Unverified Commit 4105b556 authored by Alex Pott

Issue #2528284 by cilefen, dawehner, Cottser, David_Rothstein: Document that alternate Drupal 8 theme engines must implement auto-escape or they are not secure
parent d6caa271
...@@ -765,6 +765,12 @@ function hook_extension() { ...@@ -765,6 +765,12 @@ function hook_extension() {
/** /**
* Render a template using the theme engine. * Render a template using the theme engine.
* *
* It is the theme engine's responsibility to escape variables. The only
* exception is if a variable implements
* \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
* other variables are not escaped. The helper function
* theme_render_and_autoescape() may be used for this.
*
* @param string $template_file * @param string $template_file
* The path (relative to the Drupal root directory) to the template to be * The path (relative to the Drupal root directory) to the template to be
* rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'. * rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.
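Review bot: In the added docblock paragraph, "Drupal is inherently unsafe if other variables are not escaped" is too vague for a theme engine author to act on, and the wording is softer than the commit message's "must implement auto-escape". Suggest saying that the engine must escape every template variable that does not implement \Drupal\Component\Render\MarkupInterface before it is output, and naming the consequence (cross-site scripting) instead of "inherently unsafe". The last sentence, "may be used for this", leaves "this" ambiguous; say that theme_render_and_autoescape() escapes a single variable for output, and add an @see theme_render_and_autoescape() line so the helper is linked from the generated API documentation.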
......