Issue #2089351 by thedavidmeister, meba: Convert all calls to check_plain() in...

Issue #2089351 by thedavidmeister, meba: Convert all calls to check_plain() in core to Drupal\Component\Utility\String::checkPlain() in core/includes.

core/includes/bootstrap.inc

@@ -1467,7 +1467,9 @@ function watchdog_exception($type, Exception $exception, $message = NULL, $varia
 
    // Use a default value if $message is not set.
    if (empty($message)) {
-     // The exception message is run through check_plain() by _drupal_decode_exception().
+     // The exception message is run through
+     // \Drupal\Component\Utility\String::checkPlain() by
+     // _drupal_decode_exception().
      $message = '%type: !message in %function (line %line of %file).';
    }
    // $variables must be an array so that we can add the exception information.
@@ -1672,7 +1674,7 @@ function drupal_get_title() {
 
   // During a bootstrap, menu.inc is not included and thus we cannot provide a title.
   if (!isset($title) && function_exists('menu_get_active_title')) {
-    $title = check_plain(menu_get_active_title());
+    $title = String::checkPlain(menu_get_active_title());
   }
 
   return $title;
@@ -1689,7 +1691,8 @@ function drupal_get_title() {
  * @param $output
  *   Optional flag - normally should be left as Title::CHECK_PLAIN. Only set to
  *   PASS_THROUGH if you have already removed any possibly dangerous code
- *   from $title using a function like check_plain() or filter_xss(). With this
+ *   from $title using a function like
+ *   \Drupal\Component\Utility\String::checkPlain() or filter_xss(). With this
  *   flag the string will be passed through unchanged.
  *
  * @return
@@ -1699,7 +1702,7 @@ function drupal_set_title($title = NULL, $output = Title::CHECK_PLAIN) {
   $stored_title = &drupal_static(__FUNCTION__);
 
   if (isset($title)) {
-    $stored_title = ($output == PASS_THROUGH) ? $title : check_plain($title);
+    $stored_title = ($output == PASS_THROUGH) ? $title : String::checkPlain($title);
   }
 
   return $stored_title;

core/includes/common.inc

@@ -700,7 +700,7 @@ function valid_number_step($value, $step, $offset = 0.0) {
  * string, so this function can be called independently when the output needs to
  * be a plain-text string for passing to t(), l(),
  * Drupal\Core\Template\Attribute, or another function that will call
- * check_plain() separately.
+ * \Drupal\Component\Utility\String::checkPlain() separately.
  *
  * @param $uri
  *   A plain-text URI that might contain dangerous protocols.
@@ -708,8 +708,8 @@ function valid_number_step($value, $step, $offset = 0.0) {
  * @return
  *   A plain-text URI stripped of dangerous protocols. As with all plain-text
  *   strings, this return value must not be output to an HTML page without
- *   check_plain() being called on it. However, it can be passed to functions
- *   expecting plain-text strings.
+ *   \Drupal\Component\Utility\String::checkPlain() being called on it. However,
+ *   it can be passed to functions expecting plain-text strings.
  *
  * @see \Drupal\Component\Utility\Url::stripDangerousProtocols()
  */
@@ -744,7 +744,8 @@ function check_url($uri) {
  *
  * Use only for fields where it is impractical to use the
  * whole filter system, but where some (mainly inline) mark-up
- * is desired (so check_plain() is not acceptable).
+ * is desired (so \Drupal\Component\Utility\String::checkPlain() is not
+ * acceptable).
  *
  * Allows all tags that can be used inside an HTML body, save
  * for scripts and styles.
@@ -826,14 +827,14 @@ function format_rss_channel($title, $link, $description, $items, $langcode = NUL
   $langcode = $langcode ? $langcode : language(Language::TYPE_CONTENT)->id;
 
   $output = "<channel>\n";
-  $output .= ' <title>' . check_plain($title) . "</title>\n";
+  $output .= ' <title>' . String::checkPlain($title) . "</title>\n";
   $output .= ' <link>' . check_url($link) . "</link>\n";
 
   // The RSS 2.0 "spec" doesn't indicate HTML can be used in the description.
   // We strip all HTML tags, but need to prevent double encoding from properly
   // escaped source data (such as &amp becoming &amp;amp;).
-  $output .= ' <description>' . check_plain(decode_entities(strip_tags($description))) . "</description>\n";
-  $output .= ' <language>' . check_plain($langcode) . "</language>\n";
+  $output .= ' <description>' . String::checkPlain(decode_entities(strip_tags($description))) . "</description>\n";
+  $output .= ' <language>' . String::checkPlain($langcode) . "</language>\n";
   $output .= format_xml_elements($args);
   $output .= $items;
   $output .= "</channel>\n";
@@ -848,9 +849,9 @@ function format_rss_channel($title, $link, $description, $items, $langcode = NUL
  */
 function format_rss_item($title, $link, $description, $args = array()) {
   $output = "<item>\n";
-  $output .= ' <title>' . check_plain($title) . "</title>\n";
+  $output .= ' <title>' . String::checkPlain($title) . "</title>\n";
   $output .= ' <link>' . check_url($link) . "</link>\n";
-  $output .= ' <description>' . check_plain($description) . "</description>\n";
+  $output .= ' <description>' . String::checkPlain($description) . "</description>\n";
   $output .= format_xml_elements($args);
   $output .= "</item>\n";
 
@@ -882,7 +883,7 @@ function format_xml_elements($array) {
         }
 
         if (isset($value['value']) && $value['value'] != '') {
-          $output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : check_plain($value['value'])) . '</' . $value['key'] . ">\n";
+          $output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : String::checkPlain($value['value'])) . '</' . $value['key'] . ">\n";
         }
         else {
           $output .= " />\n";
@@ -890,7 +891,7 @@ function format_xml_elements($array) {
       }
     }
     else {
-      $output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : check_plain($value)) . "</$key>\n";
+      $output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : String::checkPlain($value)) . "</$key>\n";
     }
   }
   return $output;
@@ -1285,8 +1286,9 @@ function drupal_http_header_attributes(array $attributes = array()) {
  *   The internal path or external URL being linked to, such as "node/34" or
  *   "http://example.com/foo". After the url() function is called to construct
  *   the URL from $path and $options, the resulting URL is passed through
- *   check_plain() before it is inserted into the HTML anchor tag, to ensure
- *   well-formed HTML. See url() for more information and notes.
+ *   \Drupal\Component\Utility\String::checkPlain() before it is inserted into
+ *   the HTML anchor tag, to ensure well-formed HTML. See url() for more
+ *   information and notes.
  * @param array $options
  *   An associative array of additional options. Defaults to an empty array. It
  *   may contain the following elements.
@@ -1379,10 +1381,10 @@ function l($text, $path, array $options = array()) {
 
   // The result of url() is a plain-text URL. Because we are using it here
   // in an HTML argument context, we need to encode it properly.
-  $url = check_plain(url($variables['path'], $variables['options']));
+  $url = String::checkPlain(url($variables['path'], $variables['options']));
 
   // Sanitize the link text if necessary.
-  $text = $variables['options']['html'] ? $variables['text'] : check_plain($variables['text']);
+  $text = $variables['options']['html'] ? $variables['text'] : String::checkPlain($variables['text']);
 
   return '<a href="' . $url . '"' . $attributes . '>' . $text . '</a>';
 }
@@ -1481,7 +1483,7 @@ function drupal_add_html_head_link($attributes, $header = FALSE) {
 
   if ($header) {
     // Also add a HTTP header "Link:".
-    $href = '<' . check_plain($attributes['href']) . '>;';
+    $href = '<' . String::checkPlain($attributes['href']) . '>;';
     unset($attributes['href']);
     $element['#attached']['drupal_add_http_header'][] = array('Link',  $href . drupal_http_header_attributes($attributes), TRUE);
   }
@@ -4864,7 +4866,7 @@ function _drupal_flush_css_js() {
  */
 function debug($data, $label = NULL, $print_r = FALSE) {
   // Print $data contents to string.
-  $string = check_plain($print_r ? print_r($data, TRUE) : var_export($data, TRUE));
+  $string = String::checkPlain($print_r ? print_r($data, TRUE) : var_export($data, TRUE));
 
   // Display values with pre-formatting to increase readability.
   $string = '<pre>' . $string . '</pre>';

core/includes/errors.inc

@@ -5,6 +5,7 @@
  * Functions for error handling.
  */
 
+use Drupal\Component\Utility\String;
 use Symfony\Component\HttpFoundation\Response;
 
 /**
@@ -117,7 +118,7 @@ function _drupal_decode_exception($exception) {
     '%type' => get_class($exception),
     // The standard PHP exception handler considers that the exception message
     // is plain-text. We mimick this behavior here.
-    '!message' => check_plain($message),
+    '!message' => String::checkPlain($message),
     '%function' => $caller['function'],
     '%file' => $caller['file'],
     '%line' => $caller['line'],
@@ -138,7 +139,7 @@ function _drupal_decode_exception($exception) {
 function _drupal_render_exception_safe($exception) {
   $decode = _drupal_decode_exception($exception);
   unset($decode['backtrace']);
-  return check_plain(strtr('%type: !message in %function (line %line of %file).', $decode));
+  return String::checkPlain(strtr('%type: !message in %function (line %line of %file).', $decode));
 }
 
 /**

core/includes/file.inc

@@ -7,6 +7,7 @@
 
 use Drupal\Core\StreamWrapper\LocalStream;
 use Drupal\Component\PhpStorage\MTimeProtectedFastFileStorage;
+use Drupal\Component\Utility\String;
 use Drupal\Core\StreamWrapper\PublicStream;
 
 /**
@@ -561,7 +562,7 @@ function file_save_htaccess($directory, $private = TRUE) {
     drupal_chmod($htaccess_path, 0444);
   }
   else {
-    $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(check_plain($htaccess_lines)));
+    $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(String::checkPlain($htaccess_lines)));
     watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables, WATCHDOG_ERROR);
   }
 }

core/includes/form.inc

@@ -7,6 +7,7 @@
 
 use Drupal\Component\Utility\Crypt;
 use Drupal\Component\Utility\NestedArray;
+use Drupal\Component\Utility\String;
 use Drupal\Core\Form\FormInterface;
 use Drupal\Core\Form\BaseFormIdInterface;
 use Drupal\Core\Database\Database;
@@ -2824,7 +2825,7 @@ function form_select_options($element, $choices = NULL) {
       else {
         $selected = '';
       }
-      $options .= '<option value="' . check_plain($key) . '"' . $selected . '>' . check_plain($choice) . '</option>';
+      $options .= '<option value="' . String::checkPlain($key) . '"' . $selected . '>' . String::checkPlain($choice) . '</option>';
     }
   }
   return $options;
@@ -4569,7 +4570,7 @@ function theme_textarea($variables) {
   }
 
   $output = '<div' . new Attribute($wrapper_attributes) . '>';
-  $output .= '<textarea' . new Attribute($element['#attributes']) . '>' . check_plain($element['#value']) . '</textarea>';
+  $output .= '<textarea' . new Attribute($element['#attributes']) . '>' . String::checkPlain($element['#value']) . '</textarea>';
   $output .= '</div>';
   return $output;
 }
@@ -4932,9 +4933,9 @@ function _drupal_form_send_response(Response $response) {
  * Note: if the batch 'title', 'init_message', 'progress_message', or
  * 'error_message' could contain any user input, it is the responsibility of
  * the code calling batch_set() to sanitize them first with a function like
- * check_plain() or filter_xss(). Furthermore, if the batch operation
- * returns any user input in the 'results' or 'message' keys of $context,
- * it must also sanitize them first.
+ * \Drupal\Component\Utility\String::checkPlain() or filter_xss(). Furthermore,
+ * if the batch operation returns any user input in the 'results' or 'message'
+ * keys of $context, it must also sanitize them first.
  *
  * Sample batch operations:
  * @code
@@ -4958,8 +4959,8 @@ function _drupal_form_send_response(Response $response) {
  *
  *   $nodes = entity_load_multiple_by_properties('node', array('uid' => $uid, 'type' => $type));
  *   $node = reset($nodes);
- *   $context['results'][] = $node->id() . ' : ' . check_plain($node->label());
- *   $context['message'] = check_plain($node->label());
+ *   $context['results'][] = $node->id() . ' : ' . String::checkPlain($node->label());
+ *   $context['message'] = String::checkPlain($node->label());
  * }
  *
  * // A more advanced example is a multi-step operation that loads all rows,
@@ -4978,10 +4979,10 @@ function _drupal_form_send_response(Response $response) {
  *     ->range(0, $limit)
  *     ->execute();
  *   foreach ($result as $row) {
- *     $context['results'][] = $row->id . ' : ' . check_plain($row->title);
+ *     $context['results'][] = $row->id . ' : ' . String:checkPlain($row->title);
  *     $context['sandbox']['progress']++;
  *     $context['sandbox']['current_id'] = $row->id;
- *     $context['message'] = check_plain($row->title);
+ *     $context['message'] = String:checkPlain($row->title);
  *   }
  *   if ($context['sandbox']['progress'] != $context['sandbox']['max']) {
  *     $context['finished'] = $context['sandbox']['progress'] / $context['sandbox']['max'];

core/includes/menu.inc

@@ -6,6 +6,7 @@
  */
 
 use Drupal\Component\Utility\NestedArray;
+use Drupal\Component\Utility\String;
 use Drupal\Core\Cache\CacheBackendInterface;
 use Drupal\Core\Language\Language;
 use Drupal\Core\Routing\RequestHelper;
@@ -1728,10 +1729,10 @@ function theme_menu_local_task($variables) {
     // Add text to indicate active tab for non-visual users.
     $active = '<span class="visually-hidden">' . t('(active tab)') . '</span>';
 
-    // If the link does not contain HTML already, check_plain() it now.
+    // If the link does not contain HTML already, String::checkPlain() it now.
     // After we set 'html'=TRUE the link will not be sanitized by l().
     if (empty($link['localized_options']['html'])) {
-      $link['title'] = check_plain($link['title']);
+      $link['title'] = String::checkPlain($link['title']);
     }
     $link['localized_options']['html'] = TRUE;
     $link_text = t('!local-task-title!active', array('!local-task-title' => $link['title'], '!active' => $active));

core/includes/schema.inc

@@ -232,7 +232,8 @@ function drupal_install_schema($module) {
  * @return array
  *   An array of arrays with the following key/value pairs:
  *    - success: a boolean indicating whether the query succeeded.
- *    - query: the SQL query(s) executed, passed through check_plain().
+ *    - query: the SQL query(s) executed, passed through
+ *      \Drupal\Component\Utility\String::checkPlain().
  */
 function drupal_uninstall_schema($module) {
   $schema = drupal_get_schema_unprocessed($module);

core/includes/theme.inc

@@ -1616,7 +1616,8 @@ function template_preprocess_status_messages(&$variables) {
  *     - href: The link URL. If omitted, the 'title' is shown as a plain text
  *       item in the links list.
  *     - html: (optional) Whether or not 'title' is HTML. If set, the title
- *       will not be passed through check_plain().
+ *       will not be passed through
+ *       \Drupal\Component\Utility\String::checkPlain().
  *     - attributes: (optional) Attributes for the anchor, or for the <span>
  *       tag used in its place if no 'href' is supplied. If element 'class' is
  *       included, it must be an array of one or more class names.
@@ -1666,7 +1667,7 @@ function theme_links($variables) {
       }
 
       $output .= '<' . $heading['level'] . new Attribute($heading['attributes']) . '>';
-      $output .= check_plain($heading['text']);
+      $output .= String::checkPlain($heading['text']);
       $output .= '</' . $heading['level'] . '>';
     }
 
@@ -1721,7 +1722,7 @@ function theme_links($variables) {
         $link += array(
           'html' => FALSE,
         );
-        $item = ($link['html'] ? $link['title'] : check_plain($link['title']));
+        $item = ($link['html'] ? $link['title'] : String::checkPlain($link['title']));
         if (isset($link['attributes'])) {
           $item = '<span' . new Attribute($link['attributes']) . '>' . $item . '</span>';
         }
@@ -2567,11 +2568,11 @@ function template_preprocess_html(&$variables) {
   elseif (drupal_get_title()) {
     $head_title = array(
       'title' => strip_tags(drupal_get_title()),
-      'name' => check_plain($site_config->get('name')),
+      'name' => String::checkPlain($site_config->get('name')),
     );
   }
   else {
-    $head_title = array('name' => check_plain($site_config->get('name')));
+    $head_title = array('name' => String::checkPlain($site_config->get('name')));
     if ($site_config->get('slogan')) {
       $head_title['slogan'] = strip_tags(filter_xss_admin($site_config->get('slogan')));
     }
@@ -2679,7 +2680,7 @@ function template_preprocess_page(&$variables) {
   $variables['main_menu']         = theme_get_setting('features.main_menu') ? menu_main_menu() : array();
   $variables['secondary_menu']    = theme_get_setting('features.secondary_menu') ? menu_secondary_menu() : array();
   $variables['action_links']      = menu_get_local_actions();
-  $variables['site_name']         = (theme_get_setting('features.name') ? check_plain($site_config->get('name')) : '');
+  $variables['site_name']         = (theme_get_setting('features.name') ? String::checkPlain($site_config->get('name')) : '');
   $variables['site_slogan']       = (theme_get_setting('features.slogan') ? filter_xss_admin($site_config->get('slogan')) : '');
   $variables['tabs']              = menu_local_tabs();
 
@@ -2873,7 +2874,7 @@ function template_preprocess_maintenance_page(&$variables) {
     );
   }
   else {
-    $head_title = array('name' => check_plain($site_name));
+    $head_title = array('name' => String::checkPlain($site_name));
     if ($site_slogan) {
       $head_title['slogan'] = strip_tags(filter_xss_admin($site_slogan));
     }
@@ -2907,7 +2908,7 @@ function template_preprocess_maintenance_page(&$variables) {
   $variables['messages']          = $variables['show_messages'] ? theme('status_messages') : '';
   $variables['main_menu']         = array();
   $variables['secondary_menu']    = array();
-  $variables['site_name']         = (theme_get_setting('features.name') ? check_plain($site_name) : '');
+  $variables['site_name']         = (theme_get_setting('features.name') ? String::checkPlain($site_name) : '');
   $variables['site_slogan']       = (theme_get_setting('features.slogan') ? filter_xss_admin($site_slogan) : '');
   $variables['tabs']              = '';
 

core/includes/update.inc

@@ -10,6 +10,7 @@
 
 use Drupal\Component\Graph\Graph;
 use Drupal\Component\Utility\Settings;
+use Drupal\Component\Utility\String;
 use Drupal\Core\Config\FileStorage;
 use Drupal\Core\Config\ConfigException;
 use Drupal\Core\DrupalKernel;
@@ -813,7 +814,9 @@ function update_do_one($module, $number, $dependency_map, &$context) {
       require_once __DIR__ . '/errors.inc';
       $variables = _drupal_decode_exception($e);
       unset($variables['backtrace']);
-      // The exception message is run through check_plain() by _drupal_decode_exception().
+      // The exception message is run through
+      // \Drupal\Component\Utility\String::checkPlain() by
+      // _drupal_decode_exception().
       $ret['#abort'] = array('success' => FALSE, 'query' => t('%type: !message in %function (line %line of %file).', $variables));
     }
   }
@@ -841,7 +844,7 @@ function update_do_one($module, $number, $dependency_map, &$context) {
     drupal_set_installed_schema_version($module, $number);
   }
 
-  $context['message'] = 'Updating ' . check_plain($module) . ' module';
+  $context['message'] = 'Updating ' . String::checkPlain($module) . ' module';
 }
 
 /**