diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module
index c05d639b335..96d988b459d 100644
--- a/core/modules/filter/filter.module
+++ b/core/modules/filter/filter.module
@@ -469,6 +469,7 @@ function template_preprocess_filter_tips(&$variables) {
foreach ($variables['tips'] as $name => $tiplist) {
foreach ($tiplist as $tip_key => $tip) {
$tiplist[$tip_key]['attributes'] = new Attribute();
+ $tiplist[$tip_key]['tip'] = Xss::filterAdmin($tiplist[$tip_key]['tip']);
}
$variables['tips'][$name] = array(
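Review bot: The `Xss::filterAdmin()` call added at the tip assignment is an allow-list filter that still permits the full admin tag set, so it works as defence in depth for tips authored by filter plugins, not as a sanitizer for arbitrary user-supplied text; a one-line comment would stop a later maintainer from relying on it for the latter, e.g. `// Tips come from filter plugins; filterAdmin() strips anything outside the admin tag allow-list as defence in depth.`. The hunk does not show a `use Drupal\Component\Utility\Xss;` line for filter.module, so confirm the class is already imported there or the call will fail at runtime. template_preprocess_filter_tips begins before the hunk, and the write-back of `$tiplist` into `$variables['tips'][$name]` continues past it.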
diff --git a/core/modules/filter/src/Plugin/Filter/FilterHtml.php b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
index 3df9f28db13..dd39623c13c 100644
--- a/core/modules/filter/src/Plugin/Filter/FilterHtml.php
+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -144,8 +144,8 @@ class FilterHtml extends FilterBase {
if (!empty($tips[$tag])) {
$rows[] = array(
array('data' => $tips[$tag][0], 'class' => array('description')),
- array('data' => '' . SafeMarkup::checkPlain($tips[$tag][1]) . '
', 'class' => array('type')),
- array('data' => $tips[$tag][1], 'class' => array('get'))
+ array('data' => SafeMarkup::format('@var
', array('@var' => $tips[$tag][1])), 'class' => array('type')),
+ array('data' => SafeMarkup::format($tips[$tag][1]), 'class' => array('get'))
);
}
else {
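Review bot: `SafeMarkup::format($tips[$tag][1])` in the 'get' cell passes the tip as the format string, and a format string is not escaped (only placeholder values are), so this call asserts that the value is trusted HTML rather than sanitizing it. That is defensible only if `$tips` is a hard-coded table inside this method, which the hunk does not show, so confirm; if any entry were ever populated from the filter's configured allowed-tags setting or other stored configuration it would be rendered unescaped. A comment would make the invariant explicit: `// $tips[$tag][1] is hard-coded example markup rendered as-is on purpose; never populate it from configuration.`. The 'type' cell correctly routes the same value through the `@var` placeholder, which is the escaping path. The second FilterHtml hunk has the identical pattern with `SafeMarkup::format($entity[1])`, and the enclosing method starts and ends outside both hunks.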
@@ -175,8 +175,8 @@ class FilterHtml extends FilterBase {
foreach ($entities as $entity) {
$rows[] = array(
array('data' => $entity[0], 'class' => array('description')),
- array('data' => '' . SafeMarkup::checkPlain($entity[1]) . '
', 'class' => array('type')),
- array('data' => $entity[1], 'class' => array('get'))
+ array('data' => SafeMarkup::format('@var
', array('@var' => $entity[1])), 'class' => array('type')),
+ array('data' => SafeMarkup::format($entity[1]), 'class' => array('get'))
);
}
$table = array(
diff --git a/core/modules/filter/src/Tests/FilterAdminTest.php b/core/modules/filter/src/Tests/FilterAdminTest.php
index 2cd5bd1e807..1dccd5d48fc 100644
--- a/core/modules/filter/src/Tests/FilterAdminTest.php
+++ b/core/modules/filter/src/Tests/FilterAdminTest.php
@@ -361,4 +361,26 @@ class FilterAdminTest extends WebTestBase {
$this->assertNoRaw(t('The text format %format has been updated.', array('%format' => 'Basic HTML')));
}
+ /**
+ * Tests whether filter tips page is not HTML escaped.
+ */
+ function testFilterTipHtmlEscape() {
+ $this->drupalLogin($this->adminUser);
+ global $base_url;
+
+ // It is not possible to test the whole filter tip page.
+ // Therefore we test only some parts.
+ $link = '' . SafeMarkup::checkPlain(\Drupal::config('system.site')->get('name')) . '';
+ $ampersand = '&';
+ $link_as_code = '' . $link . '
';
+ $ampersand_as_code = '' . $ampersand . '
';
+
+ $this->drupalGet('filter/tips');
+
+ $this->assertRaw('