locale_string_is_safe fails on valid safe html [#3586472]

Problem/Motivation

A translation sting can have a <br /> tag but <br/> (without the space) fails the check in locale_string_is_safe.

The problem arises because Xss::filter reassembles the html with the one space.

Steps to reproduce

The real use case is described in #3538468: Please consider removing <br/> tags from translatable strings to avoid import errors

or check:

locale_string_is_safe('hello<br/>drupal'); // FALSE
locale_string_is_safe('hello<br />drupal'); // TRUE
locale_string_is_safe('hello<br  />drupal'); // FALSE

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3586472

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3586472-localestringissafe-fails-on changes, plain diff MR !15564
Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

23 April 2026 at 11:30

bircher created an issue. See original summary.

Comment #2

24 April 2026 at 11:43

bircher opened merge request !15564

Comment #3

bircher

🇨🇿

commented 24 April 2026 at 11:47

Status:

Active

» Needs review

We can just disregard spaces when doing the comparison between the filtered and non filtered version of the string.

Comment #4

bircher

🇨🇿

commented 24 April 2026 at 11:47

Issue tags:

+DevDaysAthens2026

Comment #5

dcam commented 24 April 2026 at 17:16

Status:

Needs review

» Needs work

I left a few suggestions on the MR. The change to the anonymous function is kind of a subjective code-style change. Take it or leave it. But I do feel like the comment move is appropriate. Please consider them.

locale_string_is_safe fails on valid safe html