diff -u b/core/includes/errors.inc b/core/includes/errors.inc
--- b/core/includes/errors.inc
+++ b/core/includes/errors.inc
@@ -68,7 +68,7 @@
 '%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error',
 // The standard PHP error handler considers that the error messages
 // are HTML. We mimick this behavior here.
- '@message' => Xss::filterAdmin($message),
+ '@message' => SafeMarkup::xssFilter($message, Xss::getAdminTagList()),
 '%function' => $caller['function'],
 '%file' => $caller['file'],
 '%line' => $caller['line'],
diff -u b/core/modules/system/src/Tests/System/ErrorHandlerTest.php b/core/modules/system/src/Tests/System/ErrorHandlerTest.php
--- b/core/modules/system/src/Tests/System/ErrorHandlerTest.php
+++ b/core/modules/system/src/Tests/System/ErrorHandlerTest.php
@@ -8,6 +8,8 @@
 namespace Drupal\system\Tests\System;
 use Drupal\simpletest\WebTestBase;
+use Drupal\Component\Utility\SafeMarkup;
+use Drupal\Component\Utility\Xss;
 /**
 * Performs tests on the Drupal error and exception handler.
@@ -42,7 +44,7 @@
 );
 $error_user_notice = array(
 '%type' => 'User warning',
- '@message' => 'Drupal is awesome',
+ '@message' => 'Drupal is <awesome>',
 '%function' => 'Drupal\error_test\Controller\ErrorTestController->generateWarnings()',
 '%file' => drupal_get_path('module', 'error_test') . '/error_test.module',
 );
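Review bot: The `'@message'` entry in the errors.inc hunk is filtered with `Xss::getAdminTagList()`, a permissive allowlist meant for administrator-authored markup, while the text of a PHP error or exception can carry request-derived values. As far as I know `SafeMarkup::xssFilter()` also marks its result as safe, so later `@message` substitution will not escape it again; that trust decision is not stated anywhere on the line. I would add a comment above it such as `// Filtered with the admin tag list and marked safe for HTML output only; the message may contain untrusted input, so escape it separately for any non-HTML sink.` and confirm that every consumer of this array renders it as HTML. The enclosing array and function start and end outside the hunk.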
@@ -181,14 +183,16 @@
 */
 function assertErrorMessage(array $error) {
+ $error['@message'] = SafeMarkup::xssFilter($error['@message'], Xss::getAdminTagList());
 $message = t('%type: @message in %function (line ', $error);
- $this->assertRaw($message, format_string('Found error message: @message.', array('@message' => $message)));
+ $this->assertRaw($message, format_string('Found error message: !message.', array('!message' => $message)));
 }
 /**
 * Helper function: assert that the error message is not found.
 */
 function assertNoErrorMessage(array $error) {
+ $error['@message'] = SafeMarkup::xssFilter($error['@message'], Xss::getAdminTagList());
 $message = t('%type: @message in %function (line ', $error);
- $this->assertNoRaw($message, format_string('Did not find error message: @message.', array('@message' => $message)));
+ $this->assertNoRaw($message, format_string('Did not find error message: @message.', array('!message' => $message)));
 }
 }
only in patch2:
unchanged:
--- a/core/modules/system/tests/modules/error_test/src/Controller/ErrorTestController.php
+++ b/core/modules/system/tests/modules/error_test/src/Controller/ErrorTestController.php
@@ -52,7 +52,7 @@ public function generateWarnings($collect_errors = FALSE) {
 // This will generate a warning.
 $awesomely_big = 1/0;
 // This will generate a user error.
- trigger_error("Drupal is awesome", E_USER_WARNING);
+ trigger_error("Drupal is <awesome>", E_USER_WARNING);
 return [];
 }
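Review bot: In `assertNoErrorMessage()` the new `assertNoRaw()` line keeps `@message` in the format string while the argument key was renamed to `!message`, so the placeholder is never substituted and the assertion label prints the literal `@message`. It should mirror the line in `assertErrorMessage()`: `$this->assertNoRaw($message, format_string('Did not find error message: !message.', array('!message' => $message)));`. Separately, both helpers now compute the expected text with the same `SafeMarkup::xssFilter($error['@message'], Xss::getAdminTagList())` call that the handler uses, so the test cannot notice a filter that lets too much markup through. Comparing against a hard-coded expected string for the `<awesome>` case would pin the intended output independently of the filter.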