Issue #3521327 by avpaderno: The insecure examples code does not include delimiters for strings

b4332a51 · catch · cb9453f1 · b4332a51
Commit b4332a51 authored 2 weeks ago by catch
--- a/core/lib/Drupal/Component/Render/FormattableMarkup.php
+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -124,10 +124,10 @@ public function jsonSerialize(): string {
   * Insecure examples.
   * @code
   * // The following are using the @ placeholder inside an HTML tag.
-   * $this->placeholderFormat('<@foo>text</@foo>, ['@foo' => $some_variable]);
-   * $this->placeholderFormat('<a @foo>link text</a>, ['@foo' => $some_variable]);
-   * $this->placeholderFormat('<a href="@foo">link text</a>, ['@foo' => $some_variable]);
-   * $this->placeholderFormat('<a title="@foo">link text</a>, ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<@foo>text</@foo>', ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<a @foo>link text</a>', ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<a href="@foo">link text</a>', ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<a title="@foo">link text</a>', ['@foo' => $some_variable]);
   * // Implicitly convert an object to a string, which is not sanitized.
   * $this->placeholderFormat('Non-sanitized replacement value: @foo', ['@foo' => $safe_string_interface_object]);
   * @endcode