template_preprocess_views_view_table() calls SafeMarkup::set(), which is meant for internal use only.
- Remove the call by refactoring the code. (COMPLETED)
If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.
- To test the conversion to a render array: edit the content admin page view, edit one of the fields, and customize the field HTML element (under Style settings).
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123 (COMPLETED)
- Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it. (COMPLETED)
- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented. (NOT APPLICABLE)
Manual testing steps (for double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Visit the content admin page at admin/content
- Compare the output above in HEAD and with the patch applied. Confirm that there is no double-escaping.
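A scripted version of the comparison in the last step, as an added example that is not part of the original issue or of Drupal core: it counts double-escaped entities and escaped tag openers in the rendered HTML and reports only those that occur more often with the patch than in HEAD. The table-cell markup is constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# An entity whose "&" was escaped a second time, e.g. "&amp;amp;" or "&amp;#039;".
DOUBLE_ESCAPED = re.compile(r"&amp;(?:[A-Za-z][A-Za-z0-9]*|#\d+|#[xX][0-9A-Fa-f]+);")
# Markup that was escaped and now renders as visible text, e.g. "&lt;strong&gt;".
ESCAPED_TAG = re.compile(r"&lt;/?[A-Za-z][A-Za-z0-9]*")


def escape_symptoms(html):
    """Count double-escaped entities and escaped tag openers in rendered HTML."""
    found = Counter(m.group(0) for m in DOUBLE_ESCAPED.finditer(html))
    found.update(m.group(0) for m in ESCAPED_TAG.finditer(html))
    return found


def regressions(head_html, patched_html):
    """Symptoms that occur more often in the patched output than in HEAD.

    Subtracting the HEAD counts keeps content that legitimately contains
    entity text (a title that really reads "&lt;b&gt;") from being reported.
    """
    return escape_symptoms(patched_html) - escape_symptoms(head_html)


# Constructed sample cells: a title field wrapped in a custom <strong> element.
HEAD_CELL = (
    '<td class="views-field views-field-title">'
    '<strong><a href="/node/1">Tom &amp; Jerry</a></strong></td>'
)
# Constructed example of what a double-escaping regression would look like.
BROKEN_CELL = (
    '<td class="views-field views-field-title">'
    '&lt;strong&gt;&lt;a href=&quot;/node/1&quot;&gt;'
    'Tom &amp;amp; Jerry&lt;/a&gt;&lt;/strong&gt;</td>'
)
# Constructed cell whose title is literally the text "&lt;b&gt;", escaped once.
LITERAL_ENTITY_CELL = "<td>&amp;lt;b&amp;gt;</td>"

if __name__ == "__main__":
    for symptom, count in sorted(regressions(HEAD_CELL, BROKEN_CELL).items()):
        print(f"{count} x {symptom}")
```

Feed it the saved page source of admin/content from HEAD and from the patched site; an empty result means the patch introduced no new escaping symptoms.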
User interface changes
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 106,933 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 106,884 pass(es).