diff -u b/core/includes/common.inc b/core/includes/common.inc
--- b/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -2734,22 +2734,6 @@
$elements += element_info($elements['#type']);
}
- // Filtering keys which are expected to contain HTML.
- $markup_keys = array(
- '#description',
- '#field_prefix',
- '#field_suffix',
- '#prefix',
- '#suffix',
- );
- foreach ($markup_keys as $key) {
- // If it's not scalar it can deal with itself through __toString()
- // or drupal_render().
- if (!empty($elements[$key]) && is_scalar($elements[$key])) {
- $elements[$key] = Xss::filterAdmin($elements[$key]);
- }
- }
-
// Make any final changes to the element before it is rendered. This means
// that the $element or the children can be altered or corrected before the
// element is rendered into the final text.
@@ -2782,6 +2766,22 @@
$elements += element_info($elements['#type']);
}
+ // Filtering keys which are expected to contain HTML.
+ $markup_keys = array(
+ '#description',
+ '#field_prefix',
+ '#field_suffix',
+ '#prefix',
+ '#suffix',
+ );
+ foreach ($markup_keys as $key) {
+ // If it's not scalar it can deal with itself through __toString()
+ // or drupal_render().
+ if (!empty($elements[$key]) && is_scalar($elements[$key]) && !SafeMarkup::isSafe($elements[$key])) {
+ $elements[$key] = Xss::filterAdmin($elements[$key]);
+ }
+ }
+
// Make any final changes to the element before it is rendered. This means
// that the $element or the children can be altered or corrected before the
// element is rendered into the final text.
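Review bot: The added `!SafeMarkup::isSafe($elements[$key])` condition in the `$markup_keys` loop makes the safe marking the only gate for `#description`, `#field_prefix`, `#field_suffix`, `#prefix` and `#suffix`, so any string marked safe now reaches output without passing through `Xss::filterAdmin()`. That holds only if every `SafeMarkup::set()` caller marks content that was already escaped or filtered, and the rdf.module hunk in this same patch marks a concatenation that includes a pre-existing `#prefix`. If the marking is tracked by string value rather than per instance (not visible here, confirm against SafeMarkup), an untrusted string that is byte-identical to a marked one would also skip the filter. I would state the contract above the condition, for example `// Strings marked safe bypass filterAdmin(); SafeMarkup::set() callers must sanitize first.` The enclosing function starts and ends outside this hunk.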
@@ -2881,7 +2881,6 @@
// #cache is disabled, #cache is enabled, there is a cache hit or miss.
$prefix = isset($elements['#prefix']) ? $elements['#prefix'] : '';
$suffix = isset($elements['#suffix']) ? $elements['#suffix'] : '';
-
$elements['#markup'] = $prefix . $elements['#children'] . $suffix;
// We've rendered this element (and its subtree!), now update the stack.
@@ -2914,6 +2913,7 @@
// #cache is disabled, #cache is enabled, there is a cache hit or miss.
$prefix = isset($elements['#prefix']) ? $elements['#prefix'] : '';
$suffix = isset($elements['#suffix']) ? $elements['#suffix'] : '';
+
$elements['#markup'] = $prefix . $elements['#children'] . $suffix;
// We've rendered this element (and its subtree!), now update the stack.
only in patch2:
unchanged:
--- a/core/modules/rdf/rdf.module
+++ b/core/modules/rdf/rdf.module
@@ -506,7 +506,7 @@ function rdf_preprocess_comment(&$variables) {
'#theme' => 'rdf_metadata',
'#metadata' => $variables['rdf_metadata_attributes'],
);
- $variables['content']['comment_body']['#prefix'] = drupal_render($rdf_metadata) . $variables['content']['comment_body']['#prefix'];
+ $variables['content']['comment_body']['#prefix'] = SafeMarkup::set(drupal_render($rdf_metadata) . $variables['content']['comment_body']['#prefix']);
}
}
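Review bot: The new `SafeMarkup::set(...)` call marks the whole concatenation as safe, including the existing `$variables['content']['comment_body']['#prefix']`, which this hunk neither filters nor checks. Combined with the `isSafe()` bypass added in common.inc, whatever an earlier preprocess or alter step put in that `#prefix` is no longer passed through `Xss::filterAdmin()` at render time. Only the rendered metadata is known to be trusted here, so the old value should be sanitized before it is joined: `$old = $variables['content']['comment_body']['#prefix'];` followed by `$old = SafeMarkup::isSafe($old) ? $old : Xss::filterAdmin($old);` and then `SafeMarkup::set(drupal_render($rdf_metadata) . $old)`. No `use` lines for `SafeMarkup` or `Xss` are visible for rdf.module, so confirm they are imported. `rdf_preprocess_comment()` begins outside the hunk.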
only in patch2:
unchanged:
--- a/core/modules/system/src/Tests/Common/RenderTest.php
+++ b/core/modules/system/src/Tests/Common/RenderTest.php
@@ -9,6 +9,7 @@
use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\Html;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Render\Element;
use Drupal\simpletest\DrupalUnitTestBase;
@@ -782,14 +783,15 @@ function testDrupalRenderRenderCachePlaceholder() {
),
),
'#markup' => $placeholder,
- '#prefix' => '',
- '#suffix' => ''
+ '#prefix' => SafeMarkup::set(''),
+ '#suffix' => SafeMarkup::set(''),
);
$expected_output = '' . $context['bar'] . '';
// #cache disabled.
$element = $test_element;
$output = drupal_render($element);
+ $this->verbose($output);
$this->assertIdentical($output, $expected_output, 'Placeholder was replaced in output');
$expected_js = [
['type' => 'setting', 'data' => ['common_test' => $context]],
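Review bot: The added `$this->verbose($output);` before `assertIdentical()` looks like leftover debugging and should be dropped before commit. Wrapping `#prefix` and `#suffix` in `SafeMarkup::set()` makes this test exercise only the path that skips filtering, so nothing here pins the other half of the new behaviour. I would add a companion case whose `#prefix` is an unmarked string containing a tag that `Xss::filterAdmin()` strips, and assert the tag is absent from `$output`, so a regression that widens the `isSafe()` bypass is caught. `testDrupalRenderRenderCachePlaceholder()` starts and continues outside the hunk.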