Commit cc2d495f authored by moshe weitzman's avatar moshe weitzman

Improve output for Dumpers

parent 8ec61f91
......@@ -2,8 +2,8 @@
namespace Drupal\devel;
use Drupal\Core\Render\Markup;
use Drupal\Core\Plugin\PluginBase;
use Drupal\devel\Render\FilteredMarkup;
/**
* Defines a base devel dumper implementation.
......@@ -39,7 +39,7 @@ abstract class DevelDumperBase extends PluginBase implements DevelDumperInterfac
* The unaltered input value.
*/
protected function setSafeMarkup($input) {
return Markup::create($input);
return FilteredMarkup::create($input);
}
}
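Review bot: `setSafeMarkup()` still wraps its argument unchanged, so after this change the safety of the returned object rests entirely on each caller filtering first, and neither the method name nor the visible docblock fragment (`The unaltered input value.`) says so. I would add a sentence to the docblock such as `The caller must filter or escape $input before calling this method; no filtering is performed here.` Dumper plugins outside this commit that pass raw output to this method are not visible here and are worth checking. The docblock begins outside the hunk.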
......@@ -3,6 +3,7 @@
namespace Drupal\devel\Plugin\Devel\Dumper;
use Doctrine\Common\Util\Debug;
use Drupal\Component\Utility\Xss;
use Drupal\devel\DevelDumperBase;
/**
......@@ -28,6 +29,10 @@ class DoctrineDebug extends DevelDumperBase {
$dump = ob_get_contents();
ob_end_clean();
// Run Xss::filterAdmin on the resulting string to prevent
// cross-site-scripting (XSS) vulnerabilities.
$dump = Xss::filterAdmin($dump);
$dump = '<pre>' . $name . $dump . '</pre>';
return $this->setSafeMarkup($dump);
......
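Review bot: `$name` is concatenated into the `<pre>` string after `Xss::filterAdmin()` has run, so only `$dump` is filtered and the label reaches `setSafeMarkup()` unfiltered. If a caller can pass a name derived from user-controlled data, that value is then marked safe and skips render-time escaping. Filtering the assembled string, or the label on its own before concatenation, closes the gap, e.g. `$dump = '<pre>' . Xss::filterAdmin($name . $dump) . '</pre>';`. The same pattern appears in `DrupalVariable::export()`. The enclosing method starts outside this hunk, so how `$name` is built here is not visible.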
......@@ -3,6 +3,7 @@
namespace Drupal\devel\Plugin\Devel\Dumper;
use Drupal\Component\Utility\Variable;
use Drupal\Component\Utility\Xss;
use Drupal\devel\DevelDumperBase;
/**
......@@ -21,7 +22,11 @@ class DrupalVariable extends DevelDumperBase {
*/
public function export($input, $name = NULL) {
$name = $name ? $name . ' => ' : '';
$dump = '<pre>' . $name . Variable::export($input) . '</pre>';
$dump = Variable::export($input);
// Run Xss::filterAdmin on the resulting string to prevent
// cross-site-scripting (XSS) vulnerabilities.
$dump = Xss::filterAdmin($dump);
$dump = '<pre>' . $name . $dump . '</pre>';
return $this->setSafeMarkup($dump);
}
......
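Review bot: `Xss::filterAdmin()` is an HTML filter, not an encoder, so in `export()` any markup inside the exported value that the filter allows is rendered by the browser instead of being shown as text, and disallowed tags are silently dropped from the dump. Since `Variable::export()` appears to return a plain-text representation, encoding for the HTML context would keep the output both inert and faithful, e.g. `$dump = Html::escape(Variable::export($input));` with `use Drupal\Component\Utility\Html;`. If allowing markup in the dump is intentional, a comment saying so would help the next reader.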
<?php
namespace Drupal\devel\Render;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Render\MarkupTrait;
/**
* Defines an object that passes safe strings through the Devel system.
*
* This object should only be constructed with a known safe string. If there is
* any risk that the string contains user-entered data that has not been
* filtered first, it must not be used.
*
* @internal
* This object is marked as internal because it should only be used in the
* Devel module.
* @see \Drupal\Core\Render\Markup
*/
final class FilteredMarkup implements MarkupInterface, \Countable {
use MarkupTrait;
}
\ No newline at end of file
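Review bot: The new file ends without a trailing newline (`\ No newline at end of file`); add one so later diffs of this file stay clean. The name `FilteredMarkup` can also be read as "this class filters", so the class docblock could add one line such as `This class performs no filtering itself.`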