Issue #3521327 by avpaderno: The insecure examples code does not include delimiters for strings

(cherry picked from commit b4332a51)

Issue #3521327 by avpaderno: The insecure examples code does not include delimiters for strings
d4c9cbd2 · catch · a42a6de2 · d4c9cbd2
Commit d4c9cbd2 authored 1 month ago by catch
--- a/core/lib/Drupal/Component/Render/FormattableMarkup.php
+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -124,10 +124,10 @@ public function jsonSerialize(): string {
   * Insecure examples.
   * @code
   * // The following are using the @ placeholder inside an HTML tag.
-   * $this->placeholderFormat('<@foo>text</@foo>, ['@foo' => $some_variable]);
-   * $this->placeholderFormat('<a @foo>link text</a>, ['@foo' => $some_variable]);
-   * $this->placeholderFormat('<a href="@foo">link text</a>, ['@foo' => $some_variable]);
-   * $this->placeholderFormat('<a title="@foo">link text</a>, ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<@foo>text</@foo>', ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<a @foo>link text</a>', ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<a href="@foo">link text</a>', ['@foo' => $some_variable]);
+   * $this->placeholderFormat('<a title="@foo">link text</a>', ['@foo' => $some_variable]);
   * // Implicitly convert an object to a string, which is not sanitized.
   * $this->placeholderFormat('Non-sanitized replacement value: @foo', ['@foo' => $safe_string_interface_object]);
   * @endcode