diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php
index 6257f98..7da361f 100644
--- a/core/lib/Drupal/Component/Utility/SafeMarkup.php
+++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php
@@ -285,12 +285,12 @@ public static function placeholder($text) {
 /**
 * Replace all occurrences of the search string with the replacement string.
 *
- * Functions identically to str_replace, but marks the returned output as safe
- * if all the inputs and the subject have also been marked as safe.
+ * Functions identically to str_replace(), but marks the returned output as
+ * safe if all the inputs and the subject have also been marked as safe.
 *
 * @param string|array $search
- * The value being searched for, an array may be used to designate multiple
- * values.
+ * The value being searched for. An array may be used to designate multiple
+ * values to search for.
 * @param string|array $replace
 * The replacement value that replaces found search values. An array may be
 * used to designate multiple replacements.
@@ -309,6 +309,8 @@ public static function replace($search, $replace, $subject) {
 }
 }
 else {
+ // If any replacement is unsafe, then the output is also unsafe, so just
+ // return the output.
 foreach ($replace as $replacement) {
 if (!SafeMarkup::isSafe($replacement)) {
 return $output;
@@ -319,11 +321,11 @@ public static function replace($search, $replace, $subject) {
 // If we have reached this point, then all replacements were safe, and
 // therefore if the subject was also safe, then the entire output is also
 // safe, and should be marked as such.
- if (SafeMarkup::isSafe($subject)) {
- return SafeMarkup::set($output);
+ if (!SafeMarkup::isSafe($subject)) {
+ return $output;
 }
 else {
- return $output;
+ return SafeMarkup::set($output);
 }
 }
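Review bot: In the last SafeMarkup.php hunk (`@@ -319,11 +321,11 @@`), the `else` after the new guard `if (!SafeMarkup::isSafe($subject)) { return $output; }` is redundant, because the guard already returns. Dropping it leaves `return SafeMarkup::set($output);` as the single, unindented exit that marks output safe, which matches the early-return guard in the `foreach` over `$replace` and makes the one trust-granting line easier to audit. The comment above the guard still describes the positive case ("if the subject was also safe"), so a short `// An unsafe subject makes the output unsafe.` on the guard would keep comment and condition aligned. The body of replace() starts outside this hunk.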
diff --git a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php
index e148a1b..a0c2739 100644
--- a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php
+++ b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php
@@ -48,10 +48,9 @@ public function getInfo() {
 * @see _contextual_links_to_id()
 */
 public static function preRenderPlaceholder(array $element) {
- // Because the only arguments to this markup will be instance of
+ // This markup is safe because the arguments will always be instances of
 // \Drupal\Core\Template\AttributeString, which is passed through
- // \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output
- // this markup is safe, and is marked as such.
+ // \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output.
 $element['#markup'] = SafeMarkup::set(' $element['#id'])) . '>');
 return $element;
 }
diff --git a/core/modules/filter/src/Element/ProcessedText.php b/core/modules/filter/src/Element/ProcessedText.php
index 4851a22..51c8b83 100644
--- a/core/modules/filter/src/Element/ProcessedText.php
+++ b/core/modules/filter/src/Element/ProcessedText.php
@@ -119,8 +119,8 @@ public static function preRenderText($element) {
 }
 }
- // Filtering and sanitizing has been done in
- // \Drupal\filter\Plugin\FilterInterface. Store its content in #markup,
+ // Filtering and sanitizing have been done in
+ // \Drupal\filter\Plugin\FilterInterface. Store the content in #markup,
 // set the updated bubbleable rendering metadata, and set the text format's
 // cache tag.
 $element['#markup'] = SafeMarkup::set($text);
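Review bot: In the ProcessedText.php hunk, the reworded comment still states as fact that sanitizing has been done, yet the line it justifies, `$element['#markup'] = SafeMarkup::set($text);`, marks `$text` safe whichever filters actually ran. Whether any filter in the selected text format escapes or strips HTML is not visible here, so the safety presumably rests on the format's configuration rather than on FilterInterface itself. I would make that explicit, for example `// The text has been processed by the filters of the selected text format and is trusted as safe markup on that basis.` The body of preRenderText() starts and continues outside this hunk.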