diff --git a/core/includes/file.inc b/core/includes/file.inc
index 142bd206be1..c5027c02365 100644
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
@@ -371,8 +371,8 @@ function file_save_htaccess($directory, $private = TRUE, $force_overwrite = FALS
return drupal_chmod($htaccess_path, 0444);
}
else {
- $variables = array('%directory' => $directory, '!htaccess' => '
' . nl2br(Html::escape($htaccess_lines)));
- \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: !htaccess
", $variables);
+ $variables = array('%directory' => $directory, '@htaccess' => $htaccess_lines);
+ \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines:
@htaccess
", $variables);
return FALSE;
}
}
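Review bot: The move from `!htaccess` to `@htaccess` on the new `$variables` line is the security-relevant part of this change, but nothing in the code says so. A later edit could reintroduce a raw placeholder or pre-escape the value again without noticing. I would add a comment above it such as `// Pass the raw lines via @htaccess so they are escaped once, when the log message is rendered.` Because the value spans multiple lines and `nl2br()` is gone, the message presumably needs preformatted markup around `@htaccess` to stay readable in the log view. This page shows only bare line breaks there, so confirm that against the real file. The body of `file_save_htaccess()` begins outside this hunk.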
diff --git a/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php b/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php
new file mode 100644
index 00000000000..544e8b13e87
--- /dev/null
+++ b/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php
@@ -0,0 +1,43 @@
+publicFilesDirectory . '/test/private';
+
+ // Verify that file_save_htaccess() returns FALSE if .htaccess cannot be
+ // written and writes a correctly formatted message to the error log. Set
+ // $private to TRUE so all possible .htaccess lines are written.
+ $this->assertFalse(file_save_htaccess($private, TRUE));
+ $this->drupalLogin($this->rootUser);
+ $this->drupalGet('admin/reports/dblog');
+ $this->clickLink("Security warning: Couldn't write .htaccess file. Pleaseā¦");
+
+ $lines = FileStorage::htaccessLines(TRUE);
+ foreach (array_filter(explode("\n", $lines)) as $line) {
+ $this->assertEscaped($line);
+ }
+ }
+
+}
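Review bot: The loop calling `assertEscaped($line)` only exercises escaping for lines that contain HTML metacharacters. For any other line the escaped and raw forms are identical, so the assertion reduces to a presence check. A short comment above the `foreach` would make that explicit, for example `// Only lines with <, > or & actually prove escaping; the others just confirm the line was logged.` The comment before `assertFalse()` could also say why the write to `test/private` is expected to fail, since the test relies on that precondition. The start of this new file, including the class and method declaration, is not visible on the page, so this is based on the visible lines only.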