_batch_test_finished_helper() calls SafeMarkup::set(), which is meant for internal use only.
Pattern: imploding/concatenating in a loop.
- Remove the call by refactoring the code.
- If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123

Code should be refactored for removal of SafeMarkup::set().

- Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.

The SafeMarkup::set() already occurs inside of an automated test, so an additional one is not necessary.

- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
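The following is an added example, not core's _batch_test_finished_helper() and not the patch from this issue. It models the flagged pattern (untrusted fragments concatenated in a loop, then the whole blob asserted safe) next to a refactoring in the spirit of the change record: implode only the template, never the data, and hand every untrusted value to a placeholder. It uses FormattableMarkup, the placeholder API that succeeded SafeMarkup::format(), and assumes drupal/core is installed via Composer so the Component classes autoload without a site bootstrap. The $results array and the function names batch_summary_concat() / batch_summary_formattable() are constructed for illustration.

```php
<?php
// Added example: the "concatenate in a loop, then mark the blob safe" pattern
// beside a placeholder-based refactoring. Assumes drupal/core is autoloadable
// via Composer; $results is constructed test data, not real batch output.

require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Component\Utility\Unicode;

// Constructed batch results keyed by operation name. One key carries markup,
// the way a hostile operation label or form value might.
$results = [
  'load' => ['n1', 'n2', 'n3'],
  '<img src=x onerror=alert(1)>' => ['n4'],
];

/**
 * BEFORE: the pattern flagged in the issue. $op is interpolated raw, and the
 * old code then wrapped the joined string in SafeMarkup::set(), telling the
 * renderer not to escape it. SafeMarkup::set() no longer exists in core, so
 * the call is left as a comment; the returned blob is what reached the page.
 */
function batch_summary_concat(array $results): string {
  $messages = [];
  foreach ($results as $op => $op_results) {
    $messages[] = 'op ' . Unicode::ucfirst($op) . ': processed ' . count($op_results) . ' elements';
  }
  // Original pattern: SafeMarkup::set(implode("\n", $messages));
  return implode("<br />\n", $messages);
}

/**
 * AFTER: implode only the template, never the data. Each loop iteration adds a
 * literal line containing numbered placeholders; the untrusted values go into
 * the arguments array, where FormattableMarkup runs '@' placeholders through
 * Html::escape() when the object is cast to string. The "<br />" glue is a
 * literal we wrote, which is the only reason the result may be treated as markup.
 */
function batch_summary_formattable(array $results): FormattableMarkup {
  $lines = [];
  $args = [];
  $i = 0;
  foreach ($results as $op => $op_results) {
    $lines[] = "op @op{$i}: processed @count{$i} elements";
    $args["@op{$i}"] = Unicode::ucfirst($op);
    $args["@count{$i}"] = (string) count($op_results);
    $i++;
  }
  if (!$lines) {
    $lines[] = 'none';
  }
  return new FormattableMarkup(implode("<br />\n", $lines), $args);
}

$unsafe = batch_summary_concat($results);
$safe = (string) batch_summary_formattable($results);

// The raw concatenation passes the <img> tag through verbatim; the placeholder
// version emits &lt;img ...&gt; while the literal <br /> separator survives.
var_dump(strpos($unsafe, '<img') !== FALSE);        // bool(true)
var_dump(strpos($safe, '<img') === FALSE);           // bool(true)
var_dump(strpos($safe, '&lt;img src=x') !== FALSE); // bool(true)
var_dump(substr_count($safe, '<br />') === 1);       // bool(true)
```

The same placeholder discipline applies when the text is user-facing and translatable (t() / TranslatableMarkup take the same '@' arguments), and a list of per-operation lines is often better expressed as a '#theme' => 'item_list' render array whose string items Twig autoescapes. Either way the check when reviewing is the one the change record asks for: no untrusted value may appear in the format string or in anything passed to a "mark as safe" call.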
Manual testing steps (for XSS and double escaping)

Manual testing should not be necessary since the SafeMarkup::set() occurs inside an automated test. The test(s) should fail if the string is improperly escaped.

Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Compare the output above in HEAD and with the patch applied. Confirm that there is no double-escaping.
- If there is any user or calling code input in the string, submit a test XSS payload and ensure that it is sanitized.
User interface changes
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 106,862 pass(es).