Issue #2505701 by pwolanin, YesCT, akalata: Document SafeMarkup::set and Use htmlspecialchars() directly in Attribute() so we don't bloat the list of safe strings
parent
2916dc8f43
commit
fd671837e0
|
@ -40,7 +40,7 @@ use Drupal\Component\Utility\SafeMarkup;
|
||||||
* @endcode
|
* @endcode
|
||||||
*
|
*
|
||||||
* The attribute keys and values are automatically sanitized for output with
|
* The attribute keys and values are automatically sanitized for output with
|
||||||
* \Drupal\Component\Utility\SafeMarkup::checkPlain().
|
* htmlspecialchars() and the entire attribute string is marked safe for output.
|
||||||
*/
|
*/
|
||||||
class Attribute implements \ArrayAccess, \IteratorAggregate {
|
class Attribute implements \ArrayAccess, \IteratorAggregate {
|
||||||
|
|
||||||
|
@ -252,12 +252,16 @@ class Attribute implements \ArrayAccess, \IteratorAggregate {
|
||||||
*/
|
*/
|
||||||
public function __toString() {
|
public function __toString() {
|
||||||
$return = '';
|
$return = '';
|
||||||
|
/** @var \Drupal\Core\Template\AttributeValueBase $value */
|
||||||
foreach ($this->storage as $name => $value) {
|
foreach ($this->storage as $name => $value) {
|
||||||
$rendered = $value->render();
|
$rendered = $value->render();
|
||||||
if ($rendered) {
|
if ($rendered) {
|
||||||
$return .= ' ' . $rendered;
|
$return .= ' ' . $rendered;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// The implementations of AttributeValueBase::render() call
|
||||||
|
// htmlspecialchars() on the attribute name and value so we are confident
|
||||||
|
// that the return value can be set as safe.
|
||||||
return SafeMarkup::set($return);
|
return SafeMarkup::set($return);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
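Review bot: `SafeMarkup::set($return)` at the end of `Attribute::__toString()` asserts that every concatenated `render()` result is already escaped, but nothing on `AttributeValueBase` states that contract: the base `render()` (last section of this commit) escapes only `$this->name` and splices in `(string) $this`, which each subclass's `__toString()` produces. Any subclass whose `__toString()` skips `htmlspecialchars()` would therefore have its output marked safe here without warning. Suggest documenting the requirement on the abstract class, e.g. above `render()`: `* Subclasses must return HTML-escaped text from __toString(); Attribute::__toString() marks the concatenated render() output as safe markup.` The three-line comment added in this hunk could then point to that documented contract rather than asserting confidence in every implementation.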
@ -7,8 +7,6 @@
|
||||||
|
|
||||||
namespace Drupal\Core\Template;
|
namespace Drupal\Core\Template;
|
||||||
|
|
||||||
use Drupal\Component\Utility\SafeMarkup;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A class that defines a type of Attribute that can be added to as an array.
|
* A class that defines a type of Attribute that can be added to as an array.
|
||||||
*
|
*
|
||||||
|
@ -76,7 +74,7 @@ class AttributeArray extends AttributeValueBase implements \ArrayAccess, \Iterat
|
||||||
public function __toString() {
|
public function __toString() {
|
||||||
// Filter out any empty values before printing.
|
// Filter out any empty values before printing.
|
||||||
$this->value = array_unique(array_filter($this->value));
|
$this->value = array_unique(array_filter($this->value));
|
||||||
return SafeMarkup::checkPlain(implode(' ', $this->value));
|
return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
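Review bot: The three-argument `htmlspecialchars($x, ENT_QUOTES, 'UTF-8')` call introduced in `AttributeArray::__toString()` is repeated verbatim in `AttributeBoolean::__toString()`, `AttributeString::__toString()` and `AttributeValueBase::render()` below, so the escaping flags now live in four places where `SafeMarkup::checkPlain()` previously kept them in one. A single `protected static function escape($text)` on `AttributeValueBase`, or an existing core helper if one already wraps this call, would keep the flags aligned. Its docblock should also record that without `ENT_SUBSTITUTE`, `htmlspecialchars()` returns `''` for input that is not valid UTF-8, so a malformed class list renders as an empty attribute value rather than as partially escaped text; that is the conservative outcome, but callers should know about it. Unrelated to this commit, the callback-less `array_filter()` on the preceding line also drops a class literally named `'0'`.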
@ -7,8 +7,6 @@
|
||||||
|
|
||||||
namespace Drupal\Core\Template;
|
namespace Drupal\Core\Template;
|
||||||
|
|
||||||
use Drupal\Component\Utility\SafeMarkup;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A class that defines a type of boolean HTML attribute.
|
* A class that defines a type of boolean HTML attribute.
|
||||||
*
|
*
|
||||||
|
@ -42,7 +40,7 @@ class AttributeBoolean extends AttributeValueBase {
|
||||||
* Implements the magic __toString() method.
|
* Implements the magic __toString() method.
|
||||||
*/
|
*/
|
||||||
public function __toString() {
|
public function __toString() {
|
||||||
return $this->value === FALSE ? '' : SafeMarkup::checkPlain($this->name);
|
return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,8 +7,6 @@
|
||||||
|
|
||||||
namespace Drupal\Core\Template;
|
namespace Drupal\Core\Template;
|
||||||
|
|
||||||
use Drupal\Component\Utility\SafeMarkup;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A class that represents most standard HTML attributes.
|
* A class that represents most standard HTML attributes.
|
||||||
*
|
*
|
||||||
|
@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase {
|
||||||
* Implements the magic __toString() method.
|
* Implements the magic __toString() method.
|
||||||
*/
|
*/
|
||||||
public function __toString() {
|
public function __toString() {
|
||||||
return SafeMarkup::checkPlain($this->value);
|
return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,8 +7,6 @@
|
||||||
|
|
||||||
namespace Drupal\Core\Template;
|
namespace Drupal\Core\Template;
|
||||||
|
|
||||||
use Drupal\Component\Utility\SafeMarkup;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Defines the base class for an attribute type.
|
* Defines the base class for an attribute type.
|
||||||
*
|
*
|
||||||
|
@ -57,7 +55,7 @@ abstract class AttributeValueBase {
|
||||||
public function render() {
|
public function render() {
|
||||||
$value = (string) $this;
|
$value = (string) $this;
|
||||||
if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
|
if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
|
||||||
return SafeMarkup::checkPlain($this->name) . '="' . $value . '"';
|
return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
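Review bot: The condition `isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)` in `render()` relies on `&&` binding tighter than `||`, and since this is the line that decides whether the escaped `name="..."` pair is emitted at all, the grouping should be explicit: `if ((isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE) || !empty($value)) {`. Note also that `!empty($value)` is false for the string `'0'`, so a subclass with `RENDER_EMPTY_ATTRIBUTE` disabled silently drops an attribute whose escaped value is exactly `0`; if that is intended a short comment saying so would help, otherwise `$value !== ''` is the stricter test. The method returns `NULL` implicitly when the condition fails, which `Attribute::__toString()` tolerates via `if ($rendered)`; a `@return string|null` on the docblock (outside this hunk) would make that explicit.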