diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index 5dc3afe..3d4bec9 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -80,26 +80,19 @@ public static function preRenderHtmlTag($element) {
 // Construct a void element.
 if (in_array($element['#tag'], self::$voidElements)) {
- // This function is intended for internal use, so we assume that no unsafe
- // values are passed in #tag. The attributes are already safe because
- // Attribute output is already automatically sanitized.
- // @todo Escape this properly instead? https://www.drupal.org/node/2296101
- $markup = SafeMarkup::set('<' . $element['#tag'] . $attributes . " />\n");
+ $markup = SafeMarkup::format("<@tag@attributes />\n", ['@tag' => $element['#tag'], '@attributes' => $attributes]);
 }
 // Construct all other elements.
 else {
- $markup = '<' . $element['#tag'] . $attributes . '>';
- if (isset($element['#value_prefix'])) {
- $markup .= $element['#value_prefix'];
- }
- $markup .= $element['#value'];
- if (isset($element['#value_suffix'])) {
- $markup .= $element['#value_suffix'];
- }
- $markup .= '\n";
- // @todo We cannot actually guarantee this markup is safe. Consider a fix
- // in: https://www.drupal.org/node/2296101
- $markup = SafeMarkup::set($markup);
+ $value_prefix = (isset($element['#value_prefix'])) ? $element['#value_prefix'] : '';
+ $value_suffix = (isset($element['#value_suffix'])) ? $element['#value_suffix'] : '';
+ $markup = SafeMarkup::format("<@tag@attributes>@value_prefix@value@value_suffix\n", [
+ '@tag' => $element['#tag'],
+ '@attributes' => $attributes,
+ '@value_prefix' => SafeMarkup::checkAdminXss($value_prefix),
+ '@value' => SafeMarkup::checkAdminXss($element['#value']),
+ '@value_suffix' => SafeMarkup::checkAdminXss($value_suffix),
+ ]);
 }
 if (!empty($element['#noscript'])) {
 $element['#markup'] = SafeMarkup::format('', ['@markup' => $markup]);