\Drupal\Core\Render\Element\HtmlTag::preRenderHtmlTag() assembles HTML markup based on its input, and the result is subsequently marked as safe. However, there is no guarantee that the rendered markup is actually safe.
This is not a security regression because the same is true in HEAD; HtmlTag::preRenderHtmlTag() will render whatever the caller tells it to, so it's the caller's responsibility to sanitize the input. However, this is one of the only places where we mark as safe markup strings that are not explicitly known to be safe.
- (done) Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- (done) Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
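To make the caller's responsibility concrete, here is an added example (not code from this issue or from Drupal core) contrasting an 'html_tag' element that passes untrusted input straight into '#value' with two sanitized variants. It assumes the Drupal 8 Html and Xss utility classes and the renderer service; the input string is constructed.

```php
<?php
// Added example: HtmlTag::preRenderHtmlTag() concatenates '#value' into the
// tag and marks the whole string safe, so sanitization must happen here,
// in the caller, before the element is rendered.
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Constructed untrusted input, e.g. a request parameter or user profile field.
$untrusted = '<script>alert(1)</script><b>bold</b>';

// Unsafe: the raw string is placed verbatim inside <p>...</p>, and because
// preRenderHtmlTag() marks its output as safe, nothing downstream escapes it.
$unsafe = [
  '#type' => 'html_tag',
  '#tag' => 'p',
  '#value' => $untrusted,
];

// Hardened, option 1: escape everything so the input is displayed as text.
$escaped = [
  '#type' => 'html_tag',
  '#tag' => 'p',
  '#value' => Html::escape($untrusted),
];

// Hardened, option 2: keep a small whitelist of inline tags, strip the rest.
$filtered = [
  '#type' => 'html_tag',
  '#tag' => 'p',
  '#value' => Xss::filter($untrusted, ['b', 'em', 'strong']),
];

// Rendering each array (renderer service assumed, as in Drupal 8.0) gives:
//   $unsafe   -> <p><script>alert(1)</script><b>bold</b></p>
//   $escaped  -> <p>&lt;script&gt;alert(1)&lt;/script&gt;&lt;b&gt;bold&lt;/b&gt;</p>
//   $filtered -> <p>alert(1)<b>bold</b></p>
$renderer = \Drupal::service('renderer');
$markup = $renderer->renderPlain($filtered);
```

When auditing a SafeMarkup::set() call site, the question to answer is which of these three shapes every caller of the element actually uses.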
Manual testing steps
Do these steps both with HEAD and with the patch applied:
- Install Drupal 8.
- Log into Drupal.
- Review the HTML of the
- Compare the output above in HEAD and with the patch applied. Confirm that the HTML is identical.
User interface changes
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 101,664 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 101,644 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 101,588 pass(es).