Issue #2567257 followup by dawehner: hook_tokens() $sanitize option...

Issue #2567257 followup by dawehner: hook_tokens() $sanitize option incompatible with Html sanitisation requirements

Issue #2567257 followup by dawehner: hook_tokens() $sanitize option...
Issue #2567257 followup by dawehner: hook_tokens() $sanitize option incompatible with Html sanitisation requirements
10626d87 · alexpott · 4c867f94 · 10626d87 · 10626d87 · 10626d87
Commit 10626d87 authored Oct 01, 2015 by alexpott
3 changed files
--- a/core/lib/Drupal/Core/Utility/Token.php
+++ b/core/lib/Drupal/Core/Utility/Token.php
@@ -8,7 +8,7 @@
 namespace Drupal\Core\Utility;

 use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\SafeStringInterface;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Cache\CacheableDependencyInterface;
 use Drupal\Core\Cache\CacheBackendInterface;
@@ -207,7 +207,7 @@ public function replace($text, array $data = array(), array $options = array(),

    // Escape the tokens, unless they are explicitly markup.
    foreach ($replacements as $token => $value) {
-      $replacements[$token] = $value instanceof SafeStringInterface ? $value : Html::escape($value);
+      $replacements[$token] = SafeMarkup::isSafe($value) ? $value : Html::escape($value);
    }

    // Optionally alter the list of replacement values.

--- a/core/modules/file/src/Plugin/Field/FieldType/FileItem.php
+++ b/core/modules/file/src/Plugin/Field/FieldType/FileItem.php
@@ -261,7 +261,8 @@ public static function validateMaxFilesize($element, FormStateInterface $form_st
   *   An array of token objects to pass to token_replace().
   *
   * @return string
-   *   An unsanitized file directory URI with tokens replaced.
+   *   An unsanitized file directory URI with tokens replaced. The result of
+   *   the token replacement is then converted to plain text and returned.
   *
   * @see token_replace()
   */
@@ -272,10 +273,6 @@ public function getUploadLocation($data = array()) {
    // Replace tokens. As the tokens might contain HTML we convert it to plain
    // text.
    $destination = PlainTextOutput::renderFromHtml(\Drupal::token()->replace($destination, $data));
-
-    // @todo Is any valid URI always safe output? If not, handle invalid URIs
-    //   here, and certainly do not return them, see
-    //   https://www.drupal.org/node/2578193.
    return $settings['uri_scheme'] . '://' . $destination;
  }


--- a/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php
+++ b/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php
@@ -8,7 +8,6 @@
 namespace Drupal\tour\Plugin\tour\tip;

 use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\Xss;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Utility\Token;
 use Drupal\tour\TipPluginBase;