Issue #2525908 by alexpott, cilefen: HtmlTag render element's prefix and...

Issue #2525908 by alexpott, cilefen: HtmlTag render element's prefix and suffix can be marked safe when they are not

core/lib/Drupal/Core/Render/Element/HtmlTag.php

@@ -174,8 +174,14 @@ public static function preRenderConditionalComments($element) {
 
     // Ensure what we are dealing with is safe.
     // This would be done later anyway in drupal_render().
-    $prefix = isset($elements['#prefix']) ? Xss::filterAdmin($elements['#prefix']) : '';
-    $suffix = isset($elements['#suffix']) ? Xss::filterAdmin($elements['#suffix']) : '';
+    $prefix = isset($element['#prefix']) ? $element['#prefix'] : '';
+    if ($prefix && !SafeMarkup::isSafe($prefix)) {
+      $prefix = Xss::filterAdmin($prefix);
+    }
+    $suffix = isset($element['#suffix']) ? $element['#suffix'] : '';
+    if ($suffix && !SafeMarkup::isSafe($suffix)) {
+      $suffix = Xss::filterAdmin($suffix);
+    }
 
     // Now calling SafeMarkup::set is safe, because we ensured the
     // data coming in was at least admin escaped.

core/tests/Drupal/Tests/Core/Render/Element/HtmlTagTest.php

@@ -7,6 +7,7 @@
 
 namespace Drupal\Tests\Core\Render\Element;
 
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Tests\UnitTestCase;
 use Drupal\Core\Render\Element\HtmlTag;
 
@@ -84,7 +85,11 @@ public function providerPreRenderHtmlTag() {
    * @covers ::preRenderConditionalComments
    * @dataProvider providerPreRenderConditionalComments
    */
-  public function testPreRenderConditionalComments($element, $expected) {
+  public function testPreRenderConditionalComments($element, $expected, $set_safe = FALSE) {
+    if ($set_safe) {
+      SafeMarkup::set($element['#prefix']);
+      SafeMarkup::set($element['#suffix']);
+    }
     $this->assertSame($expected, HtmlTag::preRenderConditionalComments($element));
   }
 
@@ -142,6 +147,26 @@ public function providerPreRenderConditionalComments() {
     $expected['#suffix'] = "<!--<![endif]-->\n";
     $tags[] = array($element, $expected);
 
+    // Prefix and suffix filtering if not safe.
+    $element = array(
+      '#tag' => 'link',
+      '#browsers' => array(
+        'IE' => FALSE,
+      ),
+      '#prefix' => '<blink>prefix</blink>',
+      '#suffix' => '<blink>suffix</blink>',
+    );
+    $expected = $element;
+    $expected['#prefix'] = "\n<!--[if !IE]><!-->\nprefix";
+    $expected['#suffix'] = "suffix<!--<![endif]-->\n";
+    $tags[] = array($element, $expected);
+
+    // Prefix and suffix filtering if marked as safe. This has to come after the
+    // previous test case.
+    $expected['#prefix'] = "\n<!--[if !IE]><!-->\n<blink>prefix</blink>";
+    $expected['#suffix'] = "<blink>suffix</blink><!--<![endif]-->\n";
+    $tags[] = array($element, $expected, TRUE);
+
     return $tags;
   }