Commit f3849617 authored by catch

Issue #2557519 by alexpott, joelpittet: Remove many usages...

Issue #2557519 by alexpott, joelpittet: Remove many usages of SafeMarkup::checkPlain() and replace with Html::escape()
parent 6c8fe4bd
......@@ -491,7 +491,7 @@ function _drupal_add_html_head_link($attributes, $header = FALSE) {
if ($header) {
// Also add a HTTP header "Link:".
$href = '<' . SafeMarkup::checkPlain($attributes['href']) . '>;';
$href = '<' . Html::escape($attributes['href']) . '>;';
unset($attributes['href']);
$element['#attached']['http_header'][] = array('Link', $href . drupal_http_header_attributes($attributes), TRUE);
}
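Review bot: `Html::escape()` on the new `$href` line is an HTML-context encoder, but the value is emitted in an HTTP `Link:` header, where entities are never decoded: a `&` in the href reaches the client as `&amp;`, and header-unsafe characters such as CR/LF are not neutralised by entity escaping at all. The swap preserves what checkPlain() did, so nothing regresses here, but the encoder should match the output context, and a comment such as `// NOTE: Html::escape() is HTML encoding; a Link header needs URL/header-safe encoding, not entities.` would stop this from being copied as a pattern. Whether the response layer rejects CR/LF in header values is not visible from this hunk. `_drupal_add_html_head_link()` starts outside the hunk.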
......@@ -1380,7 +1380,7 @@ function _drupal_flush_css_js() {
*/
function debug($data, $label = NULL, $print_r = TRUE) {
// Print $data contents to string.
$string = SafeMarkup::checkPlain($print_r ? print_r($data, TRUE) : var_export($data, TRUE));
$string = Html::escape($print_r ? print_r($data, TRUE) : var_export($data, TRUE));
// Display values with pre-formatting to increase readability.
$string = '<pre>' . $string . '</pre>';
......@@ -5,11 +5,11 @@
* API for handling file uploads and server file management.
*/
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\UrlHelper;
use Drupal\Component\PhpStorage\FileStorage;
use Drupal\Component\Utility\Bytes;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\File\FileSystem;
use Drupal\Core\StreamWrapper\PublicStream;
use Drupal\Core\StreamWrapper\StreamWrapperInterface;
......@@ -371,7 +371,7 @@ function file_save_htaccess($directory, $private = TRUE, $force_overwrite = FALS
return drupal_chmod($htaccess_path, 0444);
}
else {
$variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(SafeMarkup::checkPlain($htaccess_lines)));
$variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(Html::escape($htaccess_lines)));
\Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables);
return FALSE;
}
......@@ -9,7 +9,7 @@
*/
use Drupal\Component\Graph\Graph;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\Entity\EntityStorageException;
use Drupal\Core\Utility\Error;
......@@ -215,7 +215,7 @@ function update_do_one($module, $number, $dependency_map, &$context) {
drupal_set_installed_schema_version($module, $number);
}
$context['message'] = 'Updating ' . SafeMarkup::checkPlain($module) . ' module';
$context['message'] = 'Updating ' . Html::escape($module) . ' module';
}
/**
......@@ -7,7 +7,7 @@
namespace Drupal\Core\Asset;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\State\StateInterface;
/**
......@@ -168,7 +168,7 @@ public function render(array $css_assets) {
// control browser-caching. IE7 does not support a media type on
// the @import statement, so we instead specify the media for
// the group on the STYLE tag.
$import[] = '@import url("' . SafeMarkup::checkPlain(file_create_url($next_css_asset['data']) . '?' . $query_string) . '");';
$import[] = '@import url("' . Html::escape(file_create_url($next_css_asset['data']) . '?' . $query_string) . '");';
// Move the outer for loop skip the next item, since we
// processed it here.
$i = $j;
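Review bot: The escaped string on the new `$import[]` line is placed inside `@import url("…")` in a STYLE element (per the comment above it), and the text content of `<style>` is not entity-decoded by the HTML parser, so `Html::escape()` is not the right encoder for this context: any `&` in the file URL or query string reaches the CSS parser as `&amp;`. It does prevent breaking out of the quoted string, because `"` and `<` are replaced, but that is incidental rather than a CSS-string escape. The input is a Drupal-generated file URL plus the aggregation query string, so practical exposure looks low; a one-line comment stating why HTML escaping is used here, or a switch to a CSS-string escape, would make the intent explicit. `render()` continues outside the hunk.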
......@@ -8,7 +8,7 @@
namespace Drupal\Core\EventSubscriber;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
......@@ -79,7 +79,7 @@ public function on404(GetResponseForExceptionEvent $event) {
if ($config->get('fast_404.enabled') && $exclude_paths && !preg_match($exclude_paths, $request->getPathInfo())) {
$fast_paths = $config->get('fast_404.paths');
if ($fast_paths && preg_match($fast_paths, $request->getPathInfo())) {
$fast_404_html = strtr($config->get('fast_404.html'), ['@path' => SafeMarkup::checkPlain($request->getUri())]);
$fast_404_html = strtr($config->get('fast_404.html'), ['@path' => Html::escape($request->getUri())]);
$response = new Response($fast_404_html, Response::HTTP_NOT_FOUND);
$event->setResponse($response);
}
......@@ -12,6 +12,7 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\SafeStringInterface;
use Drupal\Core\Render\RendererInterface;
......@@ -433,7 +434,7 @@ public function escapeFilter(\Twig_Environment $env, $arg, $strategy = 'html', $
// Drupal only supports the HTML escaping strategy, so provide a
// fallback for other strategies.
if ($strategy == 'html') {
return SafeMarkup::checkPlain($return);
return Html::escape($return);
}
return twig_escape_filter($env, $return, $strategy, $charset, $autoescape);
}
......@@ -5,7 +5,7 @@
* Hooks related to the Token system.
*/
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\user\Entity\User;
/**
......@@ -97,7 +97,7 @@ function hook_tokens($type, $tokens, array $data, array $options, \Drupal\Core\R
break;
case 'title':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($node->getTitle()) : $node->getTitle();
$replacements[$original] = $sanitize ? Html::escape($node->getTitle()) : $node->getTitle();
break;
case 'edit-url':
......@@ -107,7 +107,7 @@ function hook_tokens($type, $tokens, array $data, array $options, \Drupal\Core\R
// Default values for the chained tokens handled below.
case 'author':
$account = $node->getOwner() ? $node->getOwner() : User::load(0);
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($account->label()) : $account->label();
$replacements[$original] = $sanitize ? Html::escape($account->label()) : $account->label();
$bubbleable_metadata->addCacheableDependency($account);
break;
......@@ -5,7 +5,7 @@
* Builds placeholder replacement tokens for comment-related data.
*/
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Datetime\Entity\DateFormat;
use Drupal\Core\Render\BubbleableMetadata;
......@@ -135,7 +135,7 @@ function comment_tokens($type, $tokens, array $data, array $options, BubbleableM
// Poster identity information for comments.
case 'hostname':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($comment->getHostname()) : $comment->getHostname();
$replacements[$original] = $sanitize ? Html::escape($comment->getHostname()) : $comment->getHostname();
break;
case 'mail':
......@@ -145,7 +145,7 @@ function comment_tokens($type, $tokens, array $data, array $options, BubbleableM
if ($comment->getOwnerId()) {
$bubbleable_metadata->addCacheableDependency($comment->getOwner());
}
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($mail) : $mail;
$replacements[$original] = $sanitize ? Html::escape($mail) : $mail;
break;
case 'homepage':
......@@ -161,7 +161,7 @@ function comment_tokens($type, $tokens, array $data, array $options, BubbleableM
break;
case 'langcode':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($comment->language()->getId()) : $comment->language()->getId();
$replacements[$original] = $sanitize ? Html::escape($comment->language()->getId()) : $comment->language()->getId();
break;
// Comment related URLs.
......@@ -8,7 +8,7 @@
namespace Drupal\comment\Form;
use Drupal\comment\CommentStorageInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
......@@ -100,7 +100,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
'#type' => 'hidden',
'#value' => $cid,
'#prefix' => '<li>',
'#suffix' => SafeMarkup::checkPlain($comment->label()) . '</li>'
'#suffix' => Html::escape($comment->label()) . '</li>'
);
$comment_counter++;
}
......@@ -7,7 +7,7 @@
namespace Drupal\comment\Tests;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\comment\Entity\Comment;
use Drupal\Core\Render\BubbleableMetadata;
......@@ -52,26 +52,26 @@ function testCommentTokenReplacement() {
// Generate and test sanitized tokens.
$tests = array();
$tests['[comment:cid]'] = $comment->id();
$tests['[comment:hostname]'] = SafeMarkup::checkPlain($comment->getHostname());
$tests['[comment:hostname]'] = Html::escape($comment->getHostname());
$tests['[comment:author]'] = Xss::filter($comment->getAuthorName());
$tests['[comment:mail]'] = SafeMarkup::checkPlain($this->adminUser->getEmail());
$tests['[comment:mail]'] = Html::escape($this->adminUser->getEmail());
$tests['[comment:homepage]'] = check_url($comment->getHomepage());
$tests['[comment:title]'] = Xss::filter($comment->getSubject());
$tests['[comment:body]'] = $comment->comment_body->processed;
$tests['[comment:langcode]'] = SafeMarkup::checkPlain($comment->language()->getId());
$tests['[comment:langcode]'] = Html::escape($comment->language()->getId());
$tests['[comment:url]'] = $comment->url('canonical', $url_options + array('fragment' => 'comment-' . $comment->id()));
$tests['[comment:edit-url]'] = $comment->url('edit-form', $url_options);
$tests['[comment:created]'] = \Drupal::service('date.formatter')->format($comment->getCreatedTime(), 'medium', array('langcode' => $language_interface->getId()));
$tests['[comment:created:since]'] = \Drupal::service('date.formatter')->formatTimeDiffSince($comment->getCreatedTime(), array('langcode' => $language_interface->getId()));
$tests['[comment:changed:since]'] = \Drupal::service('date.formatter')->formatTimeDiffSince($comment->getChangedTimeAcrossTranslations(), array('langcode' => $language_interface->getId()));
$tests['[comment:parent:cid]'] = $comment->hasParentComment() ? $comment->getParentComment()->id() : NULL;
$tests['[comment:parent:title]'] = SafeMarkup::checkPlain($parent_comment->getSubject());
$tests['[comment:entity]'] = SafeMarkup::checkPlain($node->getTitle());
$tests['[comment:parent:title]'] = Html::escape($parent_comment->getSubject());
$tests['[comment:entity]'] = Html::escape($node->getTitle());
// Test node specific tokens.
$tests['[comment:entity:nid]'] = $comment->getCommentedEntityId();
$tests['[comment:entity:title]'] = SafeMarkup::checkPlain($node->getTitle());
$tests['[comment:entity:title]'] = Html::escape($node->getTitle());
$tests['[comment:author:uid]'] = $comment->getOwnerId();
$tests['[comment:author:name]'] = SafeMarkup::checkPlain($this->adminUser->getUsername());
$tests['[comment:author:name]'] = Html::escape($this->adminUser->getUsername());
$base_bubbleable_metadata = BubbleableMetadata::createFromObject($comment);
$metadata_tests = [];
......@@ -9,7 +9,6 @@
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\filter\FilterFormatInterface;
use Drupal\editor\EditorXssFilterInterface;
......@@ -114,7 +113,7 @@ protected static function filterXssDataAttributes($html) {
// value. There is no need to explicitly decode $node->value, since the
// DOMAttr::value getter returns the decoded value.
$value = Xss::filterAdmin($node->value);
$node->value = SafeMarkup::checkPlain($value);
$node->value = Html::escape($value);
}
$html = Html::serialize($dom);
}
......@@ -9,7 +9,6 @@
use Drupal\Component\Serialization\Json;
use Drupal\simpletest\WebTestBase;
use Drupal\Component\Utility\SafeMarkup;
/**
* Tests XSS protection for content creators when using text editors.
......@@ -388,7 +387,6 @@ function testSwitchingSecurity() {
// Log in as the privileged user, and for every sample, do the following:
// - switch to every other text format/editor
// - assert the XSS-filtered values that we get from the server
$value_original_attribute = SafeMarkup::checkPlain(self::$sampleContent);
$this->drupalLogin($this->privilegedUser);
foreach ($expected as $case) {
$this->drupalGet('node/' . $case['node_id'] . '/edit');
......@@ -7,7 +7,7 @@
namespace Drupal\field\Tests;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\Core\Form\FormState;
use Drupal\field\Entity\FieldConfig;
......@@ -105,7 +105,7 @@ function testFieldFormSingle() {
$this->drupalGet('entity_test/add');
// Create token value expected for description.
$token_description = SafeMarkup::checkPlain($this->config('system.site')->get('name')) . '_description';
$token_description = Html::escape($this->config('system.site')->get('name')) . '_description';
$this->assertText($token_description, 'Token replacement for description is displayed');
$this->assertFieldByName("{$field_name}[0][value]", '', 'Widget is displayed');
$this->assertNoField("{$field_name}[1][value]", 'No extraneous widget is displayed');
......@@ -7,7 +7,7 @@
namespace Drupal\field\Tests\String;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Entity\Display\EntityViewDisplayInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
......@@ -119,7 +119,7 @@ public function testStringFormatter() {
// Verify that all HTML is escaped and newlines are retained.
$this->renderEntityFields($entity, $this->display);
$this->assertNoRaw($value);
$this->assertRaw(nl2br(SafeMarkup::checkPlain($value)));
$this->assertRaw(nl2br(Html::escape($value)));
// Verify the cache tags.
$build = $entity->{$this->fieldName}->view();
......@@ -7,7 +7,7 @@
namespace Drupal\field\Tests\String;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Entity\Display\EntityViewDisplayInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
......@@ -119,7 +119,7 @@ public function testStringFormatter() {
// Verify that all HTML is escaped and newlines are retained.
$this->renderEntityFields($entity, $this->display);
$this->assertNoRaw($value);
$this->assertRaw(nl2br(SafeMarkup::checkPlain($value)));
$this->assertRaw(nl2br(Html::escape($value)));
// Verify the cache tags.
$build = $entity->{$this->fieldName}->view();
......@@ -5,6 +5,7 @@
* Defines a "managed_file" Form API field and a "file" field for Field module.
*/
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Datetime\Entity\DateFormat;
use Drupal\Core\Field\FieldDefinitionInterface;
......@@ -968,15 +969,15 @@ function file_tokens($type, $tokens, array $data, array $options, BubbleableMeta
// Essential file data
case 'name':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($file->getFilename()) : $file->getFilename();
$replacements[$original] = $sanitize ? Html::escape($file->getFilename()) : $file->getFilename();
break;
case 'path':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($file->getFileUri()) : $file->getFileUri();
$replacements[$original] = $sanitize ? Html::escape($file->getFileUri()) : $file->getFileUri();
break;
case 'mime':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($file->getMimeType()) : $file->getMimeType();
$replacements[$original] = $sanitize ? Html::escape($file->getMimeType()) : $file->getMimeType();
break;
case 'size':
......@@ -984,7 +985,7 @@ function file_tokens($type, $tokens, array $data, array $options, BubbleableMeta
break;
case 'url':
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain(file_create_url($file->getFileUri())) : file_create_url($file->getFileUri());
$replacements[$original] = $sanitize ? Html::escape(file_create_url($file->getFileUri())) : file_create_url($file->getFileUri());
break;
// These tokens are default variations on the chained tokens handled below.
......@@ -1004,7 +1005,7 @@ function file_tokens($type, $tokens, array $data, array $options, BubbleableMeta
$owner = $file->getOwner();
$bubbleable_metadata->addCacheableDependency($owner);
$name = $owner->label();
$replacements[$original] = $sanitize ? SafeMarkup::checkPlain($name) : $name;
$replacements[$original] = $sanitize ? Html::escape($name) : $name;
break;
}
}
......@@ -7,7 +7,7 @@
namespace Drupal\file\Tests;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\Render\BubbleableMetadata;
use Drupal\file\Entity\File;
......@@ -47,16 +47,16 @@ function testFileTokenReplacement() {
// Generate and test sanitized tokens.
$tests = array();
$tests['[file:fid]'] = $file->id();
$tests['[file:name]'] = SafeMarkup::checkPlain($file->getFilename());
$tests['[file:path]'] = SafeMarkup::checkPlain($file->getFileUri());
$tests['[file:mime]'] = SafeMarkup::checkPlain($file->getMimeType());
$tests['[file:name]'] = Html::escape($file->getFilename());
$tests['[file:path]'] = Html::escape($file->getFileUri());
$tests['[file:mime]'] = Html::escape($file->getMimeType());
$tests['[file:size]'] = format_size($file->getSize());
$tests['[file:url]'] = SafeMarkup::checkPlain(file_create_url($file->getFileUri()));
$tests['[file:url]'] = Html::escape(file_create_url($file->getFileUri()));
$tests['[file:created]'] = format_date($file->getCreatedTime(), 'medium', '', NULL, $language_interface->getId());
$tests['[file:created:short]'] = format_date($file->getCreatedTime(), 'short', '', NULL, $language_interface->getId());
$tests['[file:changed]'] = format_date($file->getChangedTime(), 'medium', '', NULL, $language_interface->getId());
$tests['[file:changed:short]'] = format_date($file->getChangedTime(), 'short', '', NULL, $language_interface->getId());
$tests['[file:owner]'] = SafeMarkup::checkPlain(user_format_name($this->adminUser));
$tests['[file:owner]'] = Html::escape(user_format_name($this->adminUser));
$tests['[file:owner:uid]'] = $file->getOwnerId();
$base_bubbleable_metadata = BubbleableMetadata::createFromObject($file);
......@@ -616,8 +616,8 @@ function _filter_url_parse_full_links($match) {
$i = 1;
$match[$i] = Html::decodeEntities($match[$i]);
$caption = SafeMarkup::checkPlain(_filter_url_trim($match[$i]));
$match[$i] = SafeMarkup::checkPlain($match[$i]);
$caption = Html::escape(_filter_url_trim($match[$i]));
$match[$i] = Html::escape($match[$i]);
return '<a href="' . $match[$i] . '">' . $caption . '</a>';
}
......@@ -631,8 +631,8 @@ function _filter_url_parse_email_links($match) {
$i = 0;
$match[$i] = Html::decodeEntities($match[$i]);
$caption = SafeMarkup::checkPlain(_filter_url_trim($match[$i]));
$match[$i] = SafeMarkup::checkPlain($match[$i]);
$caption = Html::escape(_filter_url_trim($match[$i]));
$match[$i] = Html::escape($match[$i]);
return '<a href="mailto:' . $match[$i] . '">' . $caption . '</a>';
}
......@@ -646,8 +646,8 @@ function _filter_url_parse_partial_links($match) {
$i = 1;
$match[$i] = Html::decodeEntities($match[$i]);
$caption = SafeMarkup::checkPlain(_filter_url_trim($match[$i]));
$match[$i] = SafeMarkup::checkPlain($match[$i]);
$caption = Html::escape(_filter_url_trim($match[$i]));
$match[$i] = Html::escape($match[$i]);
return '<a href="http://' . $match[$i] . '">' . $caption . '</a>';
}
......@@ -778,7 +778,7 @@ function _filter_autop($text) {
* Escapes all HTML tags, so they will be visible instead of being effective.
*/
function _filter_html_escape($text) {
return trim(SafeMarkup::checkPlain($text));
return trim(Html::escape($text));
}
/**
......@@ -8,7 +8,6 @@
namespace Drupal\filter\Plugin\Filter;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\Xss;
use Drupal\filter\FilterProcessResult;
......@@ -40,7 +39,7 @@ public function process($text, $langcode) {
$xpath = new \DOMXPath($dom);
foreach ($xpath->query('//*[@data-caption]') as $node) {
// Read the data-caption attribute's value, then delete it.
$caption = SafeMarkup::checkPlain($node->getAttribute('data-caption'));
$caption = Html::escape($node->getAttribute('data-caption'));
$node->removeAttribute('data-caption');
// Sanitize caption: decode HTML encoding, limit allowed HTML tags; only
......@@ -849,10 +849,10 @@ function assertFilteredString($filter, $tests) {
)));
}
if (!$success) {
$this->verbose('Source:<pre>' . SafeMarkup::checkPlain(var_export($source, TRUE)) . '</pre>'
. '<hr />' . 'Result:<pre>' . SafeMarkup::checkPlain(var_export($result, TRUE)) . '</pre>'
$this->verbose('Source:<pre>' . Html::escape(var_export($source, TRUE)) . '</pre>'
. '<hr />' . 'Result:<pre>' . Html::escape(var_export($result, TRUE)) . '</pre>'
. '<hr />' . ($is_expected ? 'Expected:' : 'Not expected:')
. '<pre>' . SafeMarkup::checkPlain(var_export($value, TRUE)) . '</pre>'
. '<pre>' . Html::escape(var_export($value, TRUE)) . '</pre>'
);
}
}
......@@ -7,7 +7,7 @@
namespace Drupal\language\Form;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\Entity\EntityForm;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Language\LanguageInterface;
......@@ -106,7 +106,7 @@ public function validateCommon(array $form, FormStateInterface $form_state) {
'@url' => 'http://www.w3.org/International/articles/language-tags/',
)));
}
if ($form_state->getValue('label') != SafeMarkup::checkPlain($form_state->getValue('label'))) {
if ($form_state->getValue('label') != Html::escape($form_state->getValue('label'))) {
$form_state->setErrorByName('label', $this->t('%field cannot contain any markup.', array('%field' => $form['label']['#title'])));
}
}
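Review bot: The new condition in `validateCommon()` still compares a string with its escaped form using loose `!=`; this is the place to make it strict: `if ($form_state->getValue('label') !== Html::escape($form_state->getValue('label'))) {`. Note also that `Html::escape()` encodes `'` as well as `&`, `<`, `>` and `"`, so a label containing an apostrophe or an ampersand is rejected with the message `%field cannot contain any markup.` although it contains no markup; if that is intended, a comment on the condition saying that these five characters are disallowed would spare the next reader the surprise. `validateCommon()` starts outside the hunk.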
......@@ -7,7 +7,7 @@
namespace Drupal\link\Tests;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Url;
use Drupal\link\LinkItemInterface;
......@@ -420,39 +420,39 @@ function testLinkFormatter() {
case 'trim_length':
$url = $url1;
$title = isset($new_value) ? Unicode::truncate($title1, $new_value, FALSE, TRUE) : $title1;
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url) . '">' . SafeMarkup::checkPlain($title) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url) . '">' . Html::escape($title) . '</a>');
$url = $url2;
$title = isset($new_value) ? Unicode::truncate($title2, $new_value, FALSE, TRUE) : $title2;
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url) . '">' . SafeMarkup::checkPlain($title) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url) . '">' . Html::escape($title) . '</a>');
break;
case 'rel':
$rel = isset($new_value) ? ' rel="' . $new_value . '"' : '';
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url1) . '"' . $rel . '>' . SafeMarkup::checkPlain($title1) . '</a>');
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url2) . '"' . $rel . '>' . SafeMarkup::checkPlain($title2) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url1) . '"' . $rel . '>' . Html::escape($title1) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url2) . '"' . $rel . '>' . Html::escape($title2) . '</a>');
break;
case 'target':
$target = isset($new_value) ? ' target="' . $new_value . '"' : '';
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url1) . '"' . $target . '>' . SafeMarkup::checkPlain($title1) . '</a>');
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url2) . '"' . $target . '>' . SafeMarkup::checkPlain($title2) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url1) . '"' . $target . '>' . Html::escape($title1) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url2) . '"' . $target . '>' . Html::escape($title2) . '</a>');
break;
case 'url_only':
// In this case, $new_value is an array.
if (!$new_value['url_only']) {
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url1) . '">' . SafeMarkup::checkPlain($title1) . '</a>');
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url2) . '">' . SafeMarkup::checkPlain($title2) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url1) . '">' . Html::escape($title1) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url2) . '">' . Html::escape($title2) . '</a>');
}
else {
if (empty($new_value['url_plain'])) {
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url1) . '">' . SafeMarkup::checkPlain($url1) . '</a>');
$this->assertRaw('<a href="' . SafeMarkup::checkPlain($url2) . '">' . SafeMarkup::checkPlain($url2) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url1) . '">' . Html::escape($url1) . '</a>');
$this->assertRaw('<a href="' . Html::escape($url2) . '">' . Html::escape($url2) . '</a>');
}
else {
$this->assertNoRaw('<a href="' . SafeMarkup::checkPlain($url1) . '">' . SafeMarkup::checkPlain($url1) . '</a>');
$this->assertNoRaw('<a href="' . SafeMarkup::checkPlain($url2) . '">' . SafeMarkup::checkPlain($url2) . '</a>');
$this->assertNoRaw('<a href="' . Html::escape($url1) . '">' . Html::escape($url1) . '</a>');
$this->assertNoRaw('<a href="' . Html::escape($url2) . '">' . Html::escape($url2) . '</a>');
$this->assertEscaped($url1);
$this->assertEscaped($url2);
}
......@@ -540,7 +540,7 @@ function testLinkSeparateFormatter() {
$url = $url1;
$url_title = isset($new_value) ? Unicode::truncate($url, $new_value, FALSE, TRUE) : $url;
$expected = '<div class="link-item">';
$expected .= '<div class="link-url"><a href="' . SafeMarkup::checkPlain($url) . '">' . SafeMarkup::checkPlain($url_title) . '</a></div>';
$expected .= '<div class="link-url"><a href="' . Html::escape($url) . '">' . Html::escape($url_title) . '</a></div>';
$expected .= '</div>';
$this->assertRaw($expected);
......@@ -548,22 +548,22 @@ function testLinkSeparateFormatter() {
$url_title = isset($new_value) ? Unicode::truncate($url, $new_value, FALSE, TRUE) : $url;
$title = isset($new_value) ? Unicode::truncate($title2, $new_value, FALSE, TRUE) : $title2;
$expected = '<div class="link-item">';
$expected .= '<div class="link-title">' . SafeMarkup::checkPlain($title) . '</div>';
$expected .= '<div class="link-url"><a href="' . SafeMarkup::checkPlain($url) . '">' . SafeMarkup::checkPlain($url_title) . '</a></div>';
$expected .= '<div class="link-title">' . Html::escape($title) . '</div>';
$expected .= '<div class="link-url"><a href="' . Html::escape($url) . '">' . Html::escape($url_title) . '</a></div>';
$expected .= '</div>';
$this->assertRaw($expected);
break;
case 'rel':
$rel = isset($new_value) ? ' rel="' . $new_value . '"' : '';
$this->assertRaw('<div class="link-url"><a href="' . SafeMarkup::checkPlain($url1) . '"' . $rel . '>' . SafeMarkup::checkPlain($url1) . '</a></div>');
$this->assertRaw('<div class="link-url"><a href="' . SafeMarkup::checkPlain($url2) . '"' . $rel . '>' . SafeMarkup::checkPlain($url2) . '</a></div>');
$this->assertRaw('<div class="link-url"><a href="' . Html::escape($url1) . '"' . $rel . '>' . Html::escape($url1) . '</a></div>');
$this->assertRaw('<div class="link-url"><a href="' . Html::escape($url2) . '"' . $rel . '>' . Html::escape($url2) . '</a></div>');
break;
case 'target':
$target = isset($new_value) ? ' target="' . $new_value . '"' : '';
$this->assertRaw('<div class="link-url"><a href="' . SafeMarkup::checkPlain($url1) . '"' . $target . '>' . SafeMarkup::checkPlain($url1) . '</a></div>');
$this->assertRaw('<div class="link-url"><a href="' . SafeMarkup::checkPlain($url2) . '"' . $target . '>' . SafeMarkup::checkPlain($url2) . '</a></div>');
$this->assertRaw('<div class="link-url"><a href="' . Html::escape($url1) . '"' . $target . '>' . Html::escape($url1) . '</a></div>');
$this->assertRaw('<div class="link-url"><a href="' . Html::escape($url2) . '"' . $target . '>' . Html::escape($url2) . '</a></div>');
break;
}
}
......@@ -7,7 +7,7 @@
namespace Drupal\locale\Form;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Drupal\locale\SourceString;
......@@ -73,7 +73,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
'#type' => 'item',
'#title' => $this->t('Source string (@language)', array('@language' => $this->t('Built-in English'))),
'#title_display' => 'invisible',
'#markup' => '<span lang="en">' . SafeMarkup::checkPlain($source_array[0]) . '</span>',
'#markup' => '<span lang="en">' . Html::escape($source_array[0]) . '</span>',
);
}
else {
......@@ -82,13 +82,13 @@ public function buildForm(array $form, FormStateInterface $form_state) {
$original_singular = [
'#type' => 'item',
'#title' => $this->t('Singular form'),
'#markup' => '<span lang="en">' . SafeMarkup::checkPlain($source_array[0]) . '</span>',
'#markup' => '<span lang="en">' . Html::escape($source_array[0]) . '</span>',
'#prefix' => '<span class="visually-hidden">' . $this->t('Source string (@language)', array('@language' => $this->t('Built-in English'))) . '</span>',
];
$original_plural = [
'#type' => 'item',
'#title' => $this->t('Plural form'),
'#markup' => '<span lang="en">' . SafeMarkup::checkPlain($source_array[1]) . '</span>',
'#markup' => '<span lang="en">' . Html::escape($source_array[1]) . '</span>',
];
$form['strings'][$string->lid]['original'] = [
$original_singular,
<?php
use Drupal\node\NodeInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Access\AccessResult;
......@@ -403,7 +403,7 @@ function hook_node_update_index(\Drupal\node\NodeInterface $node, $langcode) {
$text = '';
$ratings = db_query('SELECT title, description FROM {my_ratings} WHERE nid = :nid', array(':nid' => $node->id()));
foreach ($ratings as $rating) {
$text .= '<h2>' . SafeMarkup::checkPlain($rating->title) . '</h2>' . Xss::filter($rating->description);
$text .= '<h2>' . Html::escape($rating->title) . '</h2>' . Xss::filter($rating->description);
}
return $text;
}
......@@ -5,7 +5,7 @@
* Builds placeholder replacement tokens for node-related data.
*/
use Drupal\Component\Utility\SafeMarkup;