Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2545972 by alexpott, joelpittet, ericjenkins, stefan.r, Wim Leers, Cottser: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping

8.0.x
Nathaniel Catchpole 2015-09-17 14:47:16 +01:00
parent cd37e6b953
commit 8691e08fdf
74 changed files with 500 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
core/includes/schema.inc
View File

@ -130,12 +130,6 @@ function drupal_install_schema($module) {
*
* @param string $module
* The module for which the tables will be removed.
*
* @return array
* An array of arrays with the following key/value pairs:
* - success: a boolean indicating whether the query succeeded.
* - query: the SQL query(s) executed, passed through
* \Drupal\Component\Utility\SafeMarkup::checkPlain().
*/
function drupal_uninstall_schema($module) {
$schema = drupal_get_module_schema($module);

2
core/lib/Drupal/Component/Utility/UrlHelper.php
View File

@ -304,7 +304,7 @@ class UrlHelper {
* \Drupal\Component\Utility\Xss::filter(), but those functions return an
* HTML-encoded string, so this function can be called independently when the
* output needs to be a plain-text string for passing to functions that will
* call \Drupal\Component\Utility\SafeMarkup::checkPlain() separately.
* call \Drupal\Component\Utility\Html::escape() separately.
*
* @param string $uri
* A plain-text URI that might contain dangerous protocols.

2
core/lib/Drupal/Component/Utility/Xss.php
View File

@ -106,7 +106,7 @@ class Xss {
*
* Use only for fields where it is impractical to use the
* whole filter system, but where some (mainly inline) mark-up
* is desired (so \Drupal\Component\Utility\SafeMarkup::checkPlain() is
* is desired (so \Drupal\Component\Utility\Html::escape() is
* not acceptable).
*
* Allows all tags that can be used inside an HTML body, save

14
core/lib/Drupal/Core/Controller/TitleResolverInterface.php
View File

@ -17,18 +17,20 @@ interface TitleResolverInterface {
/**
* Returns a static or dynamic title for the route.
*
* The returned title string must be safe to output in HTML. For example, an
* implementation should call \Drupal\Component\Utility\SafeMarkup::checkPlain()
* or \Drupal\Component\Utility\Xss::filterAdmin() on the string, or use
* appropriate placeholders to sanitize dynamic content inside a localized
* string before returning it. The title may contain HTML such as EM tags.
* If the returned title can contain HTML that should not be escaped it should
* return a render array, for example:
* @code
* ['#markup' => 'title', '#allowed_tags' => ['em']]
* @endcode
* If the method returns a string and it is not marked safe then it will be
* auto-escaped.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* The request object passed to the title callback.
* @param \Symfony\Component\Routing\Route $route
* The route information of the route to fetch the title.
*
* @return string|null
* @return array|string|null
* The title for the route.
*/
public function getTitle(Request $request, Route $route);

5
core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php
View File

@ -7,7 +7,6 @@
namespace Drupal\Core\EventSubscriber;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Logger\LoggerChannelFactoryInterface;
use Drupal\Core\Utility\Error;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
@ -45,7 +44,7 @@ class ExceptionLoggingSubscriber implements EventSubscriberInterface {
*/
public function on403(GetResponseForExceptionEvent $event) {
$request = $event->getRequest();
$this->logger->get('access denied')->warning(SafeMarkup::checkPlain($request->getRequestUri()));
$this->logger->get('access denied')->warning('@uri', ['@uri' => $request->getRequestUri()]);
}
/**
@ -56,7 +55,7 @@ class ExceptionLoggingSubscriber implements EventSubscriberInterface {
*/
public function on404(GetResponseForExceptionEvent $event) {
$request = $event->getRequest();
$this->logger->get('page not found')->warning(SafeMarkup::checkPlain($request->getRequestUri()));
$this->logger->get('page not found')->warning('@uri', ['@uri' => $request->getRequestUri()]);
}
/**

3
core/lib/Drupal/Core/Extension/ThemeHandler.php
View File

@ -7,7 +7,6 @@
namespace Drupal\Core\Extension;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\State\StateInterface;
@ -428,7 +427,7 @@ class ThemeHandler implements ThemeHandlerInterface {
if (!isset($themes[$theme])) {
throw new \InvalidArgumentException("Requested the name of a non-existing theme $theme");
}
return SafeMarkup::checkPlain($themes[$theme]->info['name']);
return $themes[$theme]->info['name'];
}
/**

2
core/lib/Drupal/Core/Field/AllowedTagsXssTrait.php
View File

@ -24,7 +24,7 @@ trait AllowedTagsXssTrait {
*
* Used for items entered by administrators, like field descriptions, allowed
* values, where some (mainly inline) mark-up may be desired (so
* \Drupal\Component\Utility\SafeMarkup::checkPlain() is not acceptable).
* \Drupal\Component\Utility\Html::escape() is not acceptable).
*
* @param string $string
* The string with raw HTML in it.

4
core/lib/Drupal/Core/Form/form.api.php
View File

@ -5,8 +5,6 @@
* Callbacks and hooks related to form system.
*/
use Drupal\Component\Utility\SafeMarkup;
/**
* @addtogroup callbacks
* @{
@ -79,7 +77,7 @@ function callback_batch_operation($MULTIPLE_PARAMS, &$context) {
node_save($node);
// Store some result for post-processing in the finished callback.
$context['results'][] = SafeMarkup::checkPlain($node->title);
$context['results'][] = $node->title;
// Update our progress information.
$context['sandbox']['progress']++;

3
core/lib/Drupal/Core/Menu/menu.api.php
View File

@ -461,9 +461,6 @@ function hook_system_breadcrumb_alter(\Drupal\Core\Breadcrumb\Breadcrumb &$bread
* must be a string; other elements are more flexible, as they just need
* to work as an argument for the constructor of the class
* Drupal\Core\Template\Attribute($options['attributes']).
* - html: Whether or not HTML should be allowed as the link text. If FALSE,
* the text will be run through
* \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output.
*
* @see \Drupal\Core\Routing\UrlGenerator::generateFromPath()
* @see \Drupal\Core\Routing\UrlGenerator::generateFromRoute()

5
core/lib/Drupal/Core/Session/AccountInterface.php
View File

@ -116,10 +116,7 @@ interface AccountInterface {
* @see hook_user_format_name_alter()
*
* @return
* An unsanitized string with the username to display. The code receiving
* this result must ensure that \Drupal\Component\Utility\SafeMarkup::checkPlain()
* is called on it before it is
* printed to the page.
* An unsanitized string with the username to display.
*/
public function getUsername();

8
core/lib/Drupal/Core/Utility/Token.php
View File

@ -164,8 +164,8 @@ class Token {
* display to a web browser. Defaults to TRUE. Developers who set this
* option to FALSE assume responsibility for running
* \Drupal\Component\Utility\Xss::filter(),
* \Drupal\Component\Utility\SafeMarkup::checkPlain() or other appropriate
* scrubbing functions before displaying data to users.
* \Drupal\Component\Utility\Html::escape() or other appropriate scrubbing
* functions before displaying data to users.
* @param \Drupal\Core\Render\BubbleableMetadata $bubbleable_metadata|null
* (optional) An object to which static::generate() and the hooks and
* functions that it invokes will add their required bubbleable metadata.
@ -285,8 +285,8 @@ class Token {
* - sanitize: A boolean flag indicating that tokens should be sanitized for
* display to a web browser. Developers who set this option to FALSE assume
* responsibility for running \Drupal\Component\Utility\Xss::filter(),
* \Drupal\Component\Utility\SafeMarkup::checkPlain() or other appropriate
* scrubbing functions before displaying data to users.
* \Drupal\Component\Utility\Html::escape() or other appropriate scrubbing
* functions before displaying data to users.
* @param \Drupal\Core\Render\BubbleableMetadata $bubbleable_metadata
* The bubbleable metadata. This is passed to the token replacement
* implementations so that they can attach their metadata.

3
core/modules/block/src/Controller/BlockController.php
View File

@ -7,6 +7,7 @@
namespace Drupal\block\Controller;
use Drupal\Component\Utility\Html;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Extension\ThemeHandler;
use Drupal\Core\Extension\ThemeHandlerInterface;
@ -55,7 +56,7 @@ class BlockController extends ControllerBase {
*/
public function demo($theme) {
$page = [
'#title' => $this->themeHandler->getName($theme),
'#title' => Html::escape($this->themeHandler->getName($theme)),
'#type' => 'page',
'#attached' => array(
'drupalSettings' => [

4
core/modules/block/src/Controller/CategoryAutocompleteController.php
View File

@ -7,8 +7,8 @@
namespace Drupal\block\Controller;
use Drupal\Component\Utility\Html;
use Drupal\Core\Block\BlockManagerInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
@ -59,7 +59,7 @@ class CategoryAutocompleteController implements ContainerInjectionInterface {
$matches = array();
foreach ($this->blockManager->getCategories() as $category) {
if (stripos($category, $typed_category) === 0) {
$matches[] = array('value' => $category, 'label' => SafeMarkup::checkPlain($category));
$matches[] = array('value' => $category, 'label' => Html::escape($category));
}
}
return new JsonResponse($matches);

4
core/modules/block/src/Tests/BlockUiTest.php
View File

@ -86,6 +86,10 @@ class BlockUiTest extends WebTestBase {
$this->clickLink(t('Demonstrate block regions (@theme)', array('@theme' => 'Classy')));
$elements = $this->xpath('//div[contains(@class, "region-highlighted")]/div[contains(@class, "block-region") and contains(text(), :title)]', array(':title' => 'Highlighted'));
$this->assertTrue(!empty($elements), 'Block demo regions are shown.');
\Drupal::service('theme_handler')->install(array('test_theme'));
$this->drupalGet('admin/structure/block/demo/test_theme');
$this->assertEscaped('<strong>Test theme</strong>');
}
/**

4
core/modules/block/tests/src/Unit/CategoryAutocompleteTest.php
View File

@ -7,8 +7,8 @@
namespace Drupal\Tests\block\Unit;
use Drupal\Component\Utility\Html;
use Drupal\block\Controller\CategoryAutocompleteController;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
@ -48,7 +48,7 @@ class CategoryAutocompleteTest extends UnitTestCase {
*/
public function testAutocompleteSuggestions($string, $suggestions) {
$suggestions = array_map(function ($suggestion) {
return array('value' => $suggestion, 'label' => SafeMarkup::checkPlain($suggestion));
return array('value' => $suggestion, 'label' => Html::escape($suggestion));
}, $suggestions);
$result = $this->autocompleteController->autocomplete(new Request(array('q' => $string)));
$this->assertSame($suggestions, json_decode($result->getContent(), TRUE));

3
core/modules/comment/comment.module
View File

@ -16,7 +16,6 @@ use Drupal\comment\CommentManagerInterface;
use Drupal\comment\Entity\CommentType;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Routing\RouteMatchInterface;
@ -579,7 +578,7 @@ function comment_preview(CommentInterface $comment, FormStateInterface $form_sta
if (!empty($account) && $account->isAuthenticated()) {
$comment->setOwner($account);
$comment->setAuthorName(SafeMarkup::checkPlain($account->getUsername()));
$comment->setAuthorName($account->getUsername());
}
elseif (empty($author_name)) {
$comment->setAuthorName(\Drupal::config('user.settings')->get('anonymous'));

3
core/modules/comment/src/Plugin/views/argument/UserUid.php
View File

@ -7,7 +7,6 @@
namespace Drupal\comment\Plugin\views\argument;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Database\Connection;
use Drupal\views\Plugin\views\argument\ArgumentPluginBase;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -65,7 +64,7 @@ class UserUid extends ArgumentPluginBase {
return $this->t('No user');
}
return SafeMarkup::checkPlain($title);
return $title;
}
protected function defaultActions($which = NULL) {

25
core/modules/comment/src/Tests/CommentPreviewTest.php
View File

@ -8,6 +8,7 @@
namespace Drupal\comment\Tests;
use Drupal\comment\CommentManagerInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Datetime\DrupalDateTime;
use Drupal\comment\Entity\Comment;
@ -39,17 +40,31 @@ class CommentPreviewTest extends CommentTestBase {
$this->setCommentSettings('default_mode', CommentManagerInterface::COMMENT_MODE_THREADED, 'Comment paging changed.');
$this->drupalLogout();
// Login as web user and add a user picture.
// Login as web user.
$this->drupalLogin($this->webUser);
$image = current($this->drupalGetTestFiles('image'));
$edit['files[user_picture_0]'] = drupal_realpath($image->uri);
$this->drupalPostForm('user/' . $this->webUser->id() . '/edit', $edit, t('Save'));
// As the web user, fill in the comment form and preview the comment.
// Test escaping of the username on the preview form.
\Drupal::service('module_installer')->install(['user_hooks_test']);
\Drupal::state()->set('user_hooks_test_user_format_name_alter', TRUE);
$edit = array();
$edit['subject[0][value]'] = $this->randomMachineName(8);
$edit['comment_body[0][value]'] = $this->randomMachineName(16);
$this->drupalPostForm('node/' . $this->node->id(), $edit, t('Preview'));
$this->assertEscaped('<em>' . $this->webUser->id() . '</em>');
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
$this->drupalPostForm('node/' . $this->node->id(), $edit, t('Preview'));
$this->assertTrue(SafeMarkup::isSafe($this->webUser->getUsername()), 'Username is marked safe');
$this->assertNoEscaped('<em>' . $this->webUser->id() . '</em>');
$this->assertRaw('<em>' . $this->webUser->id() . '</em>');
// Add a user picture.
$image = current($this->drupalGetTestFiles('image'));
$user_edit['files[user_picture_0]'] = drupal_realpath($image->uri);
$this->drupalPostForm('user/' . $this->webUser->id() . '/edit', $user_edit, t('Save'));
// As the web user, fill in the comment form and preview the comment.
$this->drupalPostForm('node/' . $this->node->id(), $edit, t('Preview'));
// Check that the preview is displaying the title and body.
$this->assertTitle(t('Preview comment | Drupal'), 'Page title is "Preview comment".');

3
core/modules/field_ui/src/Form/FieldConfigEditForm.php
View File

@ -7,7 +7,6 @@
namespace Drupal\field_ui\Form;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityForm;
use Drupal\Core\Field\AllowedTagsXssTrait;
use Drupal\Core\Field\FieldFilteredString;
@ -203,7 +202,7 @@ class FieldConfigEditForm extends EntityForm {
* The label of the field.
*/
public function getTitle(FieldConfigInterface $field_config) {
return SafeMarkup::checkPlain($field_config->label());
return $field_config->label();
}
}

5
core/modules/field_ui/src/Tests/ManageFieldsTest.php
View File

@ -80,8 +80,8 @@ class ManageFieldsTest extends WebTestBase {
$type = $this->drupalCreateContentType(array('name' => $type_name, 'type' => $type_name));
$this->contentType = $type->id();
// Create random field name.
$this->fieldLabel = $this->randomMachineName(8);
// Create random field name with markup to test escaping.
$this->fieldLabel = '<em>' . $this->randomMachineName(8) . '</em>';
$this->fieldNameInput = strtolower($this->randomMachineName(8));
$this->fieldName = 'field_'. $this->fieldNameInput;
@ -194,6 +194,7 @@ class ManageFieldsTest extends WebTestBase {
$field_id = 'node.' . $this->contentType . '.' . $this->fieldName;
// Go to the field edit page.
$this->drupalGet('admin/structure/types/manage/' . $this->contentType . '/fields/' . $field_id . '/storage');
$this->assertEscaped($this->fieldLabel);
// Populate the field settings with new settings.
$string = 'updated dummy test string';

2
core/modules/filter/src/Tests/FilterUnitTest.php
View File

@ -479,8 +479,6 @@ class FilterUnitTest extends KernelTestBase {
/**
* Tests the HTML escaping filter.
*
* \Drupal\Component\Utility\SafeMarkup::checkPlain() is not tested here.
*/
function testHtmlEscapeFilter() {
// Get FilterHtmlEscape object.

3
core/modules/node/src/Controller/NodePreviewController.php
View File

@ -7,7 +7,6 @@
namespace Drupal\node\Controller;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\Controller\EntityViewController;
@ -61,7 +60,7 @@ class NodePreviewController extends EntityViewController {
* The page title.
*/
public function title(EntityInterface $node_preview) {
return SafeMarkup::checkPlain($this->entityManager->getTranslationFromContext($node_preview)->label());
return $this->entityManager->getTranslationFromContext($node_preview)->label();
}
}

3
core/modules/node/src/Plugin/views/argument/Type.php
View File

@ -7,7 +7,6 @@
namespace Drupal\node\Plugin\views\argument;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityStorageInterface;
use Drupal\views\Plugin\views\argument\StringArgument;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -76,7 +75,7 @@ class Type extends StringArgument {
function node_type($type_name) {
$type = $this->nodeTypeStorage->load($type_name);
$output = $type ? $type->label() : $this->t('Unknown content type');
return SafeMarkup::checkPlain($output);
return $output;
}
}

3
core/modules/node/src/Plugin/views/row/Rss.php
View File

@ -7,7 +7,6 @@
namespace Drupal\node\Plugin\views\row;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\views\Plugin\views\row\RssPluginBase;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -78,7 +77,7 @@ class Rss extends RssPluginBase {
public function summaryTitle() {
$options = $this->buildOptionsForm_summary_options();
return SafeMarkup::checkPlain($options[$this->options['view_mode']]);
return $options[$this->options['view_mode']];
}
public function preRender($values) {

6
core/modules/node/src/Tests/PagePreviewTest.php
View File

@ -139,7 +139,7 @@ class PagePreviewTest extends NodeTestBase {
// Fill in node creation form and preview node.
$edit = array();
$edit[$title_key] = $this->randomMachineName(8);
$edit[$title_key] = '<em>' . $this->randomMachineName(8) . '</em>';
$edit[$body_key] = $this->randomMachineName(16);
$edit[$term_key] = $this->term->getName();
@ -153,7 +153,7 @@ class PagePreviewTest extends NodeTestBase {
// Check that the preview is displaying the title, body and term.
$this->assertTitle(t('@title | Drupal', array('@title' => $edit[$title_key])), 'Basic page title is preview.');
$this->assertText($edit[$title_key], 'Title displayed.');
$this->assertEscaped($edit[$title_key], 'Title displayed and escaped.');
$this->assertText($edit[$body_key], 'Body displayed.');
$this->assertText($edit[$term_key], 'Term displayed.');
$this->assertLink(t('Back to content editing'));
@ -185,7 +185,7 @@ class PagePreviewTest extends NodeTestBase {
// Return to page preview to check everything is as expected.
$this->drupalPostForm(NULL, array(), t('Preview'));
$this->assertTitle(t('@title | Drupal', array('@title' => $edit[$title_key])), 'Basic page title is preview.');
$this->assertText($edit[$title_key], 'Title displayed.');
$this->assertEscaped($edit[$title_key], 'Title displayed and escaped.');
$this->assertText($edit[$body_key], 'Body displayed.');
$this->assertText($edit[$term_key], 'Term displayed.');
$this->assertLink(t('Back to content editing'));

3
core/modules/node/src/Tests/Views/NodeIntegrationTest.php
View File

@ -29,7 +29,7 @@ class NodeIntegrationTest extends NodeTestBase {
$types = array();
$all_nids = array();
for ($i = 0; $i < 2; $i++) {
$type = $this->drupalCreateContentType();
$type = $this->drupalCreateContentType(['name' => '<em>' . $this->randomMachineName() . '</em>']);
$types[] = $type;
for ($j = 0; $j < 5; $j++) {
@ -49,6 +49,7 @@ class NodeIntegrationTest extends NodeTestBase {
foreach ($types as $type) {
$this->drupalGet("test-node-view/{$type->id()}");
$this->assertEscaped($type->label());
$this->assertNids(array_keys($nodes[$type->id()]));
}
}

4
core/modules/node/tests/modules/node_test_views/test_views/views.view.test_node_view.yml
View File

@ -167,8 +167,8 @@ display:
value: all
title_enable: false
title: All
title_enable: false
title: ''
title_enable: true
title: '{{ arguments.type }}'
default_argument_type: fixed
default_argument_options:
argument: ''

3
core/modules/options/src/Plugin/views/argument/NumberListField.php
View File

@ -7,7 +7,6 @@
namespace Drupal\options\Plugin\views\argument;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Field\AllowedTagsXssTrait;
use Drupal\Core\Field\FieldFilteredString;
use Drupal\Core\Form\FormStateInterface;
@ -85,7 +84,7 @@ class NumberListField extends NumericArgument {
}
// Else, fallback to the key.
else {
return SafeMarkup::checkPlain($value);
return $value;
}
}

4
core/modules/rest/src/Tests/Views/StyleSerializerTest.php
View File

@ -395,7 +395,7 @@ class StyleSerializerTest extends PluginTestBase {
$expected[] = $expected_row;
}
$this->assertIdentical($this->drupalGetJSON('test/serialize/field'), $expected);
$this->assertIdentical($this->drupalGetJSON('test/serialize/field'), $this->castSafeStrings($expected));
// Test a random aliases for fields, they should be replaced.
$alias_map = array(
@ -430,7 +430,7 @@ class StyleSerializerTest extends PluginTestBase {
$expected[] = $expected_row;
}
$this->assertIdentical($this->drupalGetJSON('test/serialize/field'), $expected);
$this->assertIdentical($this->drupalGetJSON('test/serialize/field'), $this->castSafeStrings($expected));
}
/**

8
core/modules/simpletest/src/AssertContentTrait.php
View File

@ -437,7 +437,7 @@ trait AssertContentTrait {
*/
protected function assertRaw($raw, $message = '', $group = 'Other') {
if (!$message) {
$message = SafeMarkup::format('Raw "@raw" found', array('@raw' => $raw));
$message = 'Raw "' . Html::escape($raw) . '" found';
}
return $this->assert(strpos($this->getRawContent(), (string) $raw) !== FALSE, $message, $group);
}
@ -465,7 +465,7 @@ trait AssertContentTrait {
*/
protected function assertNoRaw($raw, $message = '', $group = 'Other') {
if (!$message) {
$message = SafeMarkup::format('Raw "@raw" not found', array('@raw' => $raw));
$message = 'Raw "' . Html::escape($raw) . '" not found';
}
return $this->assert(strpos($this->getRawContent(), (string) $raw) === FALSE, $message, $group);
}
@ -493,7 +493,7 @@ trait AssertContentTrait {
*/
protected function assertEscaped($raw, $message = '', $group = 'Other') {
if (!$message) {
$message = SafeMarkup::format('Escaped "@raw" found', array('@raw' => $raw));
$message = 'Escaped "' . Html::escape($raw) . '" found';
}
return $this->assert(strpos($this->getRawContent(), Html::escape($raw)) !== FALSE, $message, $group);
}
@ -522,7 +522,7 @@ trait AssertContentTrait {
*/
protected function assertNoEscaped($raw, $message = '', $group = 'Other') {
if (!$message) {
$message = SafeMarkup::format('Escaped "@raw" not found', array('@raw' => $raw));
$message = 'Escaped "' . Html::escape($raw) . '" not found';
}
return $this->assert(strpos($this->getRawContent(), Html::escape($raw)) === FALSE, $message, $group);
}

4
core/modules/system/src/Tests/System/ThemeTest.php
View File

@ -348,9 +348,9 @@ class ThemeTest extends WebTestBase {
*/
function testInstallAndSetAsDefault() {
$this->drupalGet('admin/appearance');
// Bartik is uninstalled in the test profile and has the second "Install and
// Bartik is uninstalled in the test profile and has the third "Install and
// set as default" link.
$this->clickLink(t('Install and set as default'), 1);
$this->clickLink(t('Install and set as default'), 2);
// Test the confirmation message.
$this->assertText('Bartik is now the default theme.');
// Make sure Bartik is now set as the default theme in config.

2
core/modules/system/tests/themes/test_theme/test_theme.info.yml
View File

@ -8,7 +8,7 @@
# here in order for a test to ensure that this correctly prevents the module
# version from being loaded, and that errors aren't caused by the lack of this
# file within the theme folder.
name: 'Test theme'
name: '<strong>Test theme</strong>'
type: theme
description: 'Theme for testing the theme system'
version: VERSION

3
core/modules/taxonomy/src/Plugin/views/argument/IndexTidDepth.php
View File

@ -11,7 +11,6 @@ use Drupal\Core\Entity\EntityStorageInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\views\Plugin\views\argument\ArgumentPluginBase;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\taxonomy\Entity\Term;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -140,7 +139,7 @@ class IndexTidDepth extends ArgumentPluginBase implements ContainerFactoryPlugin
function title() {
$term = $this->termStorage->load($this->argument);
if (!empty($term)) {
return SafeMarkup::checkPlain($term->getName());
return $term->getName();
}
// TODO review text
return $this->t('No name');

3
core/modules/taxonomy/src/Plugin/views/argument/Taxonomy.php
View File

@ -10,7 +10,6 @@ namespace Drupal\taxonomy\Plugin\views\argument;
use Drupal\Core\Entity\EntityStorageInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\views\Plugin\views\argument\NumericArgument;
use Drupal\Component\Utility\SafeMarkup;
use Symfony\Component\DependencyInjection\ContainerInterface;
/**
@ -56,7 +55,7 @@ class Taxonomy extends NumericArgument implements ContainerFactoryPluginInterfac
if ($this->argument) {
$term = $this->termStorage->load($this->argument);
if (!empty($term)) {
return SafeMarkup::checkPlain($term->getName());
return $term->getName();
}
}
// TODO review text

3
core/modules/taxonomy/src/Plugin/views/argument/VocabularyVid.php
View File

@ -8,7 +8,6 @@
namespace Drupal\taxonomy\Plugin\views\argument;
use Drupal\views\Plugin\views\argument\NumericArgument;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\taxonomy\VocabularyStorageInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -63,7 +62,7 @@ class VocabularyVid extends NumericArgument {
function title() {
$vocabulary = $this->vocabularyStorage->load($this->argument);
if ($vocabulary) {
return SafeMarkup::checkPlain($vocabulary->label());
return $vocabulary->label();
}
return $this->t('No vocabulary');

3
core/modules/taxonomy/src/Plugin/views/field/TaxonomyIndexTid.php
View File

@ -11,7 +11,6 @@ use Drupal\Core\Form\FormStateInterface;
use Drupal\views\ViewExecutable;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
use Drupal\views\Plugin\views\field\PrerenderList;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\taxonomy\Entity\Vocabulary;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Drupal\taxonomy\VocabularyStorageInterface;
@ -153,7 +152,7 @@ class TaxonomyIndexTid extends PrerenderList {
$this->items[$node_nid][$tid]['name'] = \Drupal::entityManager()->getTranslationFromContext($term)->label();
$this->items[$node_nid][$tid]['tid'] = $tid;
$this->items[$node_nid][$tid]['vocabulary_vid'] = $term->getVocabularyId();
$this->items[$node_nid][$tid]['vocabulary'] = SafeMarkup::checkPlain($vocabularies[$term->getVocabularyId()]->label());
$this->items[$node_nid][$tid]['vocabulary'] = $vocabularies[$term->getVocabularyId()]->label();
if (!empty($this->options['link_to_taxonomy'])) {
$this->items[$node_nid][$tid]['make_link'] = TRUE;

3
core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php
View File

@ -16,7 +16,6 @@ use Drupal\taxonomy\VocabularyStorageInterface;
use Drupal\views\ViewExecutable;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
use Drupal\views\Plugin\views\filter\ManyToOne;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Tags;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -359,7 +358,7 @@ class TaxonomyIndexTid extends ManyToOne {
$this->value = array_filter($this->value);
$terms = Term::loadMultiple($this->value);
foreach ($terms as $term) {
$this->valueOptions[$term->id()] = SafeMarkup::checkPlain(\Drupal::entityManager()->getTranslationFromContext($term)->label());
$this->valueOptions[$term->id()] = \Drupal::entityManager()->getTranslationFromContext($term)->label();
}
}
return parent::adminSummary();

10
core/modules/taxonomy/src/Tests/Views/TaxonomyDefaultArgumentTest.php
View File

@ -59,4 +59,14 @@ class TaxonomyDefaultArgumentTest extends TaxonomyTestBase {
$expected = $this->term1->id();
$this->assertEqual($expected, $view->argument['tid']->getDefaultArgument());
}
/**
* Tests escaping of page title when the taxonomy plugin provides it.
*/
public function testTermTitleEscaping() {
$this->term1->setName('<em>Markup</em>')->save();
$this->drupalGet('taxonomy_default_argument_test/'. $this->term1->id());
$this->assertEscaped($this->term1->label());
}
}

2
core/modules/taxonomy/src/Tests/Views/TaxonomyFieldAllTermsTest.php
View File

@ -28,6 +28,7 @@ class TaxonomyFieldAllTermsTest extends TaxonomyTestBase {
* Tests the "all terms" field handler.
*/
public function testViewsHandlerAllTermsField() {
$this->term1->setName('<em>Markup</em>')->save();
$view = Views::getView('taxonomy_all_terms_test');
$this->executeView($view);
$this->drupalGet('taxonomy_all_terms_test');
@ -36,6 +37,7 @@ class TaxonomyFieldAllTermsTest extends TaxonomyTestBase {
$this->assertEqual(count($actual), 2, 'Correct number of taxonomy term1 links');
$this->assertEqual($actual[0]->__toString(), $this->term1->label());
$this->assertEqual($actual[1]->__toString(), $this->term1->label());
$this->assertEscaped($this->term1->label());
$actual = $this->xpath('//a[@href="' . $this->term2->url() . '"]');
$this->assertEqual(count($actual), 2, 'Correct number of taxonomy term2 links');

64
core/modules/taxonomy/src/Tests/Views/TaxonomyTermArgumentDepthTest.php Normal file
View File

@ -0,0 +1,64 @@
<?php
/**
* @file
* Contains \Drupal\taxonomy\Tests\Views\TaxonomyTermArgumentDepthTest.
*/
namespace Drupal\taxonomy\Tests\Views;
/**
* Tests the taxonomy term with depth argument.
*
* @group taxonomy
*/
class TaxonomyTermArgumentDepthTest extends TaxonomyTestBase {
/**
* {@inheritdoc}
*/
public static $modules = ['taxonomy', 'taxonomy_test_views', 'views', 'node'];
/**
* {@inheritdoc}
*/
public static $testViews = ['test_argument_taxonomy_index_tid_depth'];
/**
* @var \Drupal\taxonomy\TermInterface[]
*/
protected $terms = [];
/**
* @var \Drupal\views\ViewExecutable
*/
protected $view;
/**
* {@inheritdoc}
*/
public function setUp() {
parent::setUp();
// Create a term with markup in the label.
$first = $this->createTerm(['name' => '<em>First</em>']);
// Create a node w/o any terms.
$settings = ['type' => 'article'];
// Create a node with linked to the term.
$settings['field_views_testing_tags'][0]['target_id'] = $first->id();
$this->nodes[] = $this->drupalCreateNode($settings);
$this->terms[0] = $first;
}
/**
* Tests title escaping.
*/
public function testTermWithDepthArgumentTitleEscaping() {
$this->drupalGet('test_argument_taxonomy_index_tid_depth/' . $this->terms[0]->id());
$this->assertEscaped($this->terms[0]->label());
}
}

7
core/modules/taxonomy/tests/modules/taxonomy_test_views/test_views/views.view.taxonomy_default_argument_test.yml
View File

@ -163,3 +163,10 @@ display:
entity_type: taxonomy_term
entity_field: tid
rendering_language: '***LANGUAGE_entity_translation***'
page_1:
display_plugin: page
id: page_1
display_title: Page
position: null
display_options:
path: taxonomy_default_argument_test

227
core/modules/taxonomy/tests/modules/taxonomy_test_views/test_views/views.view.test_argument_taxonomy_index_tid_depth.yml Normal file
View File

@ -0,0 +1,227 @@
langcode: en
status: true
dependencies:
module:
- node
- taxonomy
- user
id: test_argument_taxonomy_index_tid_depth
label: test_argument_taxonomy_index_tid_depth
module: views
description: ''
tag: ''
base_table: node_field_data
base_field: nid
core: 8.x
display:
default:
display_plugin: default
id: default
display_title: Master
position: 0
display_options:
access:
type: perm
options:
perm: 'access content'
cache:
type: tag
options: { }
query:
type: views_query
options:
disable_sql_rewrite: false
distinct: false
replica: false
query_comment: ''
query_tags: { }
exposed_form:
type: basic
options:
submit_button: Apply
reset_button: false
reset_button_label: Reset
exposed_sorts_label: 'Sort by'
expose_sort_order: true
sort_asc_label: Asc
sort_desc_label: Desc
pager:
type: full
options:
items_per_page: 10
offset: 0
id: 0
total_pages: null
expose:
items_per_page: false
items_per_page_label: 'Items per page'
items_per_page_options: '5, 10, 25, 50'
items_per_page_options_all: false
items_per_page_options_all_label: '- All -'
offset: false
offset_label: Offset
tags:
previous: ' previous'
next: 'next '
first: '« first'
last: 'last »'
quantity: 9
style:
type: default
options:
grouping: { }
row_class: ''
default_row_class: true
uses_fields: false
row:
type: fields
options:
inline: { }
separator: ''
hide_empty: false
default_field_elements: true
fields:
title:
id: title
table: node_field_data
field: title
entity_type: node
entity_field: title
label: ''
alter:
alter_text: false
make_link: false
absolute: false
trim: false
word_boundary: false
ellipsis: false
strip_tags: false
html: false
hide_empty: false
empty_zero: false
settings:
link_to_entity: true
plugin_id: field
relationship: none
group_type: group
admin_label: ''
exclude: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: true
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_alter_empty: true
click_sort_column: value
type: string
group_column: value
group_columns: { }
group_rows: true
delta_limit: 0
delta_offset: 0
delta_reversed: false
delta_first_last: false
multi_type: separator
separator: ', '
field_api_classes: false
filters:
status:
value: true
table: node_field_data
field: status
plugin_id: boolean
entity_type: node
entity_field: status
id: status
expose:
operator: ''
group: 1
sorts:
created:
id: created
table: node_field_data
field: created
order: DESC
entity_type: node
entity_field: created
plugin_id: date
relationship: none
group_type: group
admin_label: ''
exposed: false
expose:
label: ''
granularity: second
header: { }
footer: { }
empty: { }
relationships: { }
arguments:
term_node_tid_depth:
id: term_node_tid_depth
table: node_field_data
field: term_node_tid_depth
relationship: none
group_type: group
admin_label: ''
default_action: ignore
exception:
value: all
title_enable: false
title: All
title_enable: true
title: '{{ arguments.term_node_tid_depth }}'
default_argument_type: fixed
default_argument_options:
argument: ''
default_argument_skip_url: false
summary_options:
base_path: ''
count: true
items_per_page: 25
override: false
summary:
sort_order: asc
number_of_records: 0
format: default_summary
specify_validation: false
validate:
type: none
fail: 'not found'
validate_options: { }
depth: 0
break_phrase: false
use_taxonomy_term_path: false
entity_type: node
plugin_id: taxonomy_index_tid_depth
display_extenders: { }
cache_metadata:
contexts:
- 'languages:language_content'
- 'languages:language_interface'
- url
- url.query_args
- 'user.node_grants:view'
- user.permissions
cacheable: false
page_1:
display_plugin: page
id: page_1
display_title: Page
position: 1
display_options:
display_extenders: { }
path: test_argument_taxonomy_index_tid_depth
cache_metadata:
contexts:
- 'languages:language_content'
- 'languages:language_interface'
- url
- url.query_args
- 'user.node_grants:view'
- user.permissions
cacheable: false

1
core/modules/text/src/Plugin/Field/FieldType/TextItemBase.php
View File

@ -43,7 +43,6 @@ abstract class TextItemBase extends FieldItemBase {
* {@inheritdoc}
*/
public function applyDefaultValue($notify = TRUE) {
// Default to a simple \Drupal\Component\Utility\SafeMarkup::checkPlain().
// @todo: Add in the filter default format here.
$this->setValue(array('format' => NULL), $notify);
return $this;

3
core/modules/text/src/TextProcessed.php
View File

@ -49,8 +49,7 @@ class TextProcessed extends TypedData {
$item = $this->getParent();
$text = $item->{($this->definition->getSetting('text source'))};
// Avoid running check_markup() or
// \Drupal\Component\Utility\SafeMarkup::checkPlain() on empty strings.
// Avoid running check_markup() on empty strings.
if (!isset($text) || $text === '') {
$this->processed = '';
}

3
core/modules/tracker/src/Controller/TrackerUserTab.php
View File

@ -9,7 +9,6 @@ namespace Drupal\tracker\Controller;
use Drupal\Core\Controller\ControllerBase;
use Drupal\user\UserInterface;
use Drupal\Component\Utility\SafeMarkup;
/**
* Controller for tracker.user_tab route.
@ -28,6 +27,6 @@ class TrackerUserTab extends ControllerBase {
* Title callback for the tracker.user_tab route.
*/
public function getTitle(UserInterface $user) {
return SafeMarkup::checkPlain($user->getUsername());
return $user->getUsername();
}
}

11
core/modules/tracker/src/Tests/TrackerTest.php
View File

@ -198,6 +198,17 @@ class TrackerTest extends WebTestBase {
$this->drupalPostForm('comment/1/edit', array('status' => CommentInterface::NOT_PUBLISHED), t('Save'));
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertNoText($other_published_my_comment->label(), 'Unpublished comments are not counted on the tracker listing.');
// Test escaping of title on user's tracker tab.
\Drupal::service('module_installer')->install(['user_hooks_test']);
\Drupal::state()->set('user_hooks_test_user_format_name_alter', TRUE);
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertEscaped('<em>' . $this->user->id() . '</em>');
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertNoEscaped('<em>' . $this->user->id() . '</em>');
$this->assertRaw('<em>' . $this->user->id() . '</em>');
}
/**

2
core/modules/user/src/Plugin/Condition/UserRole.php
View File

@ -33,7 +33,7 @@ class UserRole extends ConditionPluginBase {
'#type' => 'checkboxes',
'#title' => $this->t('When the user has the following roles'),
'#default_value' => $this->configuration['roles'],
'#options' => array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', user_role_names()),
'#options' => array_map('\Drupal\Component\Utility\Html::escape', user_role_names()),
'#description' => $this->t('If you select no roles, the condition will evaluate to TRUE for all users.'),
);
return parent::buildConfigurationForm($form, $form_state);

2
core/modules/user/src/Plugin/views/access/Role.php
View File

@ -97,7 +97,7 @@ class Role extends AccessPluginBase implements CacheablePluginInterface {
else {
$rids = user_role_names();
$rid = reset($this->options['role']);
return SafeMarkup::checkPlain($rids[$rid]);
return $rids[$rid];
}
}

3
core/modules/user/src/Plugin/views/field/Roles.php
View File

@ -7,7 +7,6 @@
namespace Drupal\user\Plugin\views\field;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Database\Connection;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
use Drupal\views\ViewExecutable;
@ -81,7 +80,7 @@ class Roles extends PrerenderList {
$roles = user_roles();
$result = $this->database->query('SELECT u.entity_id as uid, u.roles_target_id as rid FROM {user__roles} u WHERE u.entity_id IN ( :uids[] ) AND u.roles_target_id IN ( :rids[] )', array(':uids[]' => $uids, ':rids[]' => array_keys($roles)));
foreach ($result as $role) {
$this->items[$role->uid][$role->rid]['role'] = SafeMarkup::checkPlain($roles[$role->rid]->label());
$this->items[$role->uid][$role->rid]['role'] = $roles[$role->rid]->label();
$this->items[$role->uid][$role->rid]['rid'] = $role->rid;
}
// Sort the roles for each user by role weight.

17
core/modules/user/src/Tests/Views/HandlerFieldRoleTest.php
View File

@ -7,6 +7,7 @@
namespace Drupal\user\Tests\Views;
use Drupal\Component\Utility\Html;
use Drupal\views\Views;
use Drupal\user\Entity\User;
@ -28,7 +29,7 @@ class HandlerFieldRoleTest extends UserTestBase {
public function testRole() {
// Create a couple of roles for the view.
$rolename_a = 'a' . $this->randomMachineName(8);
$this->drupalCreateRole(array('access content'), $rolename_a, $rolename_a, 9);
$this->drupalCreateRole(array('access content'), $rolename_a, '<em>' . $rolename_a . '</em>', 9);
$rolename_b = 'b' . $this->randomMachineName(8);
$this->drupalCreateRole(array('access content'), $rolename_b, $rolename_b, 8);
@ -42,16 +43,10 @@ class HandlerFieldRoleTest extends UserTestBase {
$user->addRole($rolename_b);
$user->save();
debug(db_query('SELECT * FROM {user__roles}')->fetchAll());
$view = Views::getView('test_views_handler_field_role');
$this->executeView($view);
// The role field is populated during preRender.
$view->field['roles_target_id']->preRender($view->result);
$render = $view->field['roles_target_id']->advancedRender($view->result[0]);
$this->assertEqual($rolename_b . $rolename_a, $render, 'View test_views_handler_field_role renders role assigned to user in the correct order.');
$this->assertFalse(strpos($render, $rolename_not_assigned), 'View test_views_handler_field_role does not render a role not assigned to a user.');
$this->drupalLogin($this->createUser(['access user profiles']));
$this->drupalGet('/test-views-handler-field-role');
$this->assertText($rolename_b . Html::escape('<em>' . $rolename_a . '</em>'), 'View test_views_handler_field_role renders role assigned to user in the correct order and markup in role names is escaped.');
$this->assertNoText($rolename_not_assigned, 'View test_views_handler_field_role does not render a role not assigned to a user.');
}
}

6
core/modules/user/tests/modules/user_hooks_test/user_hooks_test.info.yml Normal file
View File

@ -0,0 +1,6 @@
name: 'User module hooks tests'
type: module
description: 'Support module for user hooks testing.'
package: Testing
version: VERSION
core: 8.x

22
core/modules/user/tests/modules/user_hooks_test/user_hooks_test.module Normal file
View File

@ -0,0 +1,22 @@
<?php
/**
* @file
* Support module for user hooks testing.
*/
use Drupal\Component\Utility\SafeMarkup;
/**
* Implements hook_user_format_name_alter().
*/
function user_hooks_test_user_format_name_alter(&$name, $account) {
if (\Drupal::state()->get('user_hooks_test_user_format_name_alter', FALSE)) {
if (\Drupal::state()->get('user_hooks_test_user_format_name_alter_safe', FALSE)) {
$name = SafeMarkup::format('<em>@uid</em>', array('@uid' => $account->id()));
}
else {
$name = '<em>' . $account->id() . '</em>';
}
}
}

8
core/modules/user/user.module
View File

@ -413,9 +413,7 @@ function user_preprocess_block(&$variables) {
* The account object for the user whose name is to be formatted.
*
* @return string
* An unsanitized string with the username to display. The code receiving
* this result must ensure that \Drupal\Component\Utility\SafeMarkup::checkPlain()
* is called on it before it is printed to the page.
* An unsanitized string with the username to display.
*
* @deprecated in Drupal 8.0.x-dev, will be removed before Drupal 9.0.0.
* Use \Drupal\Core\Session\AccountInterface::getUsername().
@ -453,9 +451,7 @@ function user_template_preprocess_default_variables_alter(&$variables) {
* - account: The user account (\Drupal\Core\Session\AccountInterface).
*
* Modules that make any changes to variables like 'name' or 'extra' must ensure
* that the final string is safe to include directly in the output by using
* \Drupal\Component\Utility\SafeMarkup::checkPlain() or
* \Drupal\Component\Utility\Xss::filter().
* that the final string is safe.
*/
function template_preprocess_username(&$variables) {
$account = $variables['account'] ?: new AnonymousUserSession();

9
core/modules/views/src/Plugin/views/HandlerBase.php
View File

@ -7,7 +7,7 @@
namespace Drupal\views\Plugin\views;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\UrlHelper;
use Drupal\Component\Utility\Xss;
@ -16,6 +16,7 @@ use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Drupal\Core\Session\AccountInterface;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
use Drupal\views\Render\ViewsRenderPipelineSafeString;
use Drupal\views\ViewExecutable;
use Drupal\Core\Database\Database;
use Drupal\views\Views;
@ -229,13 +230,13 @@ abstract class HandlerBase extends PluginBase implements ViewsHandlerInterface {
$value = Xss::filterAdmin($value);
break;
case 'url':
$value = SafeMarkup::checkPlain(UrlHelper::stripDangerousProtocols($value));
$value = Html::escape(UrlHelper::stripDangerousProtocols($value));
break;
default:
$value = SafeMarkup::checkPlain($value);
$value = Html::escape($value);
break;
}
return $value;
return ViewsRenderPipelineSafeString::create($value);
}
/**

5
core/modules/views/src/Plugin/views/PluginBase.php
View File

@ -8,7 +8,6 @@
namespace Drupal\views\Plugin\views;
use Drupal\Component\Plugin\DependentPluginInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Language\LanguageInterface;
@ -314,9 +313,9 @@ abstract class PluginBase extends ComponentPluginBase implements ContainerFactor
public function pluginTitle() {
// Short_title is optional so its defaults to an empty string.
if (!empty($this->definition['short_title'])) {
return SafeMarkup::checkPlain($this->definition['short_title']);
return $this->definition['short_title'];
}
return SafeMarkup::checkPlain($this->definition['title']);
return $this->definition['title'];
}
/**

5
core/modules/views/src/Plugin/views/ViewsHandlerInterface.php
View File

@ -72,9 +72,10 @@ interface ViewsHandlerInterface extends ViewsPluginInterface {
* @param $value
* The value being rendered.
* @param $type
* The type of sanitization needed. If not provided, SafeMarkup::checkPlain() is used.
* The type of sanitization needed. If not provided,
* \Drupal\Component\Utility\Html::escape() is used.
*
* @return string
* @return \Drupal\views\Render\ViewsRenderPipelineSafeString
* Returns the safe value.
*/
public function sanitizeValue($value, $type = NULL);

4
core/modules/views/src/Plugin/views/area/Result.php
View File

@ -7,7 +7,7 @@
namespace Drupal\views\Plugin\views\area;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Form\FormStateInterface;
use Drupal\views\Plugin\views\style\DefaultSummary;
@ -87,7 +87,7 @@ class Result extends AreaPluginBase {
// @TODO: Maybe use a possible is views empty functionality.
// Not every view has total_rows set, use view->result instead.
$total = isset($this->view->total_rows) ? $this->view->total_rows : count($this->view->result);
$label = SafeMarkup::checkPlain($this->view->storage->label());
$label = Html::escape($this->view->storage->label());
if ($per_page === 0) {
$page_count = 1;
$start = 1;

5
core/modules/views/src/Plugin/views/argument/ArgumentPluginBase.php
View File

@ -10,7 +10,6 @@ namespace Drupal\views\Plugin\views\argument;
use Drupal\Component\Plugin\DependentPluginInterface;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Drupal\views\Plugin\CacheablePluginInterface;
@ -938,7 +937,7 @@ abstract class ArgumentPluginBase extends HandlerBase implements CacheablePlugin
if (empty($value) && !empty($this->definition['empty field name'])) {
$value = $this->definition['empty field name'];
}
return SafeMarkup::checkPlain($value);
return $value;
}
/**
@ -957,7 +956,7 @@ abstract class ArgumentPluginBase extends HandlerBase implements CacheablePlugin
* This usually needs to be overridden to provide a proper title.
*/
function title() {
return SafeMarkup::checkPlain($this->argument);
return $this->argument;
}
/**

3
core/modules/views/src/Plugin/views/argument/FieldList.php
View File

@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\argument;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Field\AllowedTagsXssTrait;
use Drupal\Core\Field\FieldFilteredString;
use Drupal\Core\Form\FormStateInterface;
@ -75,7 +74,7 @@ class FieldList extends NumericArgument {
}
// else fallback to the key.
else {
return SafeMarkup::checkPlain($value);
return $value;
}
}

5
core/modules/views/src/Plugin/views/display/Attachment.php
View File

@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\display;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormStateInterface;
use Drupal\views\ViewExecutable;
@ -92,7 +91,7 @@ class Attachment extends DisplayPluginBase {
elseif (count($displays) == 1) {
$display = array_shift($displays);
if ($display = $this->view->storage->getDisplay($display)) {
$attach_to = SafeMarkup::checkPlain($display['display_title']);
$attach_to = $display['display_title'];
}
}
@ -204,7 +203,7 @@ class Attachment extends DisplayPluginBase {
'#title' => $this->t('Displays'),
'#type' => 'checkboxes',
'#description' => $this->t('Select which display or displays this should attach to.'),
'#options' => $displays,
'#options' => array_map('\Drupal\Component\Utility\Html::escape', $displays),
'#default_value' => $this->getOption('displays'),
);
break;

5
core/modules/views/src/Plugin/views/display/Feed.php
View File

@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\display;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Cache\CacheableResponse;
use Drupal\Core\Form\FormStateInterface;
@ -204,7 +203,7 @@ class Feed extends PathPluginBase implements ResponseDisplayPluginInterface {
$display = array_shift($displays);
$displays = $this->view->storage->get('display');
if (!empty($displays[$display])) {
$attach_to = SafeMarkup::checkPlain($displays[$display]['display_title']);
$attach_to = $displays[$display]['display_title'];
}
}
@ -256,7 +255,7 @@ class Feed extends PathPluginBase implements ResponseDisplayPluginInterface {
'#title' => $this->t('Displays'),
'#type' => 'checkboxes',
'#description' => $this->t('The feed icon will be available only to the selected displays.'),
'#options' => $displays,
'#options' => array_map('\Drupal\Component\Utility\Html::escape', $displays),
'#default_value' => $this->getOption('displays'),
);
break;

7
core/modules/views/src/Plugin/views/field/FieldPluginBase.php
View File

@ -1396,8 +1396,8 @@ abstract class FieldPluginBase extends HandlerBase implements FieldHandlerInterf
$path = preg_replace(['/(\%7B){2}(\%20)*/', '/(\%20)*(\%7D){2}/'], ['{{','}}'], $path);
// Use strip tags as there should never be HTML in the path.
// However, we need to preserve special characters like " that
// were removed by SafeMarkup::checkPlain().
// However, we need to preserve special characters like " that are escaped
// by \Drupal\Component\Utility\Html::escape().
$path = strip_tags(Html::decodeEntities($this->viewsTokenReplace($path, $tokens)));
if (!empty($alter['path_case']) && $alter['path_case'] != 'none' && !$alter['url']->isRouted()) {
@ -1483,8 +1483,7 @@ abstract class FieldPluginBase extends HandlerBase implements FieldHandlerInterf
$options['attributes']['rel'] = $rel;
}
// Not sure if this SafeMarkup::checkPlain() is needed here?
$target = SafeMarkup::checkPlain(trim($this->viewsTokenReplace($alter['target'], $tokens)));
$target = trim($this->viewsTokenReplace($alter['target'], $tokens));
if (!empty($target)) {
$options['attributes']['target'] = $target;
}

2
core/modules/views/src/Plugin/views/field/MachineName.php
View File

@ -83,7 +83,7 @@ class MachineName extends FieldPluginBase {
public function render(ResultRow $values) {
$value = $values->{$this->field_alias};
if (!empty($this->options['machine_name']) || !isset($this->valueOptions[$value])) {
$result = SafeMarkup::checkPlain($value);
$result = $this->sanitizeValue($value);
}
else {
$result = $this->valueOptions[$value];

13
core/modules/views/src/Plugin/views/field/PrerenderList.php
View File

@ -78,17 +78,24 @@ abstract class PrerenderList extends FieldPluginBase implements MultiItemsFieldH
public function renderItems($items) {
if (!empty($items)) {
if ($this->options['type'] == 'separator') {
return implode($this->sanitizeValue($this->options['separator'], 'xss_admin'), $items);
$render = [
'#type' => 'inline_template',
'#template' => '{{ items|safe_join(separator) }}',
'#context' => [
'items' => $items,
'separator' => $this->sanitizeValue($this->options['separator'], 'xss_admin')
]
];
}
else {
$item_list = array(
$render = array(
'#theme' => 'item_list',
'#items' => $items,
'#title' => NULL,
'#list_type' => $this->options['type'],
);
return drupal_render($item_list);
}
return drupal_render($render);
}
}

5
core/modules/views/src/Plugin/views/field/Serialized.php
View File

@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\field;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormStateInterface;
use Drupal\views\ResultRow;
@ -76,11 +75,11 @@ class Serialized extends FieldPluginBase {
$value = $values->{$this->field_alias};
if ($this->options['format'] == 'unserialized') {
return SafeMarkup::checkPlain(print_r(unserialize($value), TRUE));
return $this->sanitizeValue(print_r(unserialize($value), TRUE));
}
elseif ($this->options['format'] == 'key' && !empty($this->options['key'])) {
$value = (array) unserialize($value);
return SafeMarkup::checkPlain($value[$this->options['key']]);
return $this->sanitizeValue($value[$this->options['key']]);
}
return $value;

6
core/modules/views/src/Views.php
View File

@ -7,8 +7,6 @@
namespace Drupal\views;
use Drupal\Component\Utility\SafeMarkup;
/**
* Static service container wrapper for views.
*/
@ -398,8 +396,8 @@ class Views {
if (!isset($plugins[$key])) {
$plugins[$key] = array(
'type' => $type,
'title' => SafeMarkup::checkPlain($info[$name]['title']),
'provider' => SafeMarkup::checkPlain($info[$name]['provider']),
'title' => $info[$name]['title'],
'provider' => $info[$name]['provider'],
'views' => array(),
);
}

2
core/modules/views/tests/modules/views_test_config/test_views/views.view.test_attachment_ui.yml
View File

@ -67,7 +67,7 @@ display:
path: test_attachment_ui_feed
page_1:
display_plugin: page
display_title: Page
display_title: <em>Page</em>
display_options:
path: test_attachment_ui
id: page_1

2
core/modules/views/tests/modules/views_test_config/test_views/views.view.test_display_feed.yml
View File

@ -123,6 +123,6 @@ display:
display_options:
path: test-feed-display
display_plugin: page
display_title: Page
display_title: <em>Page</em>
id: page
position: 0

2
core/modules/views/tests/modules/views_test_config/test_views/views.view.test_style_opml.yml
View File

@ -295,7 +295,7 @@ display:
page:
display_plugin: page
id: page_1
display_title: Page
display_title: <em>Page</em>
position: 1
display_options:
path: test-opml-style

4
core/modules/views/views.module
View File

@ -67,8 +67,8 @@ function views_views_pre_render($view) {
'views_dom_id:' . $view->dom_id => array(
'view_name' => $view->storage->id(),
'view_display_id' => $view->current_display,
'view_args' => SafeMarkup::checkPlain(implode('/', $view->args)),
'view_path' => SafeMarkup::checkPlain(Url::fromRoute('<current>')->toString()),
'view_args' => Html::escape(implode('/', $view->args)),
'view_path' => Html::escape(Url::fromRoute('<current>')->toString()),
'view_base_path' => $view->getPath(),
'view_dom_id' => $view->dom_id,
// To fit multiple views on a page, the programmer may have

5
core/modules/views_ui/src/Tests/DisplayAttachmentTest.php
View File

@ -33,6 +33,8 @@ class DisplayAttachmentTest extends UITestBase {
$attachment_display_url = 'admin/structure/views/nojs/display/test_attachment_ui/attachment_1/displays';
$this->drupalGet($attachment_display_url);
// Display labels should be escaped.
$this->assertEscaped('<em>Page</em>');
foreach (array('default', 'page-1') as $display_id) {
$this->assertNoFieldChecked("edit-displays-$display_id", format_string('Make sure the @display_id can be marked as attached', array('@display_id' => $display_id)));
@ -40,6 +42,9 @@ class DisplayAttachmentTest extends UITestBase {
// Save the attachments and test the value on the view.
$this->drupalPostForm($attachment_display_url, array('displays[page_1]' => 1), t('Apply'));
// Options summary should be escaped.
$this->assertEscaped('<em>Page</em>');
$this->assertNoRaw('<em>Page</em>');
$result = $this->xpath('//a[@id = :id]', array(':id' => 'views-attachment-1-displays'));
$this->assertEqual($result[0]->attributes()->title, t('Page'));
$this->drupalPostForm(NULL, array(), t('Save'));

8
core/modules/views_ui/src/Tests/DisplayFeedTest.php
View File

@ -55,6 +55,8 @@ class DisplayFeedTest extends UITestBase {
// Check the attach TO interface.
$this->drupalGet('admin/structure/views/nojs/display/' . $view_name . '/feed_1/displays');
// Display labels should be escaped.
$this->assertEscaped('<em>Page</em>');
// Load all the options of the checkbox.
$result = $this->xpath('//div[@id="edit-displays"]/div');
@ -71,8 +73,12 @@ class DisplayFeedTest extends UITestBase {
// Post and save this and check the output.
$this->drupalPostForm('admin/structure/views/nojs/display/' . $view_name . '/feed_1/displays', array('displays[page]' => 'page'), t('Apply'));
// Options summary should be escaped.
$this->assertEscaped('<em>Page</em>');
$this->assertNoRaw('<em>Page</em>');
$this->drupalGet('admin/structure/views/view/' . $view_name . '/edit/feed_1');
$this->assertFieldByXpath('//*[@id="views-feed-1-displays"]', 'Page');
$this->assertFieldByXpath('//*[@id="views-feed-1-displays"]', '<em>Page</em>');
// Add the default display, so there should now be multiple displays.
$this->drupalPostForm('admin/structure/views/nojs/display/' . $view_name . '/feed_1/displays', array('displays[default]' => 'default'), t('Apply'));

4
core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
View File

@ -231,7 +231,7 @@ class HtmlTest extends UnitTestCase {
/**
* Data provider for testDecodeEntities().
*
* @see testCheckPlain()
* @see testDecodeEntities()
*/
public function providerDecodeEntities() {
return array(
@ -272,7 +272,7 @@ class HtmlTest extends UnitTestCase {
/**
* Data provider for testEscape().
*
* @see testCheckPlain()
* @see testEscape()
*/
public function providerEscape() {
return array(

2
core/tests/Drupal/Tests/Core/Render/RendererTest.php
View File

@ -740,7 +740,7 @@ class RendererTest extends RendererTestBase {
'child1' => ['#markup' => SafeString::create('1')],
'child2' => ['#markup' => SafeString::create('2')],
// Mark the value as safe.
'#custom_property' => SafeMarkup::checkPlain('custom_value'),
'#custom_property' => SafeString::create('custom_value'),
'#custom_property_array' => ['custom value'],
];