commit d335364e506bf09a10b599713979df460335864e
Author: Joel Pittet
Date: Sat Jun 6 14:52:25 2015 -0400

remove safe markup set with format

diff --git a/core/lib/Drupal/Core/Render/Renderer.php b/core/lib/Drupal/Core/Render/Renderer.php
index 9847855..8a6b87a 100644
--- a/core/lib/Drupal/Core/Render/Renderer.php
+++ b/core/lib/Drupal/Core/Render/Renderer.php
@@ -608,14 +608,11 @@ protected function createPlaceholder(array $element) {
 $attributes['callback'] = $placeholder_render_array['#lazy_builder'][0];
 $attributes['arguments'] = UrlHelper::buildQuery($placeholder_render_array['#lazy_builder'][1]);
 $attributes['token'] = hash('sha1', serialize($placeholder_render_array));
- $placeholder_markup = '';
+ $placeholder_markup = SafeMarkup::format('', ['@attributes' => $attributes]);
 // Build the placeholder element to return.
 $placeholder_element = [];
- // A placeholder should not be removed by SafeMarkup::checkAdminXss(), so
- // mark it as safe markup. We have complete control over its generation so
- // know it is safe.
- $placeholder_element['#markup'] = SafeMarkup::set($placeholder_markup);
+ $placeholder_element['#markup'] = $placeholder_markup;
 $placeholder_element['#attached']['placeholders'][$placeholder_markup] = $placeholder_render_array;
 return $placeholder_element;
 }
diff --git a/core/tests/Drupal/Tests/Core/Render/RendererTest.php b/core/tests/Drupal/Tests/Core/Render/RendererTest.php
index 04eb1e6..a2f91ea 100644
--- a/core/tests/Drupal/Tests/Core/Render/RendererTest.php
+++ b/core/tests/Drupal/Tests/Core/Render/RendererTest.php
@@ -84,7 +84,7 @@ public function providerTestRenderBasic() {
 $data[] = [[
 'child' => ['#markup' => "This is test"],
 ], "This is alert('XSS') test"];
- // Ensure non XSS tags are not filtered out.
+ // Ensure non-XSS tags are not filtered out.
 $data[] = [[
 'child' => ['#markup' => "This is test"],
 ], "This is alert('not a giraffe') test"];
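Review bot: The comment explaining why the placeholder is trusted is deleted along with `SafeMarkup::set()`, and the new `$placeholder_markup = SafeMarkup::format(...)` line does not say why `#markup` still survives the admin XSS filter. A replacement above that line would keep the reasoning reviewable, for example `// SafeMarkup::format() escapes the @attributes value and marks the result safe, so the placeholder is not stripped by XSS filtering.` The `@attributes` value is `$attributes`, whose type is set outside this hunk (createPlaceholder starts before it). Since an `@` placeholder escapes a string value, it is worth confirming that `$attributes` is an object that renders to an attribute string rather than a plain array, and that the callback and arguments values end up escaped exactly once. No test in this commit exercises the placeholder path; the only change in RendererTest.php is a comment fix.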