Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I have a theme function that transforms a part of a form into table.
The rows look like this:
$row[] = drupal_render($items[$key]['thumbnail']);
$row[] = drupal_render($items[$key]['label']) . drupal_render($items[$key]['note']);
$row[] = drupal_render($items[$key]['value']);
$row[] = drupal_render($items[$key]['operations']) . drupal_render($items[$key]);
Note the second and last rows - they combine multiple fields into one row.
These cells will get double escaped by Twig autoescape.
The rows with only one item gets rendered just fine.
This is due to the fact that each render is marked as safe separately. But when they are put together they make up a new and unique string which is not present in SafeMarkup's static cache and therefore it's not treated as safe.
Simple solution for tables is to put the data into separate cells and use colspan.
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #3
tim.plunkettSeems like user error. Can you paste the rest of the relevant code?
Comment #4
Anonymous (not verified) CreditAttribution: Anonymous commentedIt's not a user error. That's the way the theme functions(mostly aimed at transforming forms into tables) were always done.
But I see now(
theme_book_admin_table
) thatSafeMarkup::set(drupal_render($items[$key]['label']) . drupal_render($items[$key]['note']))
is the new way.I guess there isn't a better way to do this right now but to duplicate the code in SafeMarkup's static cache.
Comment #5
chx CreditAttribution: chx commentedAbsolutely not. The way is to use #type inline_template. Change notice https://www.drupal.org/node/2311123 here.
Comment #6
jibran