diff --git a/core/includes/theme.inc b/core/includes/theme.inc
index 723ae63..70ac796 100644
--- a/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -382,6 +382,19 @@ function _theme($hook, $variables = array()) {
       drupal_render($preprocess_attached, TRUE);
     }
   }
+  // Check the elements for insecure HTML and pass through sanitization.
+  if (isset($variables['element'])) {
+    $markup_keys = array(
+      '#description',
+      '#field_prefix',
+      '#field_suffix',
+    );
+    foreach ($markup_keys as $key) {
+      if (!empty($variables['element'][$key]) && is_scalar($variables['element'][$key])) {
+        $variables['element'][$key] = SafeMarkup::checkAdminXss($variables['element'][$key]);
+      }
+    }
+  }
   // Generate the output using either a function or a template.
   $output = '';
diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
index 6e13cb2..da6d8ad 100644
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -865,33 +865,6 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state
       $form_state->setValue($triggering_element['#name'], $triggering_element['#value']);
     }
   }
-    // Make sure each form element is checked for safe markup and
-    // they are properly escaped.
-    $element = $this->formSafeCheck($element);
-    return $element;
-  }
-
-  /**
-   * Method to ensure every form element pass the safe check.
-   *
-   * @param array $element
-   *   - The form element.
-   *
-   * @return array
-   *   - The form element marked as safe.
-   */
-  protected function formSafeCheck(array $element) {
-    // Filtering keys which are expected to contain HTML.
-    $markup_keys = array(
-      '#description',
-      '#field_prefix',
-      '#field_suffix',
-    );
-    foreach ($markup_keys as $key) {
-      if (!empty($element[$key]) && is_scalar($element[$key])) {
-        $element[$key] = SafeMarkup::checkAdminXss($element[$key]);
-      }
-    }
     return $element;
   }
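Review bot: Moving the check from FormBuilder::doBuildForm() into _theme() changes when it happens: the removed formSafeCheck() filtered `#description`, `#field_prefix` and `#field_suffix` on the built form array, whereas the new block in theme.inc filters them only on the `$variables` copy handed to the theme hook, so code that reads those keys from the form array without rendering it through _theme() now sees the unfiltered value, and an element that passes through several _theme() calls is presumably filtered on each of them. If that render-time-only contract is intended, the new comment should say so, e.g. `// These keys may carry administrator-supplied HTML; it is filtered here, at render time, rather than when the form is built.`, since the explanatory comment from the removed helper was not carried over. `SafeMarkup` is used by its short name; theme.inc needs the matching `use Drupal\Component\Utility\SafeMarkup;` if it does not already have one (the import block is outside the hunk). _theme() starts before and continues after the hunk.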