rdf_preprocess_comment() calls SafeMarkup::set(), which is meant for internal use only: it marks a string as safe, so whatever that string contains is printed by Twig without autoescaping.
The fix is to move the markup that is currently built in PHP into the comment.html.twig template, so that Twig handles the escaping and the SafeMarkup::set() call can be dropped.
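The two patterns side by side, as an added illustration rather than the actual rdf.module code from this issue: example_preprocess_comment_before()/_after(), the author_name and rdf_name_attributes variables and the Twig fragment are all hypothetical names chosen for the example. It shows why a string passed to SafeMarkup::set() is a sink for both XSS and double escaping, and what the refactored preprocess function passes to the template instead.

```php
<?php
// Added illustration, not rdf.module's own code: a hypothetical preprocess
// function in the shape the issue describes (markup built in PHP and marked
// safe) next to the refactored form (structured data passed to the template,
// Twig escapes on output).

use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Template\Attribute;

/**
 * BEFORE: builds HTML in PHP and calls SafeMarkup::set().
 *
 * SafeMarkup::set() registers the whole string as safe, so Twig prints it
 * unescaped. If $variables['author_name'] is the raw value entered by the
 * comment author, this is an XSS sink; if the caller escaped it first and the
 * template later escapes the same string again, the output is double-escaped.
 * Either way the decision is taken in PHP, out of sight of the template.
 */
function example_preprocess_comment_before(array &$variables) {
  $name = $variables['author_name'];
  $html = '<span property="schema:name">' . $name . '</span>';
  $variables['submitted'] = SafeMarkup::set($html);
}

/**
 * AFTER: pass structured data and let the template produce the markup.
 *
 * An Attribute object escapes its values when it is printed, and plain
 * strings are autoescaped by Twig, so nothing has to be marked safe here and
 * the raw author name is never concatenated into HTML in PHP.
 */
function example_preprocess_comment_after(array &$variables) {
  $variables['rdf_name_attributes'] = new Attribute([
    'property' => 'schema:name',
  ]);
  // $variables['author_name'] is left as the raw value; the template
  // escapes it exactly once on output.
}

/*
 * Corresponding fragment of comment.html.twig (hypothetical variable names):
 *
 *   <span{{ rdf_name_attributes }}>{{ author_name }}</span>
 *
 * With Twig debug enabled (twig.config: debug: true in
 * sites/default/services.yml) the rendered comment is wrapped in
 *   <!-- BEGIN OUTPUT from 'core/modules/comment/templates/comment.html.twig' -->
 * which is what the manual test below looks for when checking that the RDF
 * markup now comes from the template.
 */
```

Testing the "after" form with an author name such as `<script>alert(1)</script>` should show the tags entity-encoded once in the page source (`&lt;script&gt;`), not executed and not encoded twice (`&amp;lt;`).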
- ✔ Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- ✔ Manual testing and screenshots
- ✔ Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
Manual testing steps (for XSS and double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Enable RDF and comment modules (already enabled in standard install)
- Add a comment to a node (article)
- Find the RDF markup next to author and submitted
- Make sure the RDF markup is now rendered by comment.html.twig rather than built in PHP; enabling Twig debug (twig.config: debug: true in sites/default/services.yml) wraps each template's output in HTML comments naming the template, which makes this easy to verify in the page source.
- Compare the output above in HEAD and with the patch applied. Confirm that the markup is identical, that no user-supplied value (e.g. the author name) appears unescaped, and that there is no double-escaping (e.g. &amp;lt; where &lt; is expected).
Screenshot before patch:
Screenshot after patch:
User interface changes
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 103,229 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 103,200 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 103,218 pass(es).