Commit 397b680a authored by alexpott's avatar alexpott

Issue #2567715 by marthinal, hgoto, jpd4nt, mr.baileys, Wim Leers, alexpott:...

Issue #2567715 by marthinal, hgoto, jpd4nt, mr.baileys, Wim Leers, alexpott: #markup generated by #pre_render callbacks do not get processed by ensureMarkupIsSafe()
parent 67076176
......@@ -224,6 +224,8 @@ protected static function attributes($attributes) {
$skip_protocol_filtering = substr($attribute_name, 0, 5) === 'data-' || in_array($attribute_name, array(
'title',
'alt',
'rel',
'property',
));
$working = $mode = 1;
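Review bot: The two new entries 'rel' and 'property' widen the protocol-filtering exemption without a comment saying why those attributes are safe to exempt, which matters because this list is the one place an attacker-controlled value bypasses the protocol check. From the test cases in this commit the motivation appears to be RDFa CURIE values such as `dc:publisher`, whose colon would otherwise be mistaken for a URL scheme; I would state that above the list: `// RDFa attributes (rel, property) carry CURIEs like "dc:publisher", not URLs, so their colon must not trigger protocol filtering.` The `in_array()` call still has no strict flag; passing `TRUE` costs nothing and avoids loose comparison on the attribute name. The enclosing attributes() method begins before this hunk.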
......
......@@ -365,11 +365,6 @@ protected function doRender(&$elements, $is_root_call = FALSE) {
$elements['#lazy_builder_built'] = TRUE;
}
// All render elements support #markup and #plain_text.
if (!empty($elements['#markup']) || !empty($elements['#plain_text'])) {
$elements = $this->ensureMarkupIsSafe($elements);
}
// Make any final changes to the element before it is rendered. This means
// that the $element or the children can be altered or corrected before the
// element is rendered into the final text.
......@@ -382,6 +377,11 @@ protected function doRender(&$elements, $is_root_call = FALSE) {
}
}
// All render elements support #markup and #plain_text.
if (!empty($elements['#markup']) || !empty($elements['#plain_text'])) {
$elements = $this->ensureMarkupIsSafe($elements);
}
// Defaults for bubbleable rendering metadata.
$elements['#cache']['tags'] = isset($elements['#cache']['tags']) ? $elements['#cache']['tags'] : array();
$elements['#cache']['max-age'] = isset($elements['#cache']['max-age']) ? $elements['#cache']['max-age'] : Cache::PERMANENT;
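Review bot: The relocated ensureMarkupIsSafe() call keeps the old comment "All render elements support #markup and #plain_text.", which no longer explains the one thing that matters about its new position: it must run after the #pre_render loop so that markup added or modified by a #pre_render callback is also sanitized (the bug this commit fixes). I would extend the comment to `// Run after #pre_render so #markup/#plain_text produced by those callbacks is also sanitized; moving this earlier reintroduces the XSS fixed in #2567715.` so a future refactor does not hoist it back above the callbacks. The check still uses `!empty()`, so a `#markup` of exactly '0' skips sanitization; harmless here, but worth a note if the condition is ever tightened. doRender() continues past the end of this hunk.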
......
......@@ -244,7 +244,7 @@ public static function cases(ContainerInterface $container = NULL, AccountInterf
'command' => 'insert',
'method' => 'replaceWith',
'selector' => '[data-big-pipe-placeholder-id="timecurrent-timetime"]',
'data' => '<time datetime=1991-03-14"></time>',
'data' => '<time datetime="1991-03-14"></time>',
'settings' => NULL,
],
];
......@@ -258,7 +258,7 @@ public static function cases(ContainerInterface $container = NULL, AccountInterf
],
],
];
$current_time->embeddedHtmlResponse = '<time datetime=1991-03-14"></time>';
$current_time->embeddedHtmlResponse = '<time datetime="1991-03-14"></time>';
// 6. Edge case: #lazy_builder that throws an exception.
......
......@@ -85,7 +85,7 @@ public function multiOccurrence() {
*/
public static function currentTime() {
return [
'#markup' => '<time datetime=' . date('Y-m-d', 668948400) . '"></time>',
'#markup' => '<time datetime="' . date('Y-m-d', 668948400) . '"></time>',
'#cache' => ['max-age' => 0]
];
}
......
......@@ -505,6 +505,18 @@ public function providerTestAttributes() {
'Image tag with alt and title attribute',
array('img')
),
array(
'<a href="https://www.drupal.org/" rel="dc:publisher">Drupal</a>',
'<a href="https://www.drupal.org/" rel="dc:publisher">Drupal</a>',
'Link tag with rel attribute',
array('a')
),
array(
'<span property="dc:subject">Drupal 8: The best release ever.</span>',
'<span property="dc:subject">Drupal 8: The best release ever.</span>',
'Span tag with property attribute',
array('span')
),
array(
'<img src="http://example.com/foo.jpg" data-caption="Drupal 8: The best release ever.">',
'<img src="http://example.com/foo.jpg" data-caption="Drupal 8: The best release ever.">',
......
......@@ -140,6 +140,32 @@ public function providerTestRenderBasic() {
'#children' => 'foo',
'child' => ['#markup' => 'bar'],
], 'foo'];
// Ensure that content added to #markup via a #pre_render callback is safe.
$data[] = [[
'#markup' => 'foo',
'#pre_render' => [function($elements) {
$elements['#markup'] .= '<script>alert("bar");</script>';
return $elements;
}]
], 'fooalert("bar");'];
// Test #allowed_tags in combination with #markup and #pre_render.
$data[] = [[
'#markup' => 'foo',
'#allowed_tags' => array('script'),
'#pre_render' => [function($elements) {
$elements['#markup'] .= '<script>alert("bar");</script>';
return $elements;
}]
], 'foo<script>alert("bar");</script>'];
// Ensure output is escaped when adding content to #check_plain through
// a #pre_render callback.
$data[] = [[
'#plain_text' => 'foo',
'#pre_render' => [function($elements) {
$elements['#plain_text'] .= '<script>alert("bar");</script>';
return $elements;
}]
], 'foo&lt;script&gt;alert(&quot;bar&quot;);&lt;/script&gt;'];
// Part 2: render arrays using #theme and #theme_wrappers.
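Review bot: The comment introducing the third new case says "adding content to #check_plain", but the element being exercised uses `#plain_text` (and there is no `#check_plain` key in the case), so the comment points at the wrong property. Change it to `// Ensure output is escaped when adding content to #plain_text through` `// a #pre_render callback.` The second case is a useful regression pin that `#allowed_tags` honours `script` even when the markup arrives via #pre_render; a one-line comment stating that this is the intended (opt-in) behaviour would stop a later reader from reading the expected `<script>` in the output as a bug. providerTestRenderBasic() continues beyond this hunk.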
......