Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
#1830588: [META] remove drupal_set_title() and drupal_get_title() removed drupal_set_title(). However the solution of adding #title in controllers missing the sanity check that drupal_set_title provided.So all #title taking care of String::checkPlain, if no 2nd param passed in drupal_set_title.
Proposed resolution
This can be fixed by a static method in Drupal, say Drupal::formatTitle() (may be with) below functionality.
public static function formatTitle($title = NULL, $output = CHECK_PLAIN) {
$stored_title = &drupal_static(__FUNCTION__);
if (isset($title)) {
$stored_title = ($output == PASS_THROUGH) ? $title : String::checkPlain($title);
}
return $stored_title;
}
Remaining tasks
Discuss
patch
test
User interface changes
No
API changes
No
Related Issues
#1830588: [META] remove drupal_set_title() and drupal_get_title()
Comments
Comment #1
DamienMcKennaThis is a dependency for the Metatag port to D8: #2052441: Port Metatag to Drupal 8
Comment #2
DamienMcKennaIt seems that the final page title is output by \Drupal\Core\Render\MainContent\HtmlRenderer::renderResponse(), if the method's first argument contains an element '#title' it is used, otherwise it looks for a TitleResolver object.
Comment #3
BerdirI don't think this issue is really related to your problem, this is about checkPlain/security, which has been solved differently now I think.
I guess we need a new issue, agreed that it is a problem, there might be already one, we should check with @dawehner.
Personally, I thought for a while that there should be a hook or even that allows to alter the response returned by the controller, when it is a render array at least. That would allow me to remove some tricky route alters as well.
Looking a bit closer, it might be possible, the interesting part is actually MainContentViewSubscriber, which then calls the responsible renderer based on the format. And that itself is a KernelEvents::VIEW event, but without an explicit priority. We should be able to add an event listener for that that runs first, does the same check (whether getControllerResult() is an array) and then you can change #title there. Or anything else.
Comment #4
DamienMcKennaOK, ISWYM. I opened #2472011: Provide module/controller-independent method of changing a page's title so I can dig into it.
Comment #5
vijaycs85Just had a word with @dawehner and looks like we are doing a check at output level and I don't see a reason why we should not check markup.