twig_engine::twig_render_template calls SafeMarkup::set() which is meant to be for internal use only.
Starting with #56 this issue also addresses where the problem/motivation was:
FieldPluginBase::advancedRender() calls SafeMarkup::set() which is meant to be for internal use only.
- (done) Remove the call by refactoring the code.
- (SafeString::create() has been documented) If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.
- (done) Have ThemeManager return a SafeString object.
- (done) Ensure that SafeString objects are preserved in
Why does this patch touch so much code?
- Views relies on the SafeMarkup::set() calls in twig_render_template() and ThemeManager to convey safeness. Once those are converted to SafeString objects, Views needs to be able to pass the object on up to the render system, because Views interrupts the render pipeline to do its stuff.
- Views also uses the fact that $element is passed by reference to the render system. It extracts #markup from $element to fast render fields. This exposes a bug in HEAD where the render creates a SafeString, hence the changes to doRender. See #57 for where this causes fails.
- (done) Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- (done. changes were made in ThemeTest.php) Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
- (done) If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
User interface changes
- ThemeManager::render() can return a SafeString object
- FieldPluginBase::advancedRender() can return a SafeString object
- FieldPluginBase::renderText() can return a SafeString object
- twig_render_template() can return a SafeString object
FieldPluginBase::renderTrimText() - nothing should be calling this externally
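An added example, not code from the patch or from Drupal: it uses simplified stand-in classes to show why the safe marker has to travel as an object through code that extracts #markup, and what a string cast in the middle of the pipeline does to the output. SafeList, SafeWrapper, output() and render_field() are hypothetical names; SafeList is an assumed model of a value-keyed safe list in the style of SafeMarkup::set().

```php
<?php
// Stand-in for a value-keyed safe list (assumed model, not Drupal's class).
final class SafeList {
  private static $safe = [];
  public static function set($string) { self::$safe[(string) $string] = TRUE; return (string) $string; }
  public static function isSafe($string) { return isset(self::$safe[(string) $string]); }
}

// Stand-in for a wrapper object: the marker is the object's type.
final class SafeWrapper {
  private $string;
  private function __construct($string) { $this->string = $string; }
  public static function create($string) { return new self((string) $string); }
  public function __toString() { return $this->string; }
}

// Output layer: escape everything that is not a SafeWrapper instance.
function output($value) {
  return $value instanceof SafeWrapper
    ? (string) $value
    : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical field renderer: escapes the raw value once, then wraps it.
function render_field($raw) {
  return SafeWrapper::create('<em>' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</em>');
}

// 1) Value-keyed list: safeness attaches to the text, not to where it came from.
SafeList::set('<b>bold</b>');
$untrusted = '<b>bold</b>';  // constructed input that no renderer produced
echo 'same text from another source counts as safe: ';
var_dump(SafeList::isSafe($untrusted));

// 2) Wrapper kept intact inside a render element: emitted once, unchanged.
$element = ['#markup' => render_field('Tom & Jerry')];
echo output($element['#markup']), "\n";

// 3) A step that extracts #markup and casts it to string drops the marker,
//    so the output layer escapes the already-rendered markup a second time.
$flattened = (string) $element['#markup'];
echo output($flattened), "\n";

// 4) A caller that must build on the value re-wraps it only where the
//    origin is known to be rendered output, and says so at the call site.
$rewrapped = SafeWrapper::create('<div>' . $element['#markup'] . '</div>');
echo output($rewrapped), "\n";
```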
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 102,453 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 101,657 pass(es).
FAILED: [[SimpleTest]]: [PHP 5.5 MySQL] 101,628 pass(es), 18 fail(s), and 0 exception(s).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 101,562 pass(es).