programmer may have diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc index 4853613..42c38df 100644 --- a/core/modules/views/views.theme.inc +++ b/core/modules/views/views.theme.inc @@ -469,7 +469,7 @@ function template_preprocess_views_view_table(&$variables) { // Render the header labels. if ($field == $column && empty($fields[$field]->options['exclude'])) { - $label = SafeMarkup::checkPlain(!empty($fields[$field]) ? $fields[$field]->label() : ''); + $label = !empty($fields[$field]) ? $fields[$field]->label() : ''; if (empty($options['info'][$field]['sortable']) || !$fields[$field]->clickSortable()) { $variables['header'][$field]['content'] = $label; } @@ -857,7 +857,7 @@ function template_preprocess_views_view_rss(&$variables) { // The RSS 2.0 "spec" doesn't indicate HTML can be used in the description. // We strip all HTML tags, but need to prevent double encoding from properly // escaped source data (such as & becoming &amp;). - $variables['description'] = SafeMarkup::checkPlain(Html::decodeEntities(strip_tags($style->getDescription()))); + $variables['description'] = Html::decodeEntities(strip_tags($style->getDescription())); if ($view->display_handler->getOption('sitename_title')) { $title = $config->get('name'); @@ -868,7 +868,7 @@ function template_preprocess_views_view_rss(&$variables) { else { $title = $view->getTitle(); } - $variables['title'] = SafeMarkup::checkPlain($title); + $variables['title'] = $title; // Figure out which display which has a path we're using for this feed. If // there isn't one, use the global $base_url @@ -894,7 +894,7 @@ function template_preprocess_views_view_rss(&$variables) { $variables['link'] = $url_string; } - $variables['langcode'] = SafeMarkup::checkPlain(\Drupal::languageManager()->getCurrentLanguage()->getId()); + $variables['langcode'] = \Drupal::languageManager()->getCurrentLanguage()->getId(); $variables['namespaces'] = new Attribute($style->namespaces); $variables['items'] = $items; $variables['channel_elements'] = \Drupal::service('renderer')->render($style->channel_elements); @@ -959,7 +959,7 @@ function template_preprocess_views_view_opml(&$variables) { else { $title = $view->getTitle(); } - $variables['title'] = SafeMarkup::checkPlain($title); + $variables['title'] = $title; $variables['items'] = $items; $variables['updated'] = gmdate(DATE_RFC2822, REQUEST_TIME); diff --git a/core/modules/views/views.tokens.inc b/core/modules/views/views.tokens.inc index eb766bc..33d162b 100644 --- a/core/modules/views/views.tokens.inc +++ b/core/modules/views/views.tokens.inc @@ -5,7 +5,7 @@ * Token integration for the views module. */ -use Drupal\Component\Utility\SafeMarkup; +use Drupal\Component\Utility\Html; use Drupal\Core\Render\BubbleableMetadata; /** @@ -87,11 +87,11 @@ function views_tokens($type, $tokens, array $data, array $options, BubbleableMet foreach ($tokens as $name => $original) { switch ($name) { case 'label': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($view->storage->label()) : $view->storage->label(); + $replacements[$original] = $sanitize ? Html::escape($view->storage->label()) : $view->storage->label(); break; case 'description': - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($view->storage->get('description')) : $view->storage->get('description'); + $replacements[$original] = $sanitize ? Html::escape($view->storage->get('description')) : $view->storage->get('description'); break; case 'id': @@ -100,7 +100,7 @@ function views_tokens($type, $tokens, array $data, array $options, BubbleableMet case 'title': $title = $view->getTitle(); - $replacements[$original] = $sanitize ? SafeMarkup::checkPlain($title) : $title; + $replacements[$original] = $sanitize ? Html::escape($title) : $title; break; case 'url': diff --git a/core/modules/views_ui/src/Controller/ViewsUIController.php b/core/modules/views_ui/src/Controller/ViewsUIController.php index b40bfc8..1463d37 100644 --- a/core/modules/views_ui/src/Controller/ViewsUIController.php +++ b/core/modules/views_ui/src/Controller/ViewsUIController.php @@ -89,7 +89,7 @@ public function reportFields() { $header = array(t('Field name'), t('Used in')); $rows = array(); foreach ($fields as $field_name => $views) { - $rows[$field_name]['data'][0] = SafeMarkup::checkPlain($field_name); + $rows[$field_name]['data'][0] = $field_name; foreach ($views as $view) { $rows[$field_name]['data'][1][] = $this->l($view, new Url('entity.view.edit_form', array('view' => $view))); } diff --git a/core/modules/views_ui/src/Form/Ajax/RearrangeFilter.php b/core/modules/views_ui/src/Form/Ajax/RearrangeFilter.php index 06bbd0a..fcd5584 100644 --- a/core/modules/views_ui/src/Form/Ajax/RearrangeFilter.php +++ b/core/modules/views_ui/src/Form/Ajax/RearrangeFilter.php @@ -7,7 +7,6 @@ namespace Drupal\views_ui\Form\Ajax; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\views\ViewExecutable; @@ -52,7 +51,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { return $form; } $display = $executable->displayHandlers->get($display_id); - $form['#title'] = SafeMarkup::checkPlain($display->display['display_title']) . ': '; + $form['#title'] = $display->display['display_title'] . ': '; $form['#title'] .= $this->t('Rearrange @type', array('@type' => $types[$type]['ltitle'])); $form['#section'] = $display_id . 'rearrange-item'; diff --git a/core/modules/views_ui/src/Tests/XssTest.php b/core/modules/views_ui/src/Tests/XssTest.php index 21080cb..36b227c 100644 --- a/core/modules/views_ui/src/Tests/XssTest.php +++ b/core/modules/views_ui/src/Tests/XssTest.php @@ -23,14 +23,14 @@ class XssTest extends UITestBase { public function testViewsUi() { $this->drupalGet('admin/structure/views'); - $this->assertRaw('<script>alert("foo");</script>, <marquee>test</marquee>', 'The view tag is properly escaped.'); + $this->assertEscaped(', test', 'The view tag is properly escaped.'); $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035'); - $this->assertRaw('&lt;marquee&gt;test&lt;/marquee&gt;', 'Field admin label is properly escaped.'); + $this->assertEscaped('test', 'Field admin label is properly escaped.'); $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area'); - $this->assertRaw('[title] == &lt;marquee&gt;test&lt;/marquee&gt;', 'Token label is properly escaped.'); - $this->assertRaw('[title_1] == &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;', 'Token label is properly escaped.'); + $this->assertEscaped('[title] == test', 'Token label is properly escaped.'); + $this->assertEscaped('[title_1] == ', 'Token label is properly escaped.'); } } diff --git a/core/modules/views_ui/src/ViewEditForm.php b/core/modules/views_ui/src/ViewEditForm.php index 8cd4e7b..48d6d6d 100644 --- a/core/modules/views_ui/src/ViewEditForm.php +++ b/core/modules/views_ui/src/ViewEditForm.php @@ -494,7 +494,7 @@ public function getDisplayDetails($view, $display) { $build['top']['display_title'] = array( '#theme' => 'views_ui_display_tab_setting', '#description' => $this->t('Display name'), - '#link' => $view->getExecutable()->displayHandlers->get($display['id'])->optionLink(SafeMarkup::checkPlain($display_title), 'display_title'), + '#link' => $view->getExecutable()->displayHandlers->get($display['id'])->optionLink(Html::escape($display_title), 'display_title'), ); } @@ -1062,7 +1062,7 @@ public function getFormBucket(ViewUI $view, $type, $display) { continue; } - $field_name = SafeMarkup::checkPlain($handler->adminLabel(TRUE)); + $field_name = $handler->adminLabel(TRUE); if (!empty($field['relationship']) && !empty($relationships[$field['relationship']])) { $field_name = '(' . $relationships[$field['relationship']] . ') ' . $field_name; } diff --git a/core/modules/views_ui/src/ViewListBuilder.php b/core/modules/views_ui/src/ViewListBuilder.php index 00be178..44fc3ae 100644 --- a/core/modules/views_ui/src/ViewListBuilder.php +++ b/core/modules/views_ui/src/ViewListBuilder.php @@ -13,6 +13,7 @@ use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityStorageInterface; use Drupal\Core\Entity\EntityTypeInterface; +use Drupal\Core\Render\Element\Markup; use Drupal\Core\Url; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -108,7 +109,8 @@ public function buildRow(EntityInterface $view) { ), 'description' => array( 'data' => array( - '#markup' => SafeMarkup::checkPlain($view->get('description')), + '#markup' => $view->get('description'), + '#safe_strategy' => Markup::SAFE_STRATEGY_ESCAPE, ), 'class' => array('views-table-filter-text-source'), ), @@ -278,7 +280,7 @@ protected function getDisplayPaths(EntityInterface $view) { $all_paths[] = \Drupal::l('/' . $path, Url::fromUserInput('/' . $path)); } else { - $all_paths[] = SafeMarkup::checkPlain('/' . $path); + $all_paths[] = '/' . $path; } } } diff --git a/core/tests/Drupal/KernelTests/KernelTestBase.php b/core/tests/Drupal/KernelTests/KernelTestBase.php index 376fed2..f235839 100644 --- a/core/tests/Drupal/KernelTests/KernelTestBase.php +++ b/core/tests/Drupal/KernelTests/KernelTestBase.php @@ -7,6 +7,7 @@ namespace Drupal\KernelTests; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Config\ConfigImporter; use Drupal\Core\Config\StorageComparer; @@ -844,7 +845,7 @@ protected function render(array &$elements) { $content = $this->container->get('renderer')->render($elements); drupal_process_attached($elements); $this->setRawContent($content); - $this->verbose('
    ' . SafeMarkup::checkPlain($content));
+    $this->verbose('
    ' . Html::escape($content));
     return $content;
   }
 
diff --git a/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php b/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
index 178a662..28a2846 100644
--- a/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
@@ -231,7 +231,7 @@ public function testDecodeEntities($text, $expected) {
   /**
    * Data provider for testDecodeEntities().
    *
-   * @see testCheckPlain()
+   * @see testDecodeEntities()
    */
   public function providerDecodeEntities() {
     return array(
@@ -272,7 +272,7 @@ public function testEscape($expected, $text) {
   /**
    * Data provider for testEscape().
    *
-   * @see testCheckPlain()
+   * @see testEscape()
    */
   public function providerEscape() {
     return array(
diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
index 366e8b9..d473c72 100644
--- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
@@ -115,44 +115,6 @@ public function testInvalidSetMultiple() {
   }
 
   /**
-   * Tests SafeMarkup::checkPlain().
-   *
-   * @dataProvider providerCheckPlain
-   * @covers ::checkPlain
-   *
-   * @param string $text
-   *   The text to provide to SafeMarkup::checkPlain().
-   * @param string $expected
-   *   The expected output from the function.
-   * @param string $message
-   *   The message to provide as output for the test.
-   * @param bool $ignorewarnings
-   *   Whether or not to ignore PHP 5.3+ invalid multibyte sequence warnings.
-   */
-  function testCheckPlain($text, $expected, $message, $ignorewarnings = FALSE) {
-    $result = $ignorewarnings ? @SafeMarkup::checkPlain($text) : SafeMarkup::checkPlain($text);
-    $this->assertEquals($expected, $result, $message);
-  }
-
-  /**
-   * Data provider for testCheckPlain().
-   *
-   * @see testCheckPlain()
-   */
-  function providerCheckPlain() {
-    // Checks that invalid multi-byte sequences are escaped.
-    $tests[] = array("Foo\xC0barbaz", 'Foo�barbaz', 'SafeMarkup::checkPlain() escapes invalid sequence "Foo\xC0barbaz"', TRUE);
-    $tests[] = array("\xc2\"", '�"', 'SafeMarkup::checkPlain() escapes invalid sequence "\xc2\""', TRUE);
-    $tests[] = array("Fooÿñ", "Fooÿñ", 'SafeMarkup::checkPlain() does not escape valid sequence "Fooÿñ"');
-
-    // Checks that special characters are escaped.
-    $tests[] = array("