interdiff impossible; taking evasive action
reverted:
--- b/core/includes/common.inc
+++ a/core/includes/common.inc
@@ -20,7 +20,6 @@
use Drupal\Component\Utility\String;
use Drupal\Component\Utility\Tags;
use Drupal\Component\Utility\UrlHelper;
-use Drupal\Component\Utility\Xss;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Language\LanguageInterface;
use Drupal\Core\Render\RenderStackFrame;
@@ -2766,22 +2765,6 @@
$elements += element_info($elements['#type']);
}
- // Filtering keys which are expected to contain HTML.
- $markup_keys = array(
- '#description',
- '#field_prefix',
- '#field_suffix',
- '#prefix',
- '#suffix',
- );
- foreach ($markup_keys as $key) {
- // If it's not scalar it can deal with itself through __toString()
- // or drupal_render().
- if (!empty($elements[$key]) && is_scalar($elements[$key]) && !SafeMarkup::isSafe($elements[$key])) {
- $elements[$key] = Xss::filterAdmin($elements[$key]);
- }
- }
-
// Make any final changes to the element before it is rendered. This means
// that the $element or the children can be altered or corrected before the
// element is rendered into the final text.
@@ -2913,7 +2896,6 @@
// #cache is disabled, #cache is enabled, there is a cache hit or miss.
$prefix = isset($elements['#prefix']) ? $elements['#prefix'] : '';
$suffix = isset($elements['#suffix']) ? $elements['#suffix'] : '';
-
$elements['#markup'] = $prefix . $elements['#children'] . $suffix;
// We've rendered this element (and its subtree!), now update the stack.
unchanged:
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -20,6 +20,7 @@
use Drupal\Component\Utility\String;
use Drupal\Component\Utility\Tags;
use Drupal\Component\Utility\UrlHelper;
+use Drupal\Component\Utility\Xss;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Language\LanguageInterface;
use Drupal\Core\Render\RenderStackFrame;
@@ -2777,6 +2778,22 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) {
}
}
+ // Filtering keys which are expected to contain HTML.
+ $markup_keys = array(
+ '#description',
+ '#field_prefix',
+ '#field_suffix',
+ '#prefix',
+ '#suffix',
+ );
+ foreach ($markup_keys as $key) {
+ // If it's not scalar it can deal with itself through __toString()
+ // or drupal_render().
+ if (!empty($elements[$key]) && is_scalar($elements[$key]) && !SafeMarkup::isSafe($elements[$key])) {
+ $elements[$key] = SafeMarkup::set(Xss::filterAdmin($elements[$key]));
+ }
+ }
+
// Defaults for bubbleable rendering metadata.
$elements['#cache']['tags'] = isset($elements['#cache']['tags']) ? $elements['#cache']['tags'] : array();
$elements['#attached'] = isset($elements['#attached']) ? $elements['#attached'] : array();
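Review bot: The comment above `$markup_keys` says only that these keys are expected to contain HTML and leaves out that the filtered value is then marked safe, which is what a maintainer needs to know. `Xss::filterAdmin()` is the permissive filter meant for administrator-entered markup, and once `SafeMarkup::set()` wraps its output, later render passes will presumably neither filter nor escape the string again. Code that places user-supplied text in `#prefix` or `#description` therefore still has to escape it before assigning. I would extend the comment to `// Unsafe scalar values are passed through the admin XSS filter and then marked safe; escape user-supplied text before assigning it to these keys.` The `use` hunk for this file adds only `Xss`, so confirm `SafeMarkup` is already imported above the visible context; drupal_render() itself starts and ends outside the hunk.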
@@ -2896,6 +2913,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) {
// #cache is disabled, #cache is enabled, there is a cache hit or miss.
$prefix = isset($elements['#prefix']) ? $elements['#prefix'] : '';
$suffix = isset($elements['#suffix']) ? $elements['#suffix'] : '';
+
$elements['#markup'] = $prefix . $elements['#children'] . $suffix;
// We've rendered this element (and its subtree!), now update the stack.
diff -u b/core/modules/system/src/Tests/Common/RenderTest.php b/core/modules/system/src/Tests/Common/RenderTest.php
--- b/core/modules/system/src/Tests/Common/RenderTest.php
+++ b/core/modules/system/src/Tests/Common/RenderTest.php
@@ -9,7 +9,6 @@
use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Render\Element;
use Drupal\simpletest\DrupalUnitTestBase;
@@ -783,10 +782,10 @@
),
),
'#markup' => $placeholder,
- '#prefix' => SafeMarkup::set('
', + '#suffix' => '', ); - $expected_output = '
'; // #cache disabled. $element = $test_element; @@ -827,7 +826,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '' . $context['bar'] . '
', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -870,11 +869,11 @@ ], ], '#markup' => $placeholder, - '#prefix' => '
', + '#suffix' => '' ], ]; - $expected_output = '
' . "\n"; // #cache disabled. $element = $test_element; @@ -918,7 +917,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical for the child element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '' . $context['bar'] . '
', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -944,7 +943,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical for the parent element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '
' . "\n", '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -974,7 +973,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical for the child element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '
', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array(
only in patch2:
unchanged:
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -10,8 +10,10 @@
 use Drupal\Component\Utility\Crypt;
 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\NestedArray;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Component\Utility\String;
 use Drupal\Component\Utility\UrlHelper;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Access\CsrfTokenGenerator;
 use Drupal\Core\DependencyInjection\ClassResolverInterface;
 use Drupal\Core\Extension\ModuleHandlerInterface;
@@ -679,6 +681,20 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state
 '#errors' => NULL,
 );
+ // Filtering keys which are expected to contain HTML.
+ $markup_keys = array(
+ '#description',
+ '#field_prefix',
+ '#field_suffix',
+ '#prefix',
+ '#suffix',
+ );
+ foreach ($markup_keys as $key) {
+ if (!empty($element[$key]) && is_scalar($element[$key]) && SafeMarkup::isSafe($element[$key])) {
+ $element[$key] = SafeMarkup::set(Xss::filterAdmin($element[$key]));
+ }
+ }
+
 // Special handling if we're on the top level form element.
 if (isset($element['#type']) && $element['#type'] == 'form') {
 if (!empty($element['#https']) && Settings::get('mixed_mode_sessions', FALSE) &&
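Review bot: The guard in the `foreach` over `$markup_keys` in doBuildForm() tests `SafeMarkup::isSafe($element[$key])` without negation, so it re-filters only values that are already marked safe and leaves every unmarked string untouched. That is the opposite of the drupal_render() hunk in common.inc, which uses `!SafeMarkup::isSafe(...)`. The line should read `if (!empty($element[$key]) && is_scalar($element[$key]) && !SafeMarkup::isSafe($element[$key])) {`. The key list is also copied verbatim from drupal_render(), so a shared helper or constant would keep the two from drifting apart. doBuildForm() starts and ends outside the hunk.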