--- render-xss-2273925.197.patch 2015-05-15 23:49:57.000000000 -0700 +++ render-xss-2273925.206.patch 2015-05-17 12:46:54.894298568 -0700 @@ -1,20 +1,20 @@ diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php -index 172a323..6257f98 100644 +index 172a323..d32ac6d 100644 --- a/core/lib/Drupal/Component/Utility/SafeMarkup.php +++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php -@@ -282,4 +282,49 @@ public static function placeholder($text) { +@@ -282,4 +282,51 @@ public static function placeholder($text) { return $string; } + /** + * Replace all occurrences of the search string with the replacement string. + * -+ * Functions identically to str_replace, but marks the returned output as safe ++ * Functions identically to str_replace(), but marks the returned output as safe + * if all the inputs and the subject have also been marked as safe. + * + * @param string|array $search -+ * The value being searched for, an array may be used to designate multiple -+ * values. ++ * The value being searched for. An array may be used to designate multiple ++ * values to search for. + * @param string|array $replace + * The replacement value that replaces found search values. An array may be + * used to designate multiple replacements. @@ -33,6 +33,8 @@ + } + } + else { ++ // If any replacement is unsafe, then the output is also unsafe, so just ++ // return the output. + foreach ($replace as $replacement) { + if (!SafeMarkup::isSafe($replacement)) { + return $output; @@ -43,11 +45,11 @@ + // If we have reached this point, then all replacements were safe, and + // therefore if the subject was also safe, then the entire output is also + // safe, and should be marked as such. -+ if (SafeMarkup::isSafe($subject)) { -+ return SafeMarkup::set($output); ++ if (!SafeMarkup::isSafe($subject)) { ++ return $output; + } + else { -+ return $output; ++ return SafeMarkup::set($output); + } + } + @@ -93,7 +95,7 @@ } 
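Review bot: The docblock condition `if all the inputs and the subject have also been marked as safe` overstates what the code in the later hunks checks: only the `$replace` values and `$subject` are passed through SafeMarkup::isSafe(); `$search` never is, which is correct since matched search text does not survive into the output. Reword the summary to `* if the subject and every replacement value have also been marked as safe.` so a reader does not assume search strings are validated. It is also worth one sentence stating that the result is "safe" only in the sense that every piece was already escaped; SafeMarkup::set() here does not re-check that a replacement lands in a position of the subject where it stays safe (for example inside an attribute value), so callers must still choose their search positions with that in mind. The replace() signature and the non-array branch fall outside the hunks shown.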
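Review bot: In the `@@ -43,11 +45,11 @@` hunk the inverted check still keeps an `else` after an unconditional `return`, which the rewrite makes unnecessary; end the branch with a bare `return SafeMarkup::set($output);` after the `if (!SafeMarkup::isSafe($subject)) { return $output; }` guard. That also reads as the comment above it describes: the guard handles the unsafe case, and the fall-through is the "all replacements were safe" path. The enclosing method body starts outside this hunk, so I cannot see whether the non-array branch already uses that guard style.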
diff --git a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php -index d10078b..e148a1b 100644 +index d10078b..5c54ab9 100644 --- a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php +++ b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php @@ -9,6 +9,7 @@ @@ -104,21 +106,20 @@ /** * Provides a contextual_links_placeholder element. -@@ -47,7 +48,11 @@ public function getInfo() { +@@ -47,7 +48,10 @@ public function getInfo() { * @see _contextual_links_to_id() */ public static function preRenderPlaceholder(array $element) { - $element['#markup'] = ' $element['#id'])) . '>'; -+ // Because the only arguments to this markup will be instance of ++ // This markup is safe because the only arguments will be instances of + // \Drupal\Core\Template\AttributeString, which is passed through + // \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output -+ // this markup is safe, and is marked as such. + $element['#markup'] = SafeMarkup::set(' $element['#id'])) . '>'); return $element; } diff --git a/core/modules/filter/src/Element/ProcessedText.php b/core/modules/filter/src/Element/ProcessedText.php -index d007b5f..4851a22 100644 +index d007b5f..51c8b83 100644 --- a/core/modules/filter/src/Element/ProcessedText.php +++ b/core/modules/filter/src/Element/ProcessedText.php @@ -8,6 +8,7 @@ @@ -136,8 +137,8 @@ - // Filtering done, store in #markup, set the updated bubbleable rendering - // metadata, and set the text format's cache tag. - $element['#markup'] = $text; -+ // Filtering and sanitizing has been done in -+ // \Drupal\filter\Plugin\FilterInterface. Store its content in #markup, ++ // Filtering and sanitizing have been done in ++ // \Drupal\filter\Plugin\FilterInterface. Store the content in #markup, + // set the updated bubbleable rendering metadata, and set the text format's + // cache tag. + $element['#markup'] = SafeMarkup::set($text);
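Review bot: The rewritten justification comment in preRenderPlaceholder() now ends as a fragment (no terminating period after `before being output`) and has a number-agreement slip: `instances of \Drupal\Core\Template\AttributeString, which is passed` should read `which are passed`, and the last line should end `// \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output.`. Since this comment is the only stated reason for wrapping the markup in SafeMarkup::set(), it should read as a complete, precise claim. The markup expression itself appears garbled in this copy of the interdiff, so I cannot confirm from here that `$element['#id']` is the only value interpolated into it.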
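Review bot: The new comment in ProcessedText attributes the sanitizing to `\Drupal\filter\Plugin\FilterInterface`, but an interface performs no filtering; what justifies `SafeMarkup::set($text)` is that the text format's configured filter plugins (implementations of that interface) have each run over `$text`. Name the actual guarantee, e.g. `// Filtering and sanitizing have been done by the text format's filter plugins` / `// (implementations of \Drupal\filter\Plugin\FilterInterface). Store the content in`. Because SafeMarkup::set() asserts trust for the rest of the render pipeline, the comment should also make clear that this safety is only as strong as the filters the format is configured with, not a property of this code. The filter loop and the enclosing function start outside the hunk, so that dependency is inferred rather than visible here.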