Commit 10626d87 authored by alexpott's avatar alexpott

Issue #2567257 followup by dawehner: hook_tokens() $sanitize option...

Issue #2567257 followup by dawehner: hook_tokens() $sanitize option incompatible with Html sanitisation requirements
parent 4c867f94
......@@ -8,7 +8,7 @@
namespace Drupal\Core\Utility;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeStringInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheableDependencyInterface;
use Drupal\Core\Cache\CacheBackendInterface;
......@@ -207,7 +207,7 @@ public function replace($text, array $data = array(), array $options = array(),
// Escape the tokens, unless they are explicitly markup.
foreach ($replacements as $token => $value) {
$replacements[$token] = $value instanceof SafeStringInterface ? $value : Html::escape($value);
$replacements[$token] = SafeMarkup::isSafe($value) ? $value : Html::escape($value);
}
// Optionally alter the list of replacement values.
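Review bot: The escaping decision in the `foreach` over `$replacements` now appears to rest on `SafeMarkup::isSafe($value)` (the second of the two printed assignments, presumably the new side), and nothing here states what that check accepts. If `isSafe()` also honours plain strings marked safe elsewhere in the request, as I believe it did at this point in core, then whether a token value is escaped depends on its text rather than its type, and a value that happens to equal an already-marked string skips `Html::escape()`. I would spell the contract out above the loop, e.g. `// Only values SafeMarkup::isSafe() recognises pass through as markup; hook_tokens() implementations must return plain text for everything else, which is escaped here.`, and add a test that feeds a plain string containing markup through `replace()`. The body of `replace()` starts and ends outside the hunk.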
......
......@@ -261,7 +261,8 @@ public static function validateMaxFilesize($element, FormStateInterface $form_st
* An array of token objects to pass to token_replace().
*
* @return string
* An unsanitized file directory URI with tokens replaced.
* An unsanitized file directory URI with tokens replaced. The result of
* the token replacement is then converted to plain text and returned.
*
* @see token_replace()
*/
......@@ -272,10 +273,6 @@ public function getUploadLocation($data = array()) {
// Replace tokens. As the tokens might contain HTML we convert it to plain
// text.
$destination = PlainTextOutput::renderFromHtml(\Drupal::token()->replace($destination, $data));
// @todo Is any valid URI always safe output? If not, handle invalid URIs
// here, and certainly do not return them, see
// https://www.drupal.org/node/2578193.
return $settings['uri_scheme'] . '://' . $destination;
}
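Review bot: The value returned from `getUploadLocation()` is built from token output that has only been converted to plain text by `PlainTextOutput::renderFromHtml()`, and nothing in the new code records that the result is unvalidated. The three-line `@todo` about invalid URIs looks to be among the lines this hunk drops (old side 10 lines, new side 6). Plain-text conversion removes markup but does not constrain path content, so token values supplied through `$data` can still shape the directory part of the URI; whether callers validate it is not visible here. I would keep the caveat in the docblock, e.g. `* The URI is not validated and is not safe for HTML output; callers must escape it before printing and validate it before using it as a path.` The start of the method, where `$settings` and `$destination` are set, is outside the hunk.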
......
......@@ -8,7 +8,6 @@
namespace Drupal\tour\Plugin\tour\tip;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Utility\Token;
use Drupal\tour\TipPluginBase;
......