Commit fd671837 authored by xjm's avatar xjm

Issue #2505701 by pwolanin, YesCT, akalata: Document SafeMarkup::set and Use...

Issue #2505701 by pwolanin, YesCT, akalata: Document SafeMarkup::set and Use htmlspecialchars() directly in Attribute() so we don't bloat the list of safe strings
parent 2916dc8f
...@@ -40,7 +40,7 @@ ...@@ -40,7 +40,7 @@
* @endcode * @endcode
* *
* The attribute keys and values are automatically sanitized for output with * The attribute keys and values are automatically sanitized for output with
* \Drupal\Component\Utility\SafeMarkup::checkPlain(). * htmlspecialchars() and the entire attribute string is marked safe for output.
*/ */
class Attribute implements \ArrayAccess, \IteratorAggregate { class Attribute implements \ArrayAccess, \IteratorAggregate {
...@@ -252,12 +252,16 @@ public function hasClass($class) { ...@@ -252,12 +252,16 @@ public function hasClass($class) {
*/ */
public function __toString() { public function __toString() {
$return = ''; $return = '';
/** @var \Drupal\Core\Template\AttributeValueBase $value */
foreach ($this->storage as $name => $value) { foreach ($this->storage as $name => $value) {
$rendered = $value->render(); $rendered = $value->render();
if ($rendered) { if ($rendered) {
$return .= ' ' . $rendered; $return .= ' ' . $rendered;
} }
} }
// The implementations of AttributeValueBase::render() call
// htmlspecialchars() on the attribute name and value so we are confident
// that the return value can be set as safe.
return SafeMarkup::set($return); return SafeMarkup::set($return);
} }
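Review bot: The comment added above the `return SafeMarkup::set($return);` line attributes the escaping to AttributeValueBase::render(), but render() (last section of this commit) escapes only `$this->name`; the value half comes from each subclass's `__toString()`, so the safety of marking `$return` safe rests on every present and future AttributeValueBase subclass escaping its own value. I would make the comment say that precisely: `// AttributeValueBase::render() escapes the attribute name and each subclass's __toString() escapes the value with htmlspecialchars(), so the concatenated string can be marked safe.` The same expectation belongs on the base-class `__toString()` contract, which this diff does not show. Attribute::__toString()'s docblock begins above the hunk.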
......
...@@ -7,8 +7,6 @@ ...@@ -7,8 +7,6 @@
namespace Drupal\Core\Template; namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/** /**
* A class that defines a type of Attribute that can be added to as an array. * A class that defines a type of Attribute that can be added to as an array.
* *
...@@ -76,7 +74,7 @@ public function offsetExists($offset) { ...@@ -76,7 +74,7 @@ public function offsetExists($offset) {
public function __toString() { public function __toString() {
// Filter out any empty values before printing. // Filter out any empty values before printing.
$this->value = array_unique(array_filter($this->value)); $this->value = array_unique(array_filter($this->value));
return SafeMarkup::checkPlain(implode(' ', $this->value)); return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
} }
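Review bot: The escape call `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` is now spelled out four times (this line, AttributeBoolean::__toString(), AttributeString::__toString() and AttributeValueBase::render()); a single protected helper on AttributeValueBase, e.g. `protected static function escape($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }`, would keep the flag set in one place so a later adjustment cannot diverge between subclasses. On the flags themselves: without ENT_SUBSTITUTE, htmlspecialchars() returns '' for input containing an invalid UTF-8 sequence, so such an attribute value silently renders empty; whether that matches the replaced checkPlain() depends on its flags, which this diff does not show. The `array_filter($this->value)` on the context line also discards the string '0', which is pre-existing rather than introduced here.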
/** /**
......
...@@ -7,8 +7,6 @@ ...@@ -7,8 +7,6 @@
namespace Drupal\Core\Template; namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/** /**
* A class that defines a type of boolean HTML attribute. * A class that defines a type of boolean HTML attribute.
* *
...@@ -42,7 +40,7 @@ public function render() { ...@@ -42,7 +40,7 @@ public function render() {
* Implements the magic __toString() method. * Implements the magic __toString() method.
*/ */
public function __toString() { public function __toString() {
return $this->value === FALSE ? '' : SafeMarkup::checkPlain($this->name); return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
} }
} }
...@@ -7,8 +7,6 @@ ...@@ -7,8 +7,6 @@
namespace Drupal\Core\Template; namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/** /**
* A class that represents most standard HTML attributes. * A class that represents most standard HTML attributes.
* *
...@@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase { ...@@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase {
* Implements the magic __toString() method. * Implements the magic __toString() method.
*/ */
public function __toString() { public function __toString() {
return SafeMarkup::checkPlain($this->value); return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
} }
} }
...@@ -7,8 +7,6 @@ ...@@ -7,8 +7,6 @@
namespace Drupal\Core\Template; namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/** /**
* Defines the base class for an attribute type. * Defines the base class for an attribute type.
* *
...@@ -57,7 +55,7 @@ public function __construct($name, $value) { ...@@ -57,7 +55,7 @@ public function __construct($name, $value) {
public function render() { public function render() {
$value = (string) $this; $value = (string) $this;
if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) { if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
return SafeMarkup::checkPlain($this->name) . '="' . $value . '"'; return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
} }
} }
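Review bot: render() now escapes only `$this->name`; `$value`, taken from `(string) $this` on the line above, is placed between the quotes without further escaping, so the output is only safe to mark as such if every subclass's `__toString()` escapes. That contract should be written on the base class, for instance in render()'s docblock (which starts above the hunk): `* Subclasses' __toString() implementations must return HTML-escaped output; render() relies on this because Attribute::__toString() marks the result safe.` The unchanged condition `isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)` relies on && binding tighter than ||; parentheses would make that intent explicit if the line is touched again.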
......