Problem/Motivation
The $text parameter of Token::replace() is documented as follows:
"The caller is responsible for calling \Drupal\Component\Utility\Html::escape() in case the $text was plain text."
There are instances in core where this does not happen, which means that plain text that resembles HTML would be corrupted. For example, an Email action with the subject "What do you think of the <blink> tag?" would get corrupted to "What do you think of the tag?".
When fixing this bug, we need to consider that sites might have observed this bug and compensated for it by setting their subject to "What do you think of the &lt;blink&gt; tag?". If we fix this bug, these sites would start sending emails without decoding those escaped entities. However, it's hard to see how to fix the bug without this problem, so perhaps we just have to document it clearly in the release notes.
This issue was split off from #2580723: Fix token system confusion, with new function Token::replacePlain(). See the lengthy discussion there for further background.
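The corruption and the compatibility concern described above, modelled in stand-alone PHP as an added example; it is not Drupal core code or the patch from this issue. The helper names and the sample token value are constructed for illustration, and the final HTML-to-plain-text step (strip tags, then decode entities) is an assumption about how the subject is rendered.

```php
<?php
// Hypothetical stand-ins that model the behaviour; not Drupal core code.

// Token replacement that treats $text as HTML markup: token values are
// HTML-escaped on insertion, the surrounding $text is used as-is.
function replace_as_html(string $text, array $tokens): string {
  $escaped = array_map(fn($v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'), $tokens);
  return strtr($text, $escaped);
}

// Assumed final step for a plain-text subject: strip tags, decode entities.
function html_to_plain(string $html): string {
  return html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
}

// Buggy caller: hands plain text to the HTML-oriented replacement unescaped.
function subject_buggy(string $subject, array $tokens): string {
  return html_to_plain(replace_as_html($subject, $tokens));
}

// Fixed caller: escapes the plain text first, as the $text documentation asks.
function subject_fixed(string $subject, array $tokens): string {
  $markup = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
  return html_to_plain(replace_as_html($markup, $tokens));
}

// Constructed sample data.
$tokens = ['[site:name]' => 'R&D <Labs>'];
$subjects = [
  'plain'       => 'What do you think of the <blink> tag? [site:name]',
  // A site that noticed the bug and pre-escaped its configured subject.
  'compensated' => 'What do you think of the &lt;blink&gt; tag? [site:name]',
];

foreach ($subjects as $label => $subject) {
  printf("%-12s buggy: %s\n", $label, subject_buggy($subject, $tokens));
  printf("%-12s fixed: %s\n", $label, subject_fixed($subject, $tokens));
}
// plain/buggy loses "<blink>"; plain/fixed keeps it intact.
// compensated/buggy looks correct; compensated/fixed shows literal
// "&lt;blink&gt;", which is the regression risk for existing sites.
```

The token value survives in all four cases because it is escaped on insertion and decoded once; only the caller-supplied subject text is affected by whether the caller escapes it.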
Proposed resolution
Use the Token::replacePlain() method.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | token-corrupt.3264453-2.patch | 6.31 KB | adamps |
Comments
Comment #2
adamps commented
This patch will apply after #2580723: Fix token system confusion, with new function Token::replacePlain() is fixed. It probably makes sense to postpone this one until after the other.
Comment #6
adamps commented
Comment #7
adamps commented
Comment #8
smustgrave commented
Thank you for reporting.
As a bug, this will also need a test case showing this issue.
Comment #9
adamps commented
Sure, however before spending time on that, please can we get agreement that this would be accepted and committed?
Comment #10
larowlan
I think a release manager would be the best person to answer the question in #9 as (per the issue summary) there's a possible impact on existing sites here.