diff -u b/core/includes/theme.inc b/core/includes/theme.inc
--- b/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -1066,7 +1066,6 @@
}
}
-
/**
* Prepares variables for inline list templates.
*
@@ -1075,15 +1074,17 @@
* @param array $variables
* An associative array containing:
* - items: An array of items to be displayed in the list.
+ * - separator: A string to separate list items.
+ * - empty: A message to display when there are no items.
*
* @see https://www.drupal.org/node/1842756
*/
function template_preprocess_inline_list(&$variables) {
- // Since the separator may be user-specified, it must be sanitized.
+ // Since the separator may be user-specified, it must be filtered to permit
+ // some HTML (such as
) to pass through.
$variables['separator'] = SafeString::create(Xss::filterAdmin($variables['separator']));
}
-
/**
* Returns HTML for an indentation div; used for drag and drop tables.
*
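Review bot: The rewritten comment in template_preprocess_inline_list() still calls the separator user-specified, but the unchanged line below filters it with `Xss::filterAdmin()`, whose allowlist is intended for administrator-trusted markup and admits far more than a line break. Because the result is wrapped in `SafeString::create()`, the template will not escape it again, so this filter is the only barrier between the separator and the rendered page. If the value can come from a less trusted role, an explicit tag list is tighter, for example `$variables['separator'] = SafeString::create(Xss::filter($variables['separator'], array('br', 'span', 'em', 'strong')));`; otherwise the comment should name who supplies the separator so the choice of filter is justified. The docblock now also lists `empty`, which the visible body never touches, and `$variables['separator']` is read without a fallback, so it is worth confirming that the theme hook definition always provides a default.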
diff -u b/core/modules/system/src/Tests/Theme/FunctionsTest.php b/core/modules/system/src/Tests/Theme/FunctionsTest.php
--- b/core/modules/system/src/Tests/Theme/FunctionsTest.php
+++ b/core/modules/system/src/Tests/Theme/FunctionsTest.php
@@ -185,8 +185,8 @@
// Verify that empty text is not displayed when there are list items.
$variables = array();
$variables['empty'] = 'No items found.';
- $variables['items'] = array('Un', 'Deux', 'Trois');
- $expected = 'Un, Deux, Trois';
+ $variables['items'] = array('Rabbit', 'rabbit', 'rabbit');
+ $expected = 'Rabbit, rabbit, rabbit';
$this->assertThemeOutput('inline_list', $variables, $expected, '%callback does not print empty text when there are list items.');
// Verify that a non-default separator is rendered
@@ -198,9 +198,9 @@
// Verify that HTML separators are properly rendered
$variables = array();
- $variables['items'] = array('Un', 'Deux', 'Trois');
+ $variables['items'] = array('Doe', 'Buck', 'Kit');
$variables['separator'] = '
';
- $expected = 'Un
Deux
Trois';
+ $expected = 'Doe
Buck
Kit';
$this->assertThemeOutput('inline_list', $variables, $expected, '%callback allows HTML in user-provided separators.');
// Verify that the separator is sanitized