diff --git a/core/includes/batch.inc b/core/includes/batch.inc
index 9a1c7a3..905fb83 100644
--- a/core/includes/batch.inc
+++ b/core/includes/batch.inc
@@ -103,8 +103,11 @@ function _batch_do() {
// Perform actual processing.
list($percentage, $message, $label) = _batch_process();
- // Escape unsafe $message or $label variables before they are sent
- // to JavaScript.
+ // Escape unsafe variables before they are sent to JavaScript. Escaping on
+ // the javascript layer would be more complex, because we would need to
+ // transport the safeness of particular strings, so that safe strings aren't
+ // escaped accidentally, which would be more complex than escaping plain text
+ // strings here.
if (!SafeMarkup::isSafe($message)) {
$message = Html::escape($message);
}
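Review bot: The rewritten comment above the `isSafe()` check no longer mentions `$label`, which the old comment named next to `$message` and which `_batch_process()` returns on the same line; whether `$label` is still escaped cannot be seen here, because `_batch_do()` continues past the hunk. The comment also says the strings are "sent to JavaScript", but the call is `Html::escape()`, so the point worth stating is that the batch progress script presumably inserts these strings into the page as HTML and that HTML escaping is done once here, where PHP knows which strings are already safe; JSON encoding covers the JS context on its own. I would replace the five lines with `// The batch JavaScript inserts these strings as HTML, so escape anything not already marked safe here, where safeness is known, rather than in JS.` and, if `$label` is escaped further down, let the comment cover it too.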
@@ -176,11 +179,14 @@ function _batch_progress_page() {
$url = $batch['url']->toString(TRUE)->getGeneratedUrl();
- // Ensure messages sent to markup are safe.
+ // Escape unsafe variables before they are sent to JavaScript. Escaping on
+ // the javascript layer would be more complex, because we would need to
+ // transport the safeness of particular strings, so that safe strings aren't
+ // escaped accidentally, which would be more complex than escaping plain text
+ // strings here.
if (!SafeMarkup::isSafe($current_set['init_message'])) {
$current_set['init_message'] = Html::escape($current_set['init_message']);
}
-
if (!SafeMarkup::isSafe($current_set['error_message'])) {
$current_set['error_message'] = Html::escape($current_set['error_message']);
}
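Review bot: The escape-unless-safe pattern now appears five times in this file (here for `init_message` and `error_message`, plus `_batch_do()` and `_batch_process()`), each under a byte-identical five-line comment, so any later change to how safeness is decided has to be repeated in every copy. A small file-local helper keeps the rule in one place and turns each call site into a single line. Separately, `init_message` is built in `batch_set()` as a `FormattableString` object, so `isSafe()` is presumably expected to pass it through untouched; whatever serialises it for JavaScript must then handle an object rather than a string, which is outside this hunk and worth confirming.
```php
/**
 * Escapes a batch message for HTML unless it is already marked safe.
 */
function _batch_escape_unsafe($value) {
  return SafeMarkup::isSafe($value) ? $value : Html::escape($value);
}
// … unchanged: _batch_progress_page() up to and including the $url line …
$current_set['init_message'] = _batch_escape_unsafe($current_set['init_message']);
$current_set['error_message'] = _batch_escape_unsafe($current_set['error_message']);
```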
@@ -335,7 +341,11 @@ function _batch_process() {
$progress_message = $old_set['progress_message'];
}
- // Ensure the message safeness or escape for HTML usage.
+ // Escape unsafe variables before they are sent to JavaScript. Escaping on
+ // the javascript layer would be more complex, because we would need to
+ // transport the safeness of particular strings, so that safe strings aren't
+ // escaped accidentally, which would be more complex than escaping plain text
+ // strings here.
if (!SafeMarkup::isSafe($progress_message)) {
$progress_message = Html::escape($progress_message);
}
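Review bot: Whether `$progress_message` reaches JavaScript escaped rests entirely on `SafeMarkup::isSafe()`, and if that still consults the process-wide registry of strings marked safe by value (its implementation is not visible here), a plain string from a batch definition that happens to equal an already-registered safe string would pass through unescaped. Since this patch already moves `init_message` to a `FormattableString` object, the more robust test is the object type, e.g. `if (!($progress_message instanceof <the safe-string interface FormattableString implements>)) {`, keeping `SafeMarkup::isSafe()` only as long as string-based marking is still in use. The five-line comment is also identical to the ones in `_batch_do()` and `_batch_progress_page()`; the reasoning stated once, in a single sentence, would read better than three copies.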
diff --git a/core/includes/form.inc b/core/includes/form.inc
index b895b4e..61e3aa1 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -5,6 +5,7 @@
* Functions for form and batch generation and processing.
*/
+use Drupal\Component\Utility\FormattableString;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\UrlHelper;
@@ -743,7 +744,7 @@ function batch_set($batch_definition) {
// Tweak init_message to avoid the bottom of the page flickering down after
// init phase.
- $batch_set['init_message'] = SafeMarkup::format('@message
', ['@message' => $batch_set['init_message']]);;
+ $batch_set['init_message'] = new FormattableString('@message
', ['@message' => $batch_set['init_message']]);;
// The non-concurrent workflow of batch execution allows us to save
// numberOfItems() queries by handling our own counter.