Commit c7d4ab58 authored by catch's avatar catch

Issue #2552579 by alexpott: Remove SafeMarkup::placeholder(), deprecate...

Issue #2552579 by alexpott: Remove SafeMarkup::placeholder(), deprecate drupal_placeholder() and stop drupal_placeholder() from marking safe
parent 50723539
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
use Drupal\Component\Datetime\DateTimePlus; use Drupal\Component\Datetime\DateTimePlus;
use Drupal\Component\Utility\Crypt; use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\Environment; use Drupal\Component\Utility\Environment;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Unicode;
use Drupal\Core\DrupalKernel; use Drupal\Core\DrupalKernel;
...@@ -953,10 +954,16 @@ function drupal_static_reset($name = NULL) { ...@@ -953,10 +954,16 @@ function drupal_static_reset($name = NULL) {
/** /**
* Formats text for emphasized display in a placeholder inside a sentence. * Formats text for emphasized display in a placeholder inside a sentence.
* *
* @see \Drupal\Component\Utility\SafeMarkup::placeholder() * @deprecated in Drupal 8.0.0, will be removed before Drupal 9.0.0. Use
* \Drupal\Component\Utility\SafeMarkup::format() or Twig's "placeholder"
* filter instead. Note this method should not be used to simply emphasize a
* string and therefore has few valid use-cases. Note also, that this method
* does not mark the string as safe.
*
* @see \Drupal\Component\Utility\SafeMarkup::format()
*/ */
function drupal_placeholder($text) { function drupal_placeholder($text) {
return SafeMarkup::placeholder($text); return '<em class="placeholder">' . Html::escape($text) . '</em>';
} }
/** /**
......
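Review bot: The rewritten docblock for drupal_placeholder() has no `@param` or `@return`, although the return contract is exactly what this change alters: the function now returns a string escaped with `Html::escape()` that is no longer registered as safe. I would add `@param string $text` with "The text to format (plain-text)." and `@return string` with "The escaped text wrapped in <em class="placeholder">; not marked safe." Remaining callers that print the result through an auto-escaping layer will presumably see it escaped a second time, which the deprecation note only hints at.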
...@@ -197,8 +197,8 @@ public static function checkPlain($text) { ...@@ -197,8 +197,8 @@ public static function checkPlain($text) {
* formatting depends on the first character of the key: * formatting depends on the first character of the key:
* - @variable: Escaped to HTML using self::escape(). Use this as the * - @variable: Escaped to HTML using self::escape(). Use this as the
* default choice for anything displayed on a page on the site. * default choice for anything displayed on a page on the site.
* - %variable: Escaped to HTML and formatted using self::placeholder(), * - %variable: Escaped to HTML wrapped in <em> tags, which makes the
* which makes the following HTML code: * following HTML code:
* @code * @code
* <em class="placeholder">text output here.</em> * <em class="placeholder">text output here.</em>
* @endcode * @endcode
...@@ -232,7 +232,7 @@ public static function format($string, array $args) { ...@@ -232,7 +232,7 @@ public static function format($string, array $args) {
case '%': case '%':
default: default:
// Escaped and placeholder. // Escaped and placeholder.
$args[$key] = static::placeholder($value); $args[$key] = '<em class="placeholder">' . static::escape($value) . '</em>';
break; break;
case '!': case '!':
...@@ -251,21 +251,4 @@ public static function format($string, array $args) { ...@@ -251,21 +251,4 @@ public static function format($string, array $args) {
return $output; return $output;
} }
/**
* Formats text for emphasized display in a placeholder inside a sentence.
*
* Used automatically by self::format().
*
* @param string $text
* The text to format (plain-text).
*
* @return string
* The formatted text (html).
*/
public static function placeholder($text) {
$string = '<em class="placeholder">' . static::escape($text) . '</em>';
static::$safeStrings[$string]['html'] = TRUE;
return $string;
}
} }
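Review bot: The reworded `%variable` bullet reads "Escaped to HTML wrapped in <em> tags", which drops the conjunction and no longer names the method that does the escaping. I would write `- %variable: Escaped to HTML using self::escape() and wrapped in <em> tags,` to match the `@variable` bullet above it. In format(), the same `<em class="placeholder">` literal is now repeated in drupal_placeholder(), so the two copies can drift apart. The rest of format(), including how the final output is marked safe, is outside these hunks.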
...@@ -78,7 +78,7 @@ function editor_form_filter_admin_overview_alter(&$form, FormStateInterface $for ...@@ -78,7 +78,7 @@ function editor_form_filter_admin_overview_alter(&$form, FormStateInterface $for
$editors = \Drupal::service('plugin.manager.editor')->getDefinitions(); $editors = \Drupal::service('plugin.manager.editor')->getDefinitions();
foreach (Element::children($form['formats']) as $format_id) { foreach (Element::children($form['formats']) as $format_id) {
$editor = editor_load($format_id); $editor = editor_load($format_id);
$editor_name = ($editor && isset($editors[$editor->getEditor()])) ? $editors[$editor->getEditor()]['label'] : drupal_placeholder('—'); $editor_name = ($editor && isset($editors[$editor->getEditor()])) ? $editors[$editor->getEditor()]['label'] : '—';
$editor_column['editor'] = array('#markup' => $editor_name); $editor_column['editor'] = array('#markup' => $editor_name);
$position = array_search('name', array_keys($form['formats'][$format_id])) + 1; $position = array_search('name', array_keys($form['formats'][$format_id])) + 1;
$start = array_splice($form['formats'][$format_id], 0, $position, $editor_column); $start = array_splice($form['formats'][$format_id], 0, $position, $editor_column);
......
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\filter; namespace Drupal\filter;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Config\Entity\DraggableListBuilder; use Drupal\Core\Config\Entity\DraggableListBuilder;
use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityInterface;
...@@ -94,24 +93,28 @@ public function buildHeader() { ...@@ -94,24 +93,28 @@ public function buildHeader() {
public function buildRow(EntityInterface $entity) { public function buildRow(EntityInterface $entity) {
// Check whether this is the fallback text format. This format is available // Check whether this is the fallback text format. This format is available
// to all roles and cannot be disabled via the admin interface. // to all roles and cannot be disabled via the admin interface.
$row['label'] = $this->getLabel($entity);
$row['roles'] = [];
if ($entity->isFallbackFormat()) { if ($entity->isFallbackFormat()) {
$row['label'] = SafeMarkup::placeholder($entity->label());
$fallback_choice = $this->configFactory->get('filter.settings')->get('always_show_fallback_choice'); $fallback_choice = $this->configFactory->get('filter.settings')->get('always_show_fallback_choice');
if ($fallback_choice) { if ($fallback_choice) {
$roles_markup = SafeMarkup::placeholder($this->t('All roles may use this format')); $roles_markup = $this->t('All roles may use this format');
} }
else { else {
$roles_markup = SafeMarkup::placeholder($this->t('This format is shown when no other formats are available')); $roles_markup = $this->t('This format is shown when no other formats are available');
} }
// Emphasize the fallback role text since it is important to understand
// how it works which configuring filter formats. Additionally, it is not
// a list of roles unlike the other values in this column.
$row['roles']['#prefix'] = '<em>';
$row['roles']['#suffix'] = '</em>';
} }
else { else {
$row['label'] = $this->getLabel($entity);
$roles = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', filter_get_roles_by_format($entity)); $roles = array_map('\Drupal\Component\Utility\SafeMarkup::checkPlain', filter_get_roles_by_format($entity));
$roles_markup = $roles ? implode(', ', $roles) : $this->t('No roles may use this format'); $roles_markup = $roles ? implode(', ', $roles) : $this->t('No roles may use this format');
} }
$row['roles'] = !empty($this->weightKey) ? array('#markup' => $roles_markup) : $roles_markup; $row['roles']['#markup'] = $roles_markup;
return $row + parent::buildRow($entity); return $row + parent::buildRow($entity);
} }
......
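Review bot: The comment added in the fallback branch of buildRow() has a typo, "how it works which configuring filter formats"; it should read `// how it works when configuring filter formats. Additionally, it is not`. Separately, `$row['roles']` is now always a render array, where the old line returned a plain string when `$this->weightKey` was empty, so that path changes shape if this builder can ever run without a weight key. The fallback label now comes from `$this->getLabel($entity)` instead of the escaping placeholder call, so its escaping depends on getLabel(), which is defined outside this hunk and should be confirmed.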
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\filter; namespace Drupal\filter;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface; use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait; use Drupal\Core\StringTranslation\StringTranslationTrait;
...@@ -60,7 +59,11 @@ public function permissions() { ...@@ -60,7 +59,11 @@ public function permissions() {
if ($permission = $format->getPermissionName()) { if ($permission = $format->getPermissionName()) {
$permissions[$permission] = [ $permissions[$permission] = [
'title' => $this->t('Use the <a href="@url">@label</a> text format', ['@url' => $format->url(), '@label' => $format->label()]), 'title' => $this->t('Use the <a href="@url">@label</a> text format', ['@url' => $format->url(), '@label' => $format->label()]),
'description' => SafeMarkup::placeholder($this->t('Warning: This permission may have security implications depending on how the text format is configured.')), 'description' => [
'#prefix' => '<em>',
'#markup' => $this->t('Warning: This permission may have security implications depending on how the text format is configured.'),
'#suffix' => '</em>'
],
]; ];
} }
} }
......
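Review bot: `description` changes from a string to a render array in permissions(), so any consumer that treats a permission description as a string would now receive an array. Those consumers are outside this hunk and should be checked. The array also ends with `'#suffix' => '</em>'` without a trailing comma, unlike the same structure in the NodeController hunk, and the update report hunk has the same omission. I would write `'#suffix' => '</em>',` in both places.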
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\node\Controller; namespace Drupal\node\Controller;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Xss; use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase; use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Datetime\DateFormatter; use Drupal\Core\Datetime\DateFormatter;
...@@ -206,7 +205,11 @@ public function revisionOverview(NodeInterface $node) { ...@@ -206,7 +205,11 @@ public function revisionOverview(NodeInterface $node) {
if ($vid == $node->getRevisionId()) { if ($vid == $node->getRevisionId()) {
$row[0]['class'] = ['revision-current']; $row[0]['class'] = ['revision-current'];
$row[] = [ $row[] = [
'data' => SafeMarkup::placeholder($this->t('current revision')), 'data' => [
'#prefix' => '<em>',
'#markup' => $this->t('current revision'),
'#suffix' => '</em>',
],
'class' => ['revision-current'], 'class' => ['revision-current'],
]; ];
} }
......
...@@ -228,7 +228,11 @@ function template_preprocess_update_project_status(&$variables) { ...@@ -228,7 +228,11 @@ function template_preprocess_update_project_status(&$variables) {
$extra_item = array(); $extra_item = array();
$extra_item['attributes'] = new Attribute(); $extra_item['attributes'] = new Attribute();
$extra_item['label'] = $value['label']; $extra_item['label'] = $value['label'];
$extra_item['data'] = drupal_placeholder($value['data']); $extra_item['data'] = [
'#prefix' => '<em>',
'#markup' => $value['data'],
'#suffix' => '</em>'
];
$variables['extras'][] = $extra_item; $variables['extras'][] = $extra_item;
} }
} }
......
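Review bot: `$value['data']` was HTML-escaped by drupal_placeholder() before this change and is now handed to `#markup` as-is, so it is subject to the renderer's markup filtering rather than to escaping. If these extra items can carry text from project or release metadata (the source of `$value` is outside this hunk), tags the filter allows would render as markup instead of literal text. Keeping the escape explicit preserves the old behaviour, for example `'#markup' => SafeMarkup::checkPlain($value['data']),`, assuming SafeMarkup is imported in this file.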
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
namespace Drupal\user\Plugin\Validation\Constraint; namespace Drupal\user\Plugin\Validation\Constraint;
use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Html;
use Symfony\Component\Validator\Constraint; use Symfony\Component\Validator\Constraint;
use Symfony\Component\Validator\ConstraintValidatorInterface; use Symfony\Component\Validator\ConstraintValidatorInterface;
use Symfony\Component\Validator\ExecutionContextInterface; use Symfony\Component\Validator\ExecutionContextInterface;
...@@ -29,6 +29,9 @@ class UserMailRequired extends Constraint implements ConstraintValidatorInterfac ...@@ -29,6 +29,9 @@ class UserMailRequired extends Constraint implements ConstraintValidatorInterfac
/** /**
* Violation message. Use the same message as FormValidator. * Violation message. Use the same message as FormValidator.
* *
* Note that the name argument is not sanitized so that translators only have
* one string to translate. The name is sanitized in self::validate().
*
* @var string * @var string
*/ */
public $message = '!name field is required.'; public $message = '!name field is required.';
...@@ -70,7 +73,7 @@ public function validate($items, Constraint $constraint) { ...@@ -70,7 +73,7 @@ public function validate($items, Constraint $constraint) {
$required = !(!$existing_value && \Drupal::currentUser()->hasPermission('administer users')); $required = !(!$existing_value && \Drupal::currentUser()->hasPermission('administer users'));
if ($required && (!isset($items) || $items->isEmpty())) { if ($required && (!isset($items) || $items->isEmpty())) {
$this->context->addViolation($this->message, array('!name' => SafeMarkup::placeholder($account->getFieldDefinition('mail')->getLabel()))); $this->context->addViolation($this->message, ['!name' => Html::escape($account->getFieldDefinition('mail')->getLabel())]);
} }
} }
......
...@@ -136,7 +136,7 @@ function testValidation() { ...@@ -136,7 +136,7 @@ function testValidation() {
$violations = $user->validate(); $violations = $user->validate();
$this->assertEqual(count($violations), 1, 'E-mail addresses may not be removed'); $this->assertEqual(count($violations), 1, 'E-mail addresses may not be removed');
$this->assertEqual($violations[0]->getPropertyPath(), 'mail'); $this->assertEqual($violations[0]->getPropertyPath(), 'mail');
$this->assertEqual($violations[0]->getMessage(), t('!name field is required.', array('!name' => SafeMarkup::placeholder($user->getFieldDefinition('mail')->getLabel())))); $this->assertEqual($violations[0]->getMessage(), t('!name field is required.', array('!name' => $user->getFieldDefinition('mail')->getLabel())));
$user->set('mail', 'someone@example.com'); $user->set('mail', 'someone@example.com');
$user->set('timezone', $this->randomString(33)); $user->set('timezone', $this->randomString(33));
......
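Review bot: The expected message now substitutes the raw field label for `!name`, while validate() passes the label through `Html::escape()`. The assertion therefore only holds while the label contains no HTML special characters, and it no longer checks that the label is escaped. Building the expected value the same way, `array('!name' => Html::escape($user->getFieldDefinition('mail')->getLabel()))`, ties the test to the new behaviour. The file's imports are not visible here, so Html may need a `use` line, and testValidation() continues outside the hunk.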
...@@ -192,15 +192,6 @@ function providerFormat() { ...@@ -192,15 +192,6 @@ function providerFormat() {
return $tests; return $tests;
} }
/**
* Tests SafeMarkup::placeholder().
*
* @covers ::placeholder
*/
function testPlaceholder() {
$this->assertEquals('<em class="placeholder">Some text</em>', SafeMarkup::placeholder('Some text'));
}
/** /**
* Tests the interaction between the safe list and XSS filtering. * Tests the interaction between the safe list and XSS filtering.
* *
......