diff -u b/core/lib/Drupal/Component/Utility/String.php b/core/lib/Drupal/Component/Utility/String.php
--- b/core/lib/Drupal/Component/Utility/String.php
+++ b/core/lib/Drupal/Component/Utility/String.php
@@ -74,19 +74,14 @@
 * any key in $args are replaced with the corresponding value, after
 * optional sanitization and formatting. The type of sanitization and
 * formatting depends on the first character of the key:
- * - @variable: Escaped to HTML using String::checkPlain(). Use this as the
- * default choice for anything displayed on a page on the site.
- * - %variable: Escaped to HTML and formatted using String::placeholder(),
- * which makes the following HTML code:
+ * - @variable: Autoescaped to HTML using SafeMarkup::escape(). Use this as
+ * the default choice for anything displayed on a page on the site.
+ * - %variable: Escaped to HTML using String::checkPlain() and formatted
+ * using String::placeholder(), which makes the following HTML code:
 * @code
 * text output here.
 * @endcode
- * - !variable: Inserted as is, if the text has already been prepared for
- * HTML display (for example, user-supplied text that has already been
- * run through String::checkPlain() previously, or is expected to contain
- * some limited HTML tags and has already been run through
- * \Drupal\Component\Utility\Xss::filter() previously). Otherwise, it is
- * escaped to HTML using String::checkPlain(), just like @variable.
+ * - !variable: Identical to @variable. Deprecated.
 *
 * @return mixed
 * The formatted string, or FALSE if no args specified.
@@ -100,8 +95,9 @@
 foreach ($args as $key => $value) {
 switch ($key[0]) {
 case '@':
+ case '!':
 // Escaped only.
- $args[$key] = static::checkPlain($value);
+ $args[$key] = SafeMarkup::escape($value);
 break;
 
 case '%':
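Review bot: The retained `// Escaped only.` comment above the new `$args[$key] = SafeMarkup::escape($value);` line in the second hunk no longer describes the `@` branch, because the deleted `!` case in the last hunk documents that same call as "Escaped only if not previously escaped". The practical change is that `@variable`, which the docblock still presents as the default choice for anything displayed on a page, now inserts unescaped any value that was earlier marked safe in the SafeMarkup registry, whereas `checkPlain()` escaped unconditionally; whether a given value was marked safe is not visible at the call site, so this is a trust decision made elsewhere that the reader of this code cannot see. The docblock line `@variable: Autoescaped to HTML using SafeMarkup::escape()` in the first hunk carries the same ambiguity and should say that strings already marked safe are inserted as-is. Suggest replacing the comment with `// Escaped unless the value was previously marked safe via SafeMarkup; use checkPlain() where unconditional escaping is required.`, and adding a unit test that passes an already-marked-safe string through `@` so the intended pass-through is pinned rather than implicit. The enclosing method starts and ends outside these hunks.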
@@ -109,10 +105,6 @@
 // Escaped and placeholder.
 $args[$key] = static::placeholder($value);
 break;
-
- case '!':
- // Escaped only if not previously escaped.
- $args[$key] = SafeMarkup::escape($value);
 }
 }
 return SafeMarkup::set(strtr($string, $args));