By dawehner on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
8.0.x
Introduced in version:
8.0.0-beta16
Issue links:
Description:
As of #2567257: hook_tokens() $sanitize option incompatible with Html sanitisation requirements, the token API got a couple of changes:
- hook_tokens() implementors are no longer responsible for "sanitization". If the token value is plain text, just return the string. If the token value is supposed to be HTML, a MarkupInterface object should be returned, for example by using $renderer->renderPlain(['#markup' => $string]);. There's an issue to improve the DX for this usage (see #2577827: Add a XssFilteredMarkup).
- Token::replace() escapes automatically, so API users don't need to take care of that.
- $options['sanitize'] is removed completely from hook_tokens().
- $options['sanitize'] is removed completely from Token::replace().
- Token::replace() now calls Html::escape() on each token value, unless it is an HTML markup string (i.e. an instance of MarkupInterface).
- The result of Token::replace() is now HTML markup as a string. If the caller wants to use it outside of HTML, it needs to be converted to the appropriate format, for instance to plain text via PlainTextOutput::renderFromHtml().
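The escaping rule above, modelled as a stand-alone PHP script. This is an added example, not Drupal core code: ExampleMarkupInterface, ExampleMarkup, example_escape(), example_token_replace() and example_to_plain_text() are hypothetical stand-ins for MarkupInterface, Html::escape(), Token::replace() and PlainTextOutput::renderFromHtml(), and the title string is constructed.

```php
<?php
// Stand-alone model of the escaping rule in this change record. The names
// below are hypothetical stand-ins, not Drupal's classes or functions.

interface ExampleMarkupInterface {
  public function __toString();
}

// Wraps HTML whose producer has already made it safe to print.
final class ExampleMarkup implements ExampleMarkupInterface {
  private $html;
  public function __construct(string $html) { $this->html = $html; }
  public function __toString() { return $this->html; }
}

// htmlspecialchars() stands in for Html::escape().
function example_escape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Models Token::replace(): escape each value unless it is a markup object.
function example_token_replace(string $text, array $values): string {
  $out = [];
  foreach ($values as $token => $value) {
    $out[$token] = $value instanceof ExampleMarkupInterface
      ? (string) $value
      : example_escape((string) $value);
  }
  return strtr($text, $out);
}

// Stand-in for converting the HTML result to plain text.
function example_to_plain_text(string $html): string {
  return html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
}

$title = '<em>R&D</em> notes';  // constructed, untrusted user input
$cases = [
  // New contract: plain text is returned as-is and escaped exactly once.
  'plain string' => $title,
  // Leftover pre-change habit: escaping in the hook now double-escapes.
  'escaped in hook' => example_escape($title),
  // Intentional HTML: the hook escapes the untrusted part, then wraps it.
  'markup object' => new ExampleMarkup('<strong>' . example_escape($title) . '</strong>'),
];
foreach ($cases as $label => $value) {
  $html = example_token_replace('Title: [node:title]', ['[node:title]' => $value]);
  echo $label, "\n  html:  ", $html, "\n  plain: ", example_to_plain_text($html), "\n";
}
```

The second case is what a hook_tokens() implementation that still escapes its own values produces after this change: the entities become visible in the output. The third case shows that a markup object is passed through untouched, so any untrusted part must be escaped before it is wrapped.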
Impacts:
Module developers