Commit 10626d87 authored by Alex Pott

Issue #2567257 followup by dawehner: hook_tokens() $sanitize option...

Issue #2567257 followup by dawehner: hook_tokens() $sanitize option incompatible with Html sanitisation requirements
parent 4c867f94
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
namespace Drupal\Core\Utility; namespace Drupal\Core\Utility;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeStringInterface; use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache; use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheableDependencyInterface; use Drupal\Core\Cache\CacheableDependencyInterface;
use Drupal\Core\Cache\CacheBackendInterface; use Drupal\Core\Cache\CacheBackendInterface;
...@@ -207,7 +207,7 @@ public function replace($text, array $data = array(), array $options = array(), ...@@ -207,7 +207,7 @@ public function replace($text, array $data = array(), array $options = array(),
// Escape the tokens, unless they are explicitly markup. // Escape the tokens, unless they are explicitly markup.
foreach ($replacements as $token => $value) { foreach ($replacements as $token => $value) {
$replacements[$token] = $value instanceof SafeStringInterface ? $value : Html::escape($value); $replacements[$token] = SafeMarkup::isSafe($value) ? $value : Html::escape($value);
} }
// Optionally alter the list of replacement values. // Optionally alter the list of replacement values.
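Review bot: The escaping loop in this hunk runs before the replacement list is altered (the `// Optionally alter the list of replacement values.` comment follows it), so any value an alter hook such as hook_tokens_alter() adds or rewrites never goes through `Html::escape()`; the hunk does not show whether the alter path escapes on its own. Either move the loop after the alter call, or state the contract in the comment above the loop: `// Escape the tokens, unless they are explicitly markup. Values added or changed by the alter hook below are the hook's responsibility.` Which of the two variants of the assignment in the foreach is the new side is not recoverable from the rendered text, but both sit before the alter step. replace() begins and ends outside the hunk.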
...@@ -261,7 +261,8 @@ public static function validateMaxFilesize($element, FormStateInterface $form_st ...@@ -261,7 +261,8 @@ public static function validateMaxFilesize($element, FormStateInterface $form_st
* An array of token objects to pass to token_replace(). * An array of token objects to pass to token_replace().
* *
* @return string * @return string
* An unsanitized file directory URI with tokens replaced. * An unsanitized file directory URI with tokens replaced. The result of
* the token replacement is then converted to plain text and returned.
* *
* @see token_replace() * @see token_replace()
*/ */
...@@ -272,10 +273,6 @@ public function getUploadLocation($data = array()) { ...@@ -272,10 +273,6 @@ public function getUploadLocation($data = array()) {
// Replace tokens. As the tokens might contain HTML we convert it to plain // Replace tokens. As the tokens might contain HTML we convert it to plain
// text. // text.
$destination = PlainTextOutput::renderFromHtml(\Drupal::token()->replace($destination, $data)); $destination = PlainTextOutput::renderFromHtml(\Drupal::token()->replace($destination, $data));
// @todo Is any valid URI always safe output? If not, handle invalid URIs
// here, and certainly do not return them, see
// https://www.drupal.org/node/2578193.
return $settings['uri_scheme'] . '://' . $destination; return $settings['uri_scheme'] . '://' . $destination;
} }
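Review bot: The new docblock sentence in the first hunk says the token-replaced result is converted to plain text, yet the `@return` description above it still calls the value "An unsanitized file directory URI", which now reads as a contradiction; `An unsanitized file directory URI with tokens replaced.` could become `A file directory URI with tokens replaced and the replacement result rendered as plain text; the URI itself is not validated.` The second hunk removes the `@todo` about invalid URIs without adding any check on `$destination`, so if that question was settled elsewhere a `@see https://www.drupal.org/node/2578193` in the docblock would keep the pointer. getUploadLocation() begins outside the second hunk.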
...@@ -8,7 +8,6 @@ ...@@ -8,7 +8,6 @@
namespace Drupal\tour\Plugin\tour\tip; namespace Drupal\tour\Plugin\tour\tip;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Utility\Token; use Drupal\Core\Utility\Token;
use Drupal\tour\TipPluginBase; use Drupal\tour\TipPluginBase;