interdiff impossible; taking evasive action reverted: --- b/core/includes/common.inc +++ a/core/includes/common.inc @@ -20,7 +20,6 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Tags; use Drupal\Component\Utility\UrlHelper; -use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Render\RenderStackFrame; @@ -2766,22 +2765,6 @@ $elements += element_info($elements['#type']); } - // Filtering keys which are expected to contain HTML. - $markup_keys = array( - '#description', - '#field_prefix', - '#field_suffix', - '#prefix', - '#suffix', - ); - foreach ($markup_keys as $key) { - // If it's not scalar it can deal with itself through __toString() - // or drupal_render(). - if (!empty($elements[$key]) && is_scalar($elements[$key]) && !SafeMarkup::isSafe($elements[$key])) { - $elements[$key] = Xss::filterAdmin($elements[$key]); - } - } - // Make any final changes to the element before it is rendered. This means // that the $element or the children can be altered or corrected before the // element is rendered into the final text. @@ -2913,7 +2896,6 @@ // #cache is disabled, #cache is enabled, there is a cache hit or miss. $prefix = isset($elements['#prefix']) ? $elements['#prefix'] : ''; $suffix = isset($elements['#suffix']) ? $elements['#suffix'] : ''; - $elements['#markup'] = $prefix . $elements['#children'] . $suffix; // We've rendered this element (and its subtree!), now update the stack. unchanged: --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -20,6 +20,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\Tags; use Drupal\Component\Utility\UrlHelper; +use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Language\LanguageInterface; use Drupal\Core\Render\RenderStackFrame; @@ -2777,6 +2778,22 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { } } + // Filtering keys which are expected to contain HTML. + $markup_keys = array( + '#description', + '#field_prefix', + '#field_suffix', + '#prefix', + '#suffix', + ); + foreach ($markup_keys as $key) { + // If it's not scalar it can deal with itself through __toString() + // or drupal_render(). + if (!empty($elements[$key]) && is_scalar($elements[$key]) && !SafeMarkup::isSafe($elements[$key])) { + $elements[$key] = SafeMarkup::set(Xss::filterAdmin($elements[$key])); + } + } + // Defaults for bubbleable rendering metadata. $elements['#cache']['tags'] = isset($elements['#cache']['tags']) ? $elements['#cache']['tags'] : array(); $elements['#attached'] = isset($elements['#attached']) ? $elements['#attached'] : array(); @@ -2896,6 +2913,7 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { // #cache is disabled, #cache is enabled, there is a cache hit or miss. $prefix = isset($elements['#prefix']) ? $elements['#prefix'] : ''; $suffix = isset($elements['#suffix']) ? $elements['#suffix'] : ''; + $elements['#markup'] = $prefix . $elements['#children'] . $suffix; // We've rendered this element (and its subtree!), now update the stack. diff -u b/core/modules/system/src/Tests/Common/RenderTest.php b/core/modules/system/src/Tests/Common/RenderTest.php --- b/core/modules/system/src/Tests/Common/RenderTest.php +++ b/core/modules/system/src/Tests/Common/RenderTest.php @@ -9,7 +9,6 @@ use Drupal\Component\Serialization\Json; use Drupal\Component\Utility\Html; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Render\Element; use Drupal\simpletest\DrupalUnitTestBase; @@ -783,10 +782,10 @@ ), ), '#markup' => $placeholder, - '#prefix' => SafeMarkup::set(''), - '#suffix' => SafeMarkup::set(''), + '#prefix' => '

',
+      '#suffix' => '

', ); - $expected_output = '' . $context['bar'] . ''; + $expected_output = '

' . $context['bar'] . '

'; // #cache disabled. $element = $test_element; @@ -827,7 +826,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '

', + '#markup' => '

', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -870,11 +869,11 @@ ], ], '#markup' => $placeholder, - '#prefix' => '', - '#suffix' => '' + '#prefix' => '

',
+        '#suffix' => '

' ], ]; - $expected_output = '' . $context['bar'] . '' . "\n"; + $expected_output = '

' . $context['bar'] . '

' . "\n"; // #cache disabled. $element = $test_element; @@ -918,7 +917,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical for the child element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '

', + '#markup' => '

', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -944,7 +943,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical for the parent element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '

' . "\n", + '#markup' => '

' . "\n", '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -974,7 +973,7 @@ $this->assertIdentical($token, $expected_token, 'The tokens are identical for the child element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '

', + '#markup' => '

', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( only in patch2: unchanged: --- a/core/lib/Drupal/Core/Form/FormBuilder.php +++ b/core/lib/Drupal/Core/Form/FormBuilder.php @@ -10,8 +10,10 @@ use Drupal\Component\Utility\Crypt; use Drupal\Component\Utility\Html; use Drupal\Component\Utility\NestedArray; +use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\String; use Drupal\Component\Utility\UrlHelper; +use Drupal\Component\Utility\Xss; use Drupal\Core\Access\CsrfTokenGenerator; use Drupal\Core\DependencyInjection\ClassResolverInterface; use Drupal\Core\Extension\ModuleHandlerInterface; @@ -679,6 +681,20 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state '#errors' => NULL, ); + // Filtering keys which are expected to contain HTML. + $markup_keys = array( + '#description', + '#field_prefix', + '#field_suffix', + '#prefix', + '#suffix', + ); + foreach ($markup_keys as $key) { + if (!empty($element[$key]) && is_scalar($element[$key]) && SafeMarkup::isSafe($element[$key])) { + $element[$key] = SafeMarkup::set(Xss::filterAdmin($element[$key])); + } + } + // Special handling if we're on the top level form element. if (isset($element['#type']) && $element['#type'] == 'form') { if (!empty($element['#https']) && Settings::get('mixed_mode_sessions', FALSE) &&