(entity)/edit/devel pages are broken

Its working fine for me.

I can reproduce this issue on a drupal and devel HEAD version. It was introduced by #2273925: Ensure #markup is XSS escaped in Renderer::doRender(). I am studying how to fix it but for the moment the use of SafeMarkup::set() seems-the only way :(

@willzyx you need to tell the template that the markup is safe. Ideally you'd filter out anything harmful first if at all possible.

I think SafeMarkup::set() is what you have to use here. The only other approach you can take is using Twig_Markup object from Twig, which does the same thing if you are worried about making that safeStrings array any bigger.

Please document the hell out of using that variable though. Saying why it's safe and where the markup comes from.

If the JS can be #attached as a library that would be ideal for caching and other niceties.
But things like this are a bit inevitable in third party:

_ajaxHandler() {
...
		echo '<script>' . file_get_contents( $baseDir . 'kint.js' ) . '</script>'
			. '<style>' . file_get_contents( $cssFile ) . "</style>";

@joelpittet thanks for suggestions!

If the JS can be #attached as a library that would be ideal for caching and other niceties.

sure, but the owner of these assets is the thirdy part lib so there is not to much we can do

I tried SafeMarkup:set() approach and it solves the issue. It would be interesting to see how this approach impacts on memory usage

Yeah I understand, they have embedded the script tags in the output, not much you can do there.

They are set as array keys but keep tabs on @pwolanin's work on that memory, it's getting traded for cpu with a hash and once we fix the 1 failure we can performance test it.

#2503445: Modify SafeMarkup to use hashed strings from marked strings to minimize memory usage

Can you wrap the output in a Twig_Markup object? That will bypass the auto escape, and seems like it might be viable for a big bloc of html that doesn't need more processing and is known safe.

So - the patch here doesn't work for me with a minimal install - is something else happening in the theme?

So - the patch here doesn't work for me with a minimal install - is something else happening in the theme?

The patch in #5 seems to work for me even with minimal profile, the output is not processed and kint output is shown correctly.
Trying to wrap the output in a \Twig_Markup object (directly or with inline_template) the output is still processed and stripped and the result is the same of that shown in the IS

Can you provide more steps to show what you tried? Are you using the latest 8.0.x from git?

Are you using the latest 8.0.x from git?

sure, commit 77e9bbe983acecd227c4a470f94629f113ae090e

This is what I tried:

1) <script> tags are stripped

function kdevel_print_object($object, $prefix = NULL) {
   $dump = has_kint() ? '<div style="clear:both">' . @Kint::dump($object) . '</div>' : devel_print_object($object, $prefix);
   return new \Twig_Markup($dump, 'UTF-8');
}

2) <script> tags are stripped

function kdevel_print_object($object, $prefix = NULL) {
   $dump = has_kint() ? '<div style="clear:both">' . @Kint::dump($object) . '</div>' : devel_print_object($object, $prefix);
  $markup = new \Twig_Markup($dump, 'UTF-8');
  $build['rendering_call'] = array(
    '#type' => 'inline_template',
    '#template' => '{{ data }}', // even {{ data|raw }} not work
    '#context' => array(
      'data' => $markup,
    ),
  );
  return drupal_render($build);
}

In DevelController ::entityRender and ::entityLoad kdevel_print_object is used in this way

public function entityLoad(RouteMatchInterface $route_match) {
      ......
      $output = array('#markup' => kdevel_print_object($build));
      ......

      return $output;
}

probably I'm doing something wrong, I'm not very familiar with twig

ah, I didn't have kint module enabled, now I see it.

I guess at least add a @todo to come back to this

Adding the tag we use in core so I can find this again.

see: #2273925: Ensure #markup is XSS escaped in Renderer::doRender() for possibly why it's getting escaped now

correct me if I'm wrong:

• use '#markup' => new \Twig_Markup(...) doesn't work since there isn't a special handling for Twig_Markup in Renderer::doRender()
• use inline_template doesn't work because in twig env the variable autoescape is always TRUE so the output is escaped in any case

The only solution is use SafeMarkup::set(), right?

Since a lot of functionalities of devel are broken by this issue I'm commit patch in #5.
If you find a better and less memory hungry solution, you can open a followup

Thanks to everyone