Commit d88f278d authored by catch's avatar catch

Issue #2525908 by alexpott, cilefen: HtmlTag render element's prefix and...

Issue #2525908 by alexpott, cilefen: HtmlTag render element's prefix and suffix can be marked safe when they are not
parent 9341eca0
......@@ -174,8 +174,14 @@ public static function preRenderConditionalComments($element) {
// Ensure what we are dealing with is safe.
// This would be done later anyway in drupal_render().
$prefix = isset($elements['#prefix']) ? Xss::filterAdmin($elements['#prefix']) : '';
$suffix = isset($elements['#suffix']) ? Xss::filterAdmin($elements['#suffix']) : '';
$prefix = isset($element['#prefix']) ? $element['#prefix'] : '';
if ($prefix && !SafeMarkup::isSafe($prefix)) {
$prefix = Xss::filterAdmin($prefix);
}
$suffix = isset($element['#suffix']) ? $element['#suffix'] : '';
if ($suffix && !SafeMarkup::isSafe($suffix)) {
$suffix = Xss::filterAdmin($suffix);
}
// Now calling SafeMarkup::set is safe, because we ensured the
// data coming in was at least admin escaped.
......
......@@ -7,6 +7,7 @@
namespace Drupal\Tests\Core\Render\Element;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Tests\UnitTestCase;
use Drupal\Core\Render\Element\HtmlTag;
......@@ -84,7 +85,11 @@ public function providerPreRenderHtmlTag() {
* @covers ::preRenderConditionalComments
* @dataProvider providerPreRenderConditionalComments
*/
public function testPreRenderConditionalComments($element, $expected) {
public function testPreRenderConditionalComments($element, $expected, $set_safe = FALSE) {
if ($set_safe) {
SafeMarkup::set($element['#prefix']);
SafeMarkup::set($element['#suffix']);
}
$this->assertSame($expected, HtmlTag::preRenderConditionalComments($element));
}
......@@ -142,6 +147,26 @@ public function providerPreRenderConditionalComments() {
$expected['#suffix'] = "<!--<![endif]-->\n";
$tags[] = array($element, $expected);
// Prefix and suffix filtering if not safe.
$element = array(
'#tag' => 'link',
'#browsers' => array(
'IE' => FALSE,
),
'#prefix' => '<blink>prefix</blink>',
'#suffix' => '<blink>suffix</blink>',
);
$expected = $element;
$expected['#prefix'] = "\n<!--[if !IE]><!-->\nprefix";
$expected['#suffix'] = "suffix<!--<![endif]-->\n";
$tags[] = array($element, $expected);
// Prefix and suffix filtering if marked as safe. This has to come after the
// previous test case.
$expected['#prefix'] = "\n<!--[if !IE]><!-->\n<blink>prefix</blink>";
$expected['#suffix'] = "<blink>suffix</blink><!--<![endif]-->\n";
$tags[] = array($element, $expected, TRUE);
return $tags;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment