From fd671837e052eb8c5fc0eecde76ad59ace90de6e Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Sun, 14 Jun 2015 15:54:42 -0500
Subject: [PATCH] Issue #2505701 by pwolanin, YesCT, akalata: Document
 SafeMarkup::set and Use htmlspecialchars() directly in Attribute() so we
 don't bloat the list of safe strings

---
 core/lib/Drupal/Core/Template/Attribute.php          | 6 +++++-
 core/lib/Drupal/Core/Template/AttributeArray.php     | 4 +---
 core/lib/Drupal/Core/Template/AttributeBoolean.php   | 4 +---
 core/lib/Drupal/Core/Template/AttributeString.php    | 4 +---
 core/lib/Drupal/Core/Template/AttributeValueBase.php | 4 +---
 5 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/core/lib/Drupal/Core/Template/Attribute.php b/core/lib/Drupal/Core/Template/Attribute.php
index 3ea18b1f329c..ad4e1b1ecea8 100644
--- a/core/lib/Drupal/Core/Template/Attribute.php
+++ b/core/lib/Drupal/Core/Template/Attribute.php
@@ -40,7 +40,7 @@
  * @endcode
  *
  * The attribute keys and values are automatically sanitized for output with
- * \Drupal\Component\Utility\SafeMarkup::checkPlain().
+ * htmlspecialchars() and the entire attribute string is marked safe for output.
  */
 class Attribute implements \ArrayAccess, \IteratorAggregate {
 
@@ -252,12 +252,16 @@ public function hasClass($class) {
    */
   public function __toString() {
     $return = '';
+    /** @var \Drupal\Core\Template\AttributeValueBase $value */
     foreach ($this->storage as $name => $value) {
       $rendered = $value->render();
       if ($rendered) {
         $return .= ' ' . $rendered;
       }
     }
+    // The implementations of AttributeValueBase::render() call
+    // htmlspecialchars() on the attribute name and value so we are confident
+    // that the return value can be set as safe.
     return SafeMarkup::set($return);
   }
 
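Review bot: The new comment above `return SafeMarkup::set($return);` credits "the implementations of AttributeValueBase::render()" with escaping name and value, but in this patch render() is defined once in AttributeValueBase and escapes only the attribute name; the value is escaped by each subclass's __toString(), reached through the `(string) $this` cast inside render(). Suggest `// AttributeValueBase::render() escapes the attribute name with htmlspecialchars() and each AttributeValueBase subclass escapes its value in __toString(), so the concatenated string can be marked safe.`, which makes explicit that the safety claim depends on every subclass escaping in __toString(). The added `@var` hint documents `$value`, while `$name` is bound in the foreach and never read; `foreach ($this->storage as $value)` would match the hint and drop the unused variable.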
diff --git a/core/lib/Drupal/Core/Template/AttributeArray.php b/core/lib/Drupal/Core/Template/AttributeArray.php
index 4cdd9323fa6a..cc3897f9b8ec 100644
--- a/core/lib/Drupal/Core/Template/AttributeArray.php
+++ b/core/lib/Drupal/Core/Template/AttributeArray.php
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
  * A class that defines a type of Attribute that can be added to as an array.
  *
@@ -76,7 +74,7 @@ public function offsetExists($offset) {
   public function __toString() {
     // Filter out any empty values before printing.
     $this->value = array_unique(array_filter($this->value));
-    return SafeMarkup::checkPlain(implode(' ', $this->value));
+    return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
   }
 
   /**
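Review bot: The new `htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8')` omits ENT_SUBSTITUTE, so if any element contains an invalid UTF-8 sequence the call returns an empty string and the whole attribute value is silently dropped instead of escaped; the same applies to the replacement lines in AttributeBoolean::__toString(), AttributeString::__toString() and AttributeValueBase::render(). If the project does not guarantee valid UTF-8 on every value reaching these classes, `ENT_QUOTES | ENT_SUBSTITUTE` would replace the bad bytes with U+FFFD and keep the rest of the output intact. Whether SafeMarkup::checkPlain() behaved the same way is not visible here, so this may be pre-existing behaviour the patch preserves rather than a regression. Separately, `array_filter($this->value)` with no callback also discards a class literally named `'0'`; if that is unintended, a callback such as `function ($v) { return $v !== '' && $v !== NULL; }` keeps it.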
diff --git a/core/lib/Drupal/Core/Template/AttributeBoolean.php b/core/lib/Drupal/Core/Template/AttributeBoolean.php
index a2e5c02e6689..7ff67ae5b06b 100644
--- a/core/lib/Drupal/Core/Template/AttributeBoolean.php
+++ b/core/lib/Drupal/Core/Template/AttributeBoolean.php
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
  * A class that defines a type of boolean HTML attribute.
  *
@@ -42,7 +40,7 @@ public function render() {
    * Implements the magic __toString() method.
    */
   public function __toString() {
-    return $this->value === FALSE ? '' : SafeMarkup::checkPlain($this->name);
+    return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
   }
 
 }
diff --git a/core/lib/Drupal/Core/Template/AttributeString.php b/core/lib/Drupal/Core/Template/AttributeString.php
index 51b144827ea3..2dff59bae9be 100644
--- a/core/lib/Drupal/Core/Template/AttributeString.php
+++ b/core/lib/Drupal/Core/Template/AttributeString.php
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
  * A class that represents most standard HTML attributes.
  *
@@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase {
    * Implements the magic __toString() method.
    */
   public function __toString() {
-    return SafeMarkup::checkPlain($this->value);
+    return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
   }
 
 }
diff --git a/core/lib/Drupal/Core/Template/AttributeValueBase.php b/core/lib/Drupal/Core/Template/AttributeValueBase.php
index 4db6dd822f4f..c03700479538 100644
--- a/core/lib/Drupal/Core/Template/AttributeValueBase.php
+++ b/core/lib/Drupal/Core/Template/AttributeValueBase.php
@@ -7,8 +7,6 @@
 
 namespace Drupal\Core\Template;
 
-use Drupal\Component\Utility\SafeMarkup;
-
 /**
  * Defines the base class for an attribute type.
  *
@@ -57,7 +55,7 @@ public function __construct($name, $value) {
   public function render() {
     $value = (string) $this;
     if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
-      return SafeMarkup::checkPlain($this->name) . '="' . $value . '"';
+      return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
     }
   }
 
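Review bot: The escaping of `$value` on the new line is not established by render() itself: `(string) $this` on the line above delegates to the subclass __toString(), so a subclass that forgets to escape yields raw markup inside the string that Attribute::__toString() then marks safe. The render() docblock, which begins above this hunk, should state that contract, e.g. `Subclasses must return an HTML-escaped value from __toString(); render() escapes only the attribute name.` The condition `isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)` relies on && binding tighter than ||; writing `(isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE) || !empty($value)` makes the intent readable, and the implicit null return when it fails could be an explicit `return '';` so both paths return a string.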
-- 
GitLab