Problem/Motivation
Follow-up for #2273925: Ensure #markup is XSS escaped in Renderer::doRender()
It would seem sane to add documentation that #markup goes through checkAdminXss(), wherever we document #markup. Which appears to be in theme.api.php in the theme and render topic group, and took me ages to find. (I looked in ElementInfoManagerInterface::getInfo() and ElementInterface and Renderer and RendererInterface and several other places.)
Can we consolidate links to all the things and add references from the places I originally looked back to this topic? And shouldn't #markup be documented/mentioned somehow wherever the magic happens, rather than only in the topic documentation?
Proposed resolution
Document
Remaining tasks
Do it
User interface changes
None
API changes
None
Comments
Comment #1
star-szr
Thanks for creating the issue! We likely also need to update the FAPI docs in the documentation project.
Comment #2
xjm
Thanks @larowlan! The scope I had in mind was a bit broader; adding some more quotage.
Comment #3
xjm
Comment #4
joelpittet
@xjm Could be just coincidence but noticed this a couple of times, seems that broadening issues seems to stall them, have you noticed that too? Though I'm a bit unsure where to start with this myself... so I just skip it.
Reason I bring it up is I'm triaging again ;)
One thing that may help is flush out a couple of the Remaining tasks.
Also I think @jhodgdon was working on something very similar at badcamp 2015 IIRC and it looked super helpful in the render API docs (on her computer).