Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2089351 by thedavidmeister, meba: Convert all calls to check_plain() in core to Drupal\Component\Utility\String::checkPlain() in core/includes.

8.0.x
webchick 2013-10-06 22:34:09 -07:00
parent 707ff33d0d
commit 5dc3a2f37f
9 changed files with 60 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
core/includes/bootstrap.inc
View File

@ -1467,7 +1467,9 @@ function watchdog_exception($type, Exception $exception, $message = NULL, $varia
// Use a default value if $message is not set.
if (empty($message)) {
// The exception message is run through check_plain() by _drupal_decode_exception().
// The exception message is run through
// \Drupal\Component\Utility\String::checkPlain() by
// _drupal_decode_exception().
$message = '%type: !message in %function (line %line of %file).';
}
// $variables must be an array so that we can add the exception information.
@ -1672,7 +1674,7 @@ function drupal_get_title() {
// During a bootstrap, menu.inc is not included and thus we cannot provide a title.
if (!isset($title) && function_exists('menu_get_active_title')) {
$title = check_plain(menu_get_active_title());
$title = String::checkPlain(menu_get_active_title());
}
return $title;
@ -1689,7 +1691,8 @@ function drupal_get_title() {
* @param $output
* Optional flag - normally should be left as Title::CHECK_PLAIN. Only set to
* PASS_THROUGH if you have already removed any possibly dangerous code
* from $title using a function like check_plain() or filter_xss(). With this
* from $title using a function like
* \Drupal\Component\Utility\String::checkPlain() or filter_xss(). With this
* flag the string will be passed through unchanged.
*
* @return
@ -1699,7 +1702,7 @@ function drupal_set_title($title = NULL, $output = Title::CHECK_PLAIN) {
$stored_title = &drupal_static(__FUNCTION__);
if (isset($title)) {
$stored_title = ($output == PASS_THROUGH) ? $title : check_plain($title);
$stored_title = ($output == PASS_THROUGH) ? $title : String::checkPlain($title);
}
return $stored_title;

36
core/includes/common.inc
View File

@ -700,7 +700,7 @@ function valid_number_step($value, $step, $offset = 0.0) {
* string, so this function can be called independently when the output needs to
* be a plain-text string for passing to t(), l(),
* Drupal\Core\Template\Attribute, or another function that will call
* check_plain() separately.
* \Drupal\Component\Utility\String::checkPlain() separately.
*
* @param $uri
* A plain-text URI that might contain dangerous protocols.
@ -708,8 +708,8 @@ function valid_number_step($value, $step, $offset = 0.0) {
* @return
* A plain-text URI stripped of dangerous protocols. As with all plain-text
* strings, this return value must not be output to an HTML page without
* check_plain() being called on it. However, it can be passed to functions
* expecting plain-text strings.
* \Drupal\Component\Utility\String::checkPlain() being called on it. However,
* it can be passed to functions expecting plain-text strings.
*
* @see \Drupal\Component\Utility\Url::stripDangerousProtocols()
*/
@ -744,7 +744,8 @@ function check_url($uri) {
*
* Use only for fields where it is impractical to use the
* whole filter system, but where some (mainly inline) mark-up
* is desired (so check_plain() is not acceptable).
* is desired (so \Drupal\Component\Utility\String::checkPlain() is not
* acceptable).
*
* Allows all tags that can be used inside an HTML body, save
* for scripts and styles.
@ -826,14 +827,14 @@ function format_rss_channel($title, $link, $description, $items, $langcode = NUL
$langcode = $langcode ? $langcode : language(Language::TYPE_CONTENT)->id;
$output = "<channel>\n";
$output .= ' <title>' . check_plain($title) . "</title>\n";
$output .= ' <title>' . String::checkPlain($title) . "</title>\n";
$output .= ' <link>' . check_url($link) . "</link>\n";
// The RSS 2.0 "spec" doesn't indicate HTML can be used in the description.
// We strip all HTML tags, but need to prevent double encoding from properly
// escaped source data (such as &amp becoming &amp;amp;).
$output .= ' <description>' . check_plain(decode_entities(strip_tags($description))) . "</description>\n";
$output .= ' <language>' . check_plain($langcode) . "</language>\n";
$output .= ' <description>' . String::checkPlain(decode_entities(strip_tags($description))) . "</description>\n";
$output .= ' <language>' . String::checkPlain($langcode) . "</language>\n";
$output .= format_xml_elements($args);
$output .= $items;
$output .= "</channel>\n";
@ -848,9 +849,9 @@ function format_rss_channel($title, $link, $description, $items, $langcode = NUL
*/
function format_rss_item($title, $link, $description, $args = array()) {
$output = "<item>\n";
$output .= ' <title>' . check_plain($title) . "</title>\n";
$output .= ' <title>' . String::checkPlain($title) . "</title>\n";
$output .= ' <link>' . check_url($link) . "</link>\n";
$output .= ' <description>' . check_plain($description) . "</description>\n";
$output .= ' <description>' . String::checkPlain($description) . "</description>\n";
$output .= format_xml_elements($args);
$output .= "</item>\n";
@ -882,7 +883,7 @@ function format_xml_elements($array) {
}
if (isset($value['value']) && $value['value'] != '') {
$output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : check_plain($value['value'])) . '</' . $value['key'] . ">\n";
$output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : String::checkPlain($value['value'])) . '</' . $value['key'] . ">\n";
}
else {
$output .= " />\n";
@ -890,7 +891,7 @@ function format_xml_elements($array) {
}
}
else {
$output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : check_plain($value)) . "</$key>\n";
$output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : String::checkPlain($value)) . "</$key>\n";
}
}
return $output;
@ -1285,8 +1286,9 @@ function drupal_http_header_attributes(array $attributes = array()) {
* The internal path or external URL being linked to, such as "node/34" or
* "http://example.com/foo". After the url() function is called to construct
* the URL from $path and $options, the resulting URL is passed through
* check_plain() before it is inserted into the HTML anchor tag, to ensure
* well-formed HTML. See url() for more information and notes.
* \Drupal\Component\Utility\String::checkPlain() before it is inserted into
* the HTML anchor tag, to ensure well-formed HTML. See url() for more
* information and notes.
* @param array $options
* An associative array of additional options. Defaults to an empty array. It
* may contain the following elements.
@ -1379,10 +1381,10 @@ function l($text, $path, array $options = array()) {
// The result of url() is a plain-text URL. Because we are using it here
// in an HTML argument context, we need to encode it properly.
$url = check_plain(url($variables['path'], $variables['options']));
$url = String::checkPlain(url($variables['path'], $variables['options']));
// Sanitize the link text if necessary.
$text = $variables['options']['html'] ? $variables['text'] : check_plain($variables['text']);
$text = $variables['options']['html'] ? $variables['text'] : String::checkPlain($variables['text']);
return '<a href="' . $url . '"' . $attributes . '>' . $text . '</a>';
}
@ -1481,7 +1483,7 @@ function drupal_add_html_head_link($attributes, $header = FALSE) {
if ($header) {
// Also add a HTTP header "Link:".
$href = '<' . check_plain($attributes['href']) . '>;';
$href = '<' . String::checkPlain($attributes['href']) . '>;';
unset($attributes['href']);
$element['#attached']['drupal_add_http_header'][] = array('Link', $href . drupal_http_header_attributes($attributes), TRUE);
}
@ -4864,7 +4866,7 @@ function _drupal_flush_css_js() {
*/
function debug($data, $label = NULL, $print_r = FALSE) {
// Print $data contents to string.
$string = check_plain($print_r ? print_r($data, TRUE) : var_export($data, TRUE));
$string = String::checkPlain($print_r ? print_r($data, TRUE) : var_export($data, TRUE));
// Display values with pre-formatting to increase readability.
$string = '<pre>' . $string . '</pre>';

5
core/includes/errors.inc
View File

@ -5,6 +5,7 @@
* Functions for error handling.
*/
use Drupal\Component\Utility\String;
use Symfony\Component\HttpFoundation\Response;
/**
@ -117,7 +118,7 @@ function _drupal_decode_exception($exception) {
'%type' => get_class($exception),
// The standard PHP exception handler considers that the exception message
// is plain-text. We mimick this behavior here.
'!message' => check_plain($message),
'!message' => String::checkPlain($message),
'%function' => $caller['function'],
'%file' => $caller['file'],
'%line' => $caller['line'],
@ -138,7 +139,7 @@ function _drupal_decode_exception($exception) {
function _drupal_render_exception_safe($exception) {
$decode = _drupal_decode_exception($exception);
unset($decode['backtrace']);
return check_plain(strtr('%type: !message in %function (line %line of %file).', $decode));
return String::checkPlain(strtr('%type: !message in %function (line %line of %file).', $decode));
}
/**

3
core/includes/file.inc
View File

@ -7,6 +7,7 @@
use Drupal\Core\StreamWrapper\LocalStream;
use Drupal\Component\PhpStorage\MTimeProtectedFastFileStorage;
use Drupal\Component\Utility\String;
use Drupal\Core\StreamWrapper\PublicStream;
/**
@ -561,7 +562,7 @@ function file_save_htaccess($directory, $private = TRUE) {
drupal_chmod($htaccess_path, 0444);
}
else {
$variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(check_plain($htaccess_lines)));
$variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(String::checkPlain($htaccess_lines)));
watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables, WATCHDOG_ERROR);
}
}

19
core/includes/form.inc
View File

@ -7,6 +7,7 @@
use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\String;
use Drupal\Core\Form\FormInterface;
use Drupal\Core\Form\BaseFormIdInterface;
use Drupal\Core\Database\Database;
@ -2824,7 +2825,7 @@ function form_select_options($element, $choices = NULL) {
else {
$selected = '';
}
$options .= '<option value="' . check_plain($key) . '"' . $selected . '>' . check_plain($choice) . '</option>';
$options .= '<option value="' . String::checkPlain($key) . '"' . $selected . '>' . String::checkPlain($choice) . '</option>';
}
}
return $options;
@ -4569,7 +4570,7 @@ function theme_textarea($variables) {
}
$output = '<div' . new Attribute($wrapper_attributes) . '>';
$output .= '<textarea' . new Attribute($element['#attributes']) . '>' . check_plain($element['#value']) . '</textarea>';
$output .= '<textarea' . new Attribute($element['#attributes']) . '>' . String::checkPlain($element['#value']) . '</textarea>';
$output .= '</div>';
return $output;
}
@ -4932,9 +4933,9 @@ function _drupal_form_send_response(Response $response) {
* Note: if the batch 'title', 'init_message', 'progress_message', or
* 'error_message' could contain any user input, it is the responsibility of
* the code calling batch_set() to sanitize them first with a function like
* check_plain() or filter_xss(). Furthermore, if the batch operation
* returns any user input in the 'results' or 'message' keys of $context,
* it must also sanitize them first.
* \Drupal\Component\Utility\String::checkPlain() or filter_xss(). Furthermore,
* if the batch operation returns any user input in the 'results' or 'message'
* keys of $context, it must also sanitize them first.
*
* Sample batch operations:
* @code
@ -4958,8 +4959,8 @@ function _drupal_form_send_response(Response $response) {
*
* $nodes = entity_load_multiple_by_properties('node', array('uid' => $uid, 'type' => $type));
* $node = reset($nodes);
* $context['results'][] = $node->id() . ' : ' . check_plain($node->label());
* $context['message'] = check_plain($node->label());
* $context['results'][] = $node->id() . ' : ' . String::checkPlain($node->label());
* $context['message'] = String::checkPlain($node->label());
* }
*
* // A more advanced example is a multi-step operation that loads all rows,
@ -4978,10 +4979,10 @@ function _drupal_form_send_response(Response $response) {
* ->range(0, $limit)
* ->execute();
* foreach ($result as $row) {
* $context['results'][] = $row->id . ' : ' . check_plain($row->title);
* $context['results'][] = $row->id . ' : ' . String:checkPlain($row->title);
* $context['sandbox']['progress']++;
* $context['sandbox']['current_id'] = $row->id;
* $context['message'] = check_plain($row->title);
* $context['message'] = String:checkPlain($row->title);
* }
* if ($context['sandbox']['progress'] != $context['sandbox']['max']) {
* $context['finished'] = $context['sandbox']['progress'] / $context['sandbox']['max'];

5
core/includes/menu.inc
View File

@ -6,6 +6,7 @@
*/
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\String;
use Drupal\Core\Cache\CacheBackendInterface;
use Drupal\Core\Language\Language;
use Drupal\Core\Routing\RequestHelper;
@ -1728,10 +1729,10 @@ function theme_menu_local_task($variables) {
// Add text to indicate active tab for non-visual users.
$active = '<span class="visually-hidden">' . t('(active tab)') . '</span>';
// If the link does not contain HTML already, check_plain() it now.
// If the link does not contain HTML already, String::checkPlain() it now.
// After we set 'html'=TRUE the link will not be sanitized by l().
if (empty($link['localized_options']['html'])) {
$link['title'] = check_plain($link['title']);
$link['title'] = String::checkPlain($link['title']);
}
$link['localized_options']['html'] = TRUE;
$link_text = t('!local-task-title!active', array('!local-task-title' => $link['title'], '!active' => $active));

3
core/includes/schema.inc
View File

@ -232,7 +232,8 @@ function drupal_install_schema($module) {
* @return array
* An array of arrays with the following key/value pairs:
* - success: a boolean indicating whether the query succeeded.
* - query: the SQL query(s) executed, passed through check_plain().
* - query: the SQL query(s) executed, passed through
* \Drupal\Component\Utility\String::checkPlain().
*/
function drupal_uninstall_schema($module) {
$schema = drupal_get_schema_unprocessed($module);

17
core/includes/theme.inc
View File

@ -1616,7 +1616,8 @@ function template_preprocess_status_messages(&$variables) {
* - href: The link URL. If omitted, the 'title' is shown as a plain text
* item in the links list.
* - html: (optional) Whether or not 'title' is HTML. If set, the title
* will not be passed through check_plain().
* will not be passed through
* \Drupal\Component\Utility\String::checkPlain().
* - attributes: (optional) Attributes for the anchor, or for the <span>
* tag used in its place if no 'href' is supplied. If element 'class' is
* included, it must be an array of one or more class names.
@ -1666,7 +1667,7 @@ function theme_links($variables) {
}
$output .= '<' . $heading['level'] . new Attribute($heading['attributes']) . '>';
$output .= check_plain($heading['text']);
$output .= String::checkPlain($heading['text']);
$output .= '</' . $heading['level'] . '>';
}
@ -1721,7 +1722,7 @@ function theme_links($variables) {
$link += array(
'html' => FALSE,
);
$item = ($link['html'] ? $link['title'] : check_plain($link['title']));
$item = ($link['html'] ? $link['title'] : String::checkPlain($link['title']));
if (isset($link['attributes'])) {
$item = '<span' . new Attribute($link['attributes']) . '>' . $item . '</span>';
}
@ -2567,11 +2568,11 @@ function template_preprocess_html(&$variables) {
elseif (drupal_get_title()) {
$head_title = array(
'title' => strip_tags(drupal_get_title()),
'name' => check_plain($site_config->get('name')),
'name' => String::checkPlain($site_config->get('name')),
);
}
else {
$head_title = array('name' => check_plain($site_config->get('name')));
$head_title = array('name' => String::checkPlain($site_config->get('name')));
if ($site_config->get('slogan')) {
$head_title['slogan'] = strip_tags(filter_xss_admin($site_config->get('slogan')));
}
@ -2679,7 +2680,7 @@ function template_preprocess_page(&$variables) {
$variables['main_menu'] = theme_get_setting('features.main_menu') ? menu_main_menu() : array();
$variables['secondary_menu'] = theme_get_setting('features.secondary_menu') ? menu_secondary_menu() : array();
$variables['action_links'] = menu_get_local_actions();
$variables['site_name'] = (theme_get_setting('features.name') ? check_plain($site_config->get('name')) : '');
$variables['site_name'] = (theme_get_setting('features.name') ? String::checkPlain($site_config->get('name')) : '');
$variables['site_slogan'] = (theme_get_setting('features.slogan') ? filter_xss_admin($site_config->get('slogan')) : '');
$variables['tabs'] = menu_local_tabs();
@ -2873,7 +2874,7 @@ function template_preprocess_maintenance_page(&$variables) {
);
}
else {
$head_title = array('name' => check_plain($site_name));
$head_title = array('name' => String::checkPlain($site_name));
if ($site_slogan) {
$head_title['slogan'] = strip_tags(filter_xss_admin($site_slogan));
}
@ -2907,7 +2908,7 @@ function template_preprocess_maintenance_page(&$variables) {
$variables['messages'] = $variables['show_messages'] ? theme('status_messages') : '';
$variables['main_menu'] = array();
$variables['secondary_menu'] = array();
$variables['site_name'] = (theme_get_setting('features.name') ? check_plain($site_name) : '');
$variables['site_name'] = (theme_get_setting('features.name') ? String::checkPlain($site_name) : '');
$variables['site_slogan'] = (theme_get_setting('features.slogan') ? filter_xss_admin($site_slogan) : '');
$variables['tabs'] = '';

7
core/includes/update.inc
View File

@ -10,6 +10,7 @@
use Drupal\Component\Graph\Graph;
use Drupal\Component\Utility\Settings;
use Drupal\Component\Utility\String;
use Drupal\Core\Config\FileStorage;
use Drupal\Core\Config\ConfigException;
use Drupal\Core\DrupalKernel;
@ -813,7 +814,9 @@ function update_do_one($module, $number, $dependency_map, &$context) {
require_once __DIR__ . '/errors.inc';
$variables = _drupal_decode_exception($e);
unset($variables['backtrace']);
// The exception message is run through check_plain() by _drupal_decode_exception().
// The exception message is run through
// \Drupal\Component\Utility\String::checkPlain() by
// _drupal_decode_exception().
$ret['#abort'] = array('success' => FALSE, 'query' => t('%type: !message in %function (line %line of %file).', $variables));
}
}
@ -841,7 +844,7 @@ function update_do_one($module, $number, $dependency_map, &$context) {
drupal_set_installed_schema_version($module, $number);
}
$context['message'] = 'Updating ' . check_plain($module) . ' module';
$context['message'] = 'Updating ' . String::checkPlain($module) . ' module';
}
/**