Commit f506915e authored by alexpott's avatar alexpott

Revert "Issue #2807705 by alexpott, dawehner, aburke626:...

Revert "Issue #2807705 by alexpott, dawehner, aburke626: FormattableMarkup::placeholderFormat() can result in unsafe replacements"

This reverts commit 8477ed5a.
parent 64f9bb95
......@@ -227,16 +227,11 @@ protected static function placeholderFormat($string, array $args) {
// We do not trigger an error for placeholder that start with an
// alphabetic character.
// @todo Change to an exception
// and always throw regardless of the first character.
if (!ctype_alpha($key[0])) {
// We trigger an error as we may want to introduce new placeholders
// in the future without breaking backward compatibility.
trigger_error('Invalid placeholder (' . $key . ') in string: ' . $string, E_USER_ERROR);
// If the placeholder is not a recognised placeholder ensure non-safe
// values are escaped.
$args[$key] = '<em class="placeholder">' . static::placeholderEscape($value) . '</em>';
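Review bot: With the last three lines of this hunk apparently on the removed side (the header shrinks the hunk from 16 to 11 lines), the default branch of placeholderFormat() no longer wraps values for unrecognised placeholder keys in `static::placeholderEscape($value)`, so an argument keyed without a `@`, `%` or `:` prefix would presumably be substituted as supplied again. The commit message gives neither a reason for the revert nor a follow-up, and the `non-standard-placeholder` data-provider case goes with it in the test hunk, leaving that path without coverage. I would at least keep a marker in the branch, e.g. `// @todo Values for unrecognised placeholders are not escaped here; callers must not pass untrusted data under such keys (see #2807705).` The switch and the replacement step lie outside the hunk, so how `$args` is consumed afterwards should be confirmed there.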
......@@ -137,7 +137,7 @@ public function testFormat($string, array $args, $expected, $message, $expected_
UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']);
$result = SafeMarkup::format($string, $args);
$this->assertEquals($expected, (string) $result, $message);
$this->assertEquals($expected, $result, $message);
$this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
foreach ($args as $arg) {
......@@ -171,8 +171,6 @@ function providerFormat() {
$tests['non-url-with-colon'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "llamas: they are not URLs"], 'Hey giraffe <a href=" they are not URLs">MUUUH</a>', '', TRUE];
$tests['non-url-with-html'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "<span>not a url</span>"], 'Hey giraffe <a href="&lt;span&gt;not a url&lt;/span&gt;">MUUUH</a>', '', TRUE];
// Tests non-standard placeholders.
$tests['non-standard-placeholder'] = ['Hey risky', ['risky' => "<script>alert('foo');</script>"], 'Hey <em class="placeholder">&lt;script&gt;alert(&#039;foo&#039;);&lt;/script&gt;</em>', '', TRUE];
return $tests;