The SafeMarkup::xssFilter() method has been removed from Drupal 8 Core (see: https://www.drupal.org/node/2549395 ), as well as several other SafeMarkup methods. This is causing fatal PHP errors when using the Features UI on the Dev branch of D8 (and future beta releases).

All calls to the following methods need to be replaced:

  • SafeMarkup::replace() - there is no direct replacement for this. A generic function to handle this was problematic - code that needs to do something like this must handle the problem itself. See views_pre_render_views_form_views_form().
  • SafeMarkup::xssFilter() - see https://www.drupal.org/node/2549395
  • SafeMarkup::placeholder() - there is no direct replacement for this. Use \Drupal\Component\Utility\SafeMarkup::format() with $args = ['%placeholder' => 'thing to be placeholdered']
  • SafeMarkup::escape() - The same as SafeMarkup::checkPlain() applies here: rely on Twig's auto-escaping feature, use the #plain_text key in a render array. If neither of those is possible and you require explicit escaping, use Html::escape().
    Note that SafeMarkup::escape() only used to escape strings that were marked as unsafe, so Html::escape() is not a direct equivalent. Use SafeMarkup::isSafe() if you want to check for safeness before escaping.
  • SafeMarkup::set() - use one of the strategies in https://www.drupal.org/node/2311123

Note also that SafeMarkup::checkPlain() has been deprecated, and is scheduled to be removed before 8.0.0 is released.
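
One way the replacements listed in the summary above can look in a render array. This is an added example, not part of the issue or of the committed patch. The function name and the tag list are hypothetical, and the code assumes a Drupal 8 site where SafeMarkup::format(), #plain_text and #allowed_tags are available.

```php
<?php

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;

/**
 * Hypothetical helper (not from the Features module): renders a feature name
 * and description without any of the removed SafeMarkup methods.
 */
function example_feature_summary_build($name, $description) {
  $build = [];

  // Instead of SafeMarkup::placeholder(): format() escapes the %name value
  // and wraps it in <em class="placeholder">.
  $build['title'] = [
    '#markup' => SafeMarkup::format('Feature %name', ['%name' => $name]),
  ];

  // Instead of SafeMarkup::escape() / checkPlain(): the renderer escapes the
  // whole string, so "<em>" in a description is displayed as literal text.
  $build['description_plain'] = [
    '#plain_text' => $description,
  ];

  // Instead of SafeMarkup::xssFilter(): #markup is XSS-filtered at render
  // time, and #allowed_tags narrows the filter to an explicit allowlist.
  // Tags outside the list (for example <script>) are stripped.
  $build['description_html'] = [
    '#markup' => $description,
    '#allowed_tags' => ['em', 'strong', 'i', 'b'],
  ];

  // Explicit escaping, only for a string that is placed into HTML by hand
  // and therefore bypasses both Twig auto-escaping and the render keys above.
  $build['description_title_attr'] = [
    '#type' => 'inline_template',
    '#template' => '<span title="{{ tip|raw }}">?</span>',
    '#context' => ['tip' => Html::escape($description)],
  ];

  return $build;
}
```

With a description such as `Adds <em>blog</em> content`, the `description_plain` element shows the tags as text, while `description_html` renders the emphasis.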

Comment | File | Size | Author
#4 | several_safemarkup-2560661-3.patch | 4.56 KB | hampercm

Comments

hampercm created an issue. See original summary.

hampercm’s picture

Title: SafeMarkup::xssFilter() removed from Core, causing Fatal PHP errors » Several SafeMarkup methods removed from Core, causing Fatal PHP errors

hampercm’s picture

Assigned: Unassigned » hampercm

Working on a patch for this...

hampercm’s picture

Status: Active » Needs review
Status | File | Size
new | | 4.56 KB

This patch replaces all calls to removed SafeMarkup methods with recommended equivalents.

anavarre’s picture

Applied the patch and it does fix the PHP Fatal errors. Poked around and there's nothing that I see that is broken in the UI.

mpotter’s picture

Thanks for the help on this!

Lol, seems like I just *added* the SafeMarkup stuff recently. The fact that D8 is using the Twig auto-escape can make life difficult, although I understand the rationale.

So, the test for this is to add italic or strong tags within the description of a Feature. That is where the previous xssFilter wasn't working (it would show the explicit tags in the description).

The SafeMarkup::format stuff all looks reasonable, so it's only the final xssFilter of the description that still needs checking.

  • mpotter committed 0cd5be6 on 8.x-3.x authored by hampercm
    Issue #2560661 by hampercm: Several SafeMarkup methods removed from Core...

mpotter’s picture

Status: Needs review » Fixed

So I was correct that this patch broke HTML in Feature description text. However, using #markup I was able to adjust that. So I've committed this patch with the additional change to handling the description in 0cd5be6.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.