Issue #2505701 by pwolanin, YesCT, akalata: Document SafeMarkup::set and Use htmlspecialchars() directly in Attribute() so we don't bloat the list of safe strings
xjm
parent
2916dc8f43
commit
fd671837e0
|
|
@ -40,7 +40,7 @@ use Drupal\Component\Utility\SafeMarkup;
|
|||
* @endcode
|
||||
*
|
||||
* The attribute keys and values are automatically sanitized for output with
|
||||
* \Drupal\Component\Utility\SafeMarkup::checkPlain().
|
||||
* htmlspecialchars() and the entire attribute string is marked safe for output.
|
||||
*/
|
||||
class Attribute implements \ArrayAccess, \IteratorAggregate {
|
||||
|
||||
|
|
@ -252,12 +252,16 @@ class Attribute implements \ArrayAccess, \IteratorAggregate {
|
|||
*/
|
||||
public function __toString() {
|
||||
$return = '';
|
||||
/** @var \Drupal\Core\Template\AttributeValueBase $value */
|
||||
foreach ($this->storage as $name => $value) {
|
||||
$rendered = $value->render();
|
||||
if ($rendered) {
|
||||
$return .= ' ' . $rendered;
|
||||
}
|
||||
}
|
||||
// The implementations of AttributeValueBase::render() call
|
||||
// htmlspecialchars() on the attribute name and value so we are confident
|
||||
// that the return value can be set as safe.
|
||||
return SafeMarkup::set($return);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@
|
|||
|
||||
namespace Drupal\Core\Template;
|
||||
|
||||
use Drupal\Component\Utility\SafeMarkup;
|
||||
|
||||
/**
|
||||
* A class that defines a type of Attribute that can be added to as an array.
|
||||
*
|
||||
|
|
@ -76,7 +74,7 @@ class AttributeArray extends AttributeValueBase implements \ArrayAccess, \Iterat
|
|||
public function __toString() {
|
||||
// Filter out any empty values before printing.
|
||||
$this->value = array_unique(array_filter($this->value));
|
||||
return SafeMarkup::checkPlain(implode(' ', $this->value));
|
||||
return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@
|
|||
|
||||
namespace Drupal\Core\Template;
|
||||
|
||||
use Drupal\Component\Utility\SafeMarkup;
|
||||
|
||||
/**
|
||||
* A class that defines a type of boolean HTML attribute.
|
||||
*
|
||||
|
|
@ -42,7 +40,7 @@ class AttributeBoolean extends AttributeValueBase {
|
|||
* Implements the magic __toString() method.
|
||||
*/
|
||||
public function __toString() {
|
||||
return $this->value === FALSE ? '' : SafeMarkup::checkPlain($this->name);
|
||||
return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@
|
|||
|
||||
namespace Drupal\Core\Template;
|
||||
|
||||
use Drupal\Component\Utility\SafeMarkup;
|
||||
|
||||
/**
|
||||
* A class that represents most standard HTML attributes.
|
||||
*
|
||||
|
|
@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase {
|
|||
* Implements the magic __toString() method.
|
||||
*/
|
||||
public function __toString() {
|
||||
return SafeMarkup::checkPlain($this->value);
|
||||
return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@
|
|||
|
||||
namespace Drupal\Core\Template;
|
||||
|
||||
use Drupal\Component\Utility\SafeMarkup;
|
||||
|
||||
/**
|
||||
* Defines the base class for an attribute type.
|
||||
*
|
||||
|
|
@ -57,7 +55,7 @@ abstract class AttributeValueBase {
|
|||
public function render() {
|
||||
$value = (string) $this;
|
||||
if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
|
||||
return SafeMarkup::checkPlain($this->name) . '="' . $value . '"';
|
||||
return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue