diff --git a/core/includes/common.inc b/core/includes/common.inc index 18ed1d5..9680e7d 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -19,6 +19,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Tags; use Drupal\Component\Utility\UrlHelper; +use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Site\Settings; @@ -3099,6 +3100,18 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { $elements['#markup'] = SafeMarkup::set($elements['#markup']); } + // Filtering keys which are expected to contain HTML. + $markup_keys = array( + '#description', + '#field_prefix', + '#field_suffix', + '#prefix', + '#suffix', + ); + foreach ($markup_keys as $key) { + $elements[$key] = isset($elements[$key]) ? Xss::filterAdmin($elements[$key]) : NULL; + } + // Assume that if #theme is set it represents an implemented hook. $theme_is_implemented = isset($elements['#theme']); @@ -3187,6 +3200,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { // #cache is disabled, #cache is enabled, there is a cache hit or miss. $prefix = isset($elements['#prefix']) ? $elements['#prefix'] : ''; $suffix = isset($elements['#suffix']) ? $elements['#suffix'] : ''; + $elements['#markup'] = $prefix . $elements['#children'] . $suffix; // Collect all #post_render_cache callbacks associated with this element when: diff --git a/core/modules/field_ui/src/Tests/FieldUiTestBase.php b/core/modules/field_ui/src/Tests/FieldUiTestBase.php index 6157893..421500c 100644 --- a/core/modules/field_ui/src/Tests/FieldUiTestBase.php +++ b/core/modules/field_ui/src/Tests/FieldUiTestBase.php 
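Review bot: The `foreach ($markup_keys ...)` loop writes `NULL` into every render array for each of the five keys that is absent, so every element leaves drupal_render() carrying `#description`, `#field_prefix`, `#field_suffix`, `#prefix` and `#suffix` keys it never had; `isset()` callers are unaffected, but `array_key_exists()`-based logic, serialisation and equality checks on render arrays will see the extra keys. Only touch the key when it is present: `if (isset($elements[$key])) { $elements[$key] = Xss::filterAdmin($elements[$key]); }`. Xss::filterAdmin() is an admin-level allowlist filter, so this guards against stray markup in these keys but is not a substitute for escaping untrusted values before they are placed there; a non-string value (a nested render array or object, if any caller passes one) would be coerced to a string by the filter — confirm callers only pass strings, or skip non-strings. drupal_render() begins and ends outside this hunk.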
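Review bot: The added `$elements['#markup'] = $prefix . $elements['#children'] . $suffix;` overwrites `#markup` with a freshly built string that, unlike the `SafeMarkup::set($elements['#markup'])` assignment earlier in the function, is not registered as safe, so unless a later line outside this hunk marks it the wrapped output may be treated as unsafe (and escaped again) by whatever consumes `#markup` next. `$elements['#children']` is also read here without an `isset()` guard, whereas `#prefix`/`#suffix` two lines up are guarded; if `#children` can be unset at this point the concatenation raises a notice. If the intent is that the cached/returned markup is the already-rendered, already-filtered output, `$elements['#markup'] = SafeMarkup::set($prefix . $elements['#children'] . $suffix);` states that explicitly; otherwise a comment explaining why no marking is needed would help. drupal_render() continues outside this hunk.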
@@ -78,6 +78,7 @@ function fieldUIAddNewField($bundle_path, $initial_edit, $field_edit = array(), // Second step : 'Field settings' form. $this->drupalPostForm(NULL, $field_edit, t('Save field settings')); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); $this->assertRaw(t('Updated field %label field settings.', array('%label' => $label)), 'Redirected to instance and widget settings page.'); // Third step : 'Instance settings' form. @@ -105,6 +106,7 @@ function fieldUIAddExistingField($bundle_path, $initial_edit, $instance_edit = a // First step : 'Re-use existing field' on the 'Manage fields' page. $this->drupalPostForm("$bundle_path/fields", $initial_edit, t('Save')); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); // Second step : 'Instance settings' form. $this->drupalPostForm(NULL, $instance_edit, t('Save settings')); diff --git a/core/modules/field_ui/src/Tests/ManageFieldsTest.php b/core/modules/field_ui/src/Tests/ManageFieldsTest.php index c137308..201f5f6 100644 --- a/core/modules/field_ui/src/Tests/ManageFieldsTest.php +++ b/core/modules/field_ui/src/Tests/ManageFieldsTest.php @@ -141,6 +141,7 @@ function updateField() { // Go to the field instance edit page. $this->drupalGet('admin/structure/types/manage/' . $this->type . '/fields/' . $instance_id); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); $edit = array( 'instance[settings][test_instance_setting]' => $string, ); @@ -221,6 +222,7 @@ protected function deleteFieldInstance() { // Delete the field instance. $instance_id = 'node.' . $this->type . '.' . $this->field_name; $this->drupalGet('admin/structure/types/manage/' . $this->type . '/fields/' . $instance_id); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); $this->drupalPostForm(NULL, array(), t('Delete field')); $this->assertResponse(200); } 
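Review bot: `$this->assertNoRaw('&lt;', ...)` in the shared `fieldUIAddNewField()` helper asserts that no escaped `<` appears anywhere in the response, which fails for any caller whose label, description or page content legitimately contains a `<` that must be escaped (and the same broad check is repeated in `fieldUIAddExistingField()` below), while still not identifying which element was double-escaped. Since the helper is reused by many Field UI tests, prefer an assertion tied to the markup this commit fixes, e.g. `$this->assertNoRaw('&lt;div', 'The field settings description is not double escaped.');` or a check on the specific `#description`/`#prefix` value rendered on that page. The enclosing methods begin and end outside these hunks.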
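Review bot: In `updateField()` the new `assertNoRaw('&lt;', ...)` runs on the GET of the instance edit form, before `$string` is posted as `instance[settings][test_instance_setting]`, so it does not verify that the saved setting is rendered without double escaping once the form is resubmitted; if `$string` (defined outside this hunk) contains markup, a second assertion after the save is what actually exercises the common.inc change. The bare `'&lt;'` needle is also broader than the fix: any correctly escaped `<` on the page fails it, so consider narrowing it to the escaped tag sequence the bug produced, e.g. `$this->assertNoRaw('&lt;div');`. updateField() continues outside this hunk.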
@@ -564,6 +566,9 @@ function testHelpDescriptions() { entity_get_form_display('node', 'article', 'default')->setComponent('field_image')->save(); + $this->drupalGet('admin/structure/types/manage/article/fields/node.article.field_image'); + $this->assertNoRaw('<div', 'Image fields do not have double escaped HTML tags.'); + $edit = array( 'instance[description]' => 'Test with an upload field.', ); diff --git a/core/modules/options/src/Tests/OptionsFieldUITest.php b/core/modules/options/src/Tests/OptionsFieldUITest.php index ebbba4b..70bf9d4 100644 --- a/core/modules/options/src/Tests/OptionsFieldUITest.php +++ b/core/modules/options/src/Tests/OptionsFieldUITest.php @@ -278,6 +278,7 @@ protected function createOptionsField($type) { function assertAllowedValuesInput($input_string, $result, $message) { $edit = array('field[settings][allowed_values]' => $input_string); $this->drupalPostForm($this->admin_path, $edit, t('Save field settings')); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); if (is_string($result)) { $this->assertText($result, $message);
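Review bot: `$this->assertNoRaw('<div', 'Image fields do not have double escaped HTML tags.');` asserts that the raw response contains no `<div` at all, which a rendered Field UI form page almost certainly does, so as written this looks like it would fail on every run; the intent, matching the other hunks and the assertion message, appears to be the escaped form `$this->assertNoRaw('&lt;div', 'Image fields do not have double escaped HTML tags.');`. If the page genuinely has no `<div` (which would be surprising for an admin form) the message should say so rather than mention double escaping. testHelpDescriptions() begins and ends outside this hunk.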