Commit f7c02dfe authored by Cottser's avatar Cottser

Issue #2579691 by lauriii, alexpott, stefan.r, YesCT, dawehner: Remove usages...

Issue #2579691 by lauriii, alexpott, stefan.r, YesCT, dawehner: Remove usages of SafeMarkup::isSafe()
parent ec829de9
......@@ -10,6 +10,7 @@
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Logger\RfcLogLevel;
use Drupal\Core\Render\Markup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Site\Settings;
use Drupal\Core\Utility\Error;
......@@ -441,7 +442,7 @@ function drupal_set_message($message = NULL, $type = 'status', $repeat = FALSE)
}
// Convert strings which are safe to the simplest Markup objects.
if (!($message instanceof Markup) && SafeMarkup::isSafe($message)) {
if (!($message instanceof Markup) && $message instanceof MarkupInterface) {
$message = Markup::create((string) $message);
}
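Review bot: The comment just above the changed condition, `// Convert strings which are safe to the simplest Markup objects.`, no longer describes the code: with the `instanceof MarkupInterface` test only markup objects are converted, a plain string never is. Suggest `// Convert safe markup objects to the simplest Markup object.`. Separately, the new `use Drupal\Component\Render\MarkupInterface;` line is dropped in where the removed import stood instead of in alphabetical position, so it follows `Drupal\Core\Render\Markup` here; the same happens in most of the other import hunks of this commit (the theme.inc, Drupal\Core\Template, link generator and views field-plugin files), and `Drupal\Core\Render\Markup` in the HtmlTag import hunk is likewise out of order. drupal_set_message() starts and ends outside the hunk.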
......
......@@ -11,7 +11,6 @@
use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Config\Config;
......@@ -428,7 +427,7 @@ function theme_render_and_autoescape($arg) {
// We have a string or an object converted to a string: Escape it!
if (isset($return)) {
return SafeMarkup::isSafe($return, 'html') ? $return : Html::escape($return);
return $return instanceof MarkupInterface ? $return : Html::escape($return);
}
// This is a normal render array, which is safe by definition, with special
......
......@@ -8,7 +8,6 @@
namespace Drupal\Component\Render;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\UrlHelper;
......@@ -199,22 +198,21 @@ protected static function placeholderFormat($string, array $args) {
// Escape if the value is not an object from a class that implements
// \Drupal\Component\Render\MarkupInterface, for example strings will
// be escaped.
// \Drupal\Component\Utility\SafeMarkup\SafeMarkup::isSafe() may
// return TRUE for content that is safe within HTML fragments, but not
// within other contexts, so this placeholder type must not be used
// within HTML attributes, JavaScript, or CSS.
// Strings that are safe within HTML fragments, but not within other
// contexts, may still be an instance of
// \Drupal\Component\Render\MarkupInterface, so this placeholder type
// must not be used within HTML attributes, JavaScript, or CSS.
$args[$key] = static::placeholderEscape($value);
break;
case ':':
// Strip URL protocols that can be XSS vectors.
$value = UrlHelper::stripDangerousProtocols($value);
// Escape unconditionally, without checking
// \Drupal\Component\Utility\SafeMarkup\SafeMarkup::isSafe(). This
// forces characters that are unsafe for use in an "href" HTML
// attribute to be encoded. If a caller wants to pass a value that is
// extracted from HTML and therefore is already HTML encoded, it must
// invoke
// Escape unconditionally, without checking whether the value is an
// instance of \Drupal\Component\Render\MarkupInterface. This forces
// characters that are unsafe for use in an "href" HTML attribute to
// be encoded. If a caller wants to pass a value that is extracted
// from HTML and therefore is already HTML encoded, it must invoke
// \Drupal\Component\Render\OutputStrategyInterface::renderFromHtml()
// on it prior to passing it in as a placeholder value of this type.
// @todo Add some advice and stronger warnings.
......@@ -226,8 +224,8 @@ protected static function placeholderFormat($string, array $args) {
// Similarly to @, escape non-safe values. Also, add wrapping markup
// in order to render as a placeholder. Not for use within attributes,
// per the warning above about
// \Drupal\Component\Utility\SafeMarkup\SafeMarkup::isSafe() and also
// due to the wrapping markup.
// \Drupal\Component\Render\MarkupInterface and also due to the
// wrapping markup.
$args[$key] = '<em class="placeholder">' . static::placeholderEscape($value) . '</em>';
break;
......@@ -256,7 +254,7 @@ protected static function placeholderFormat($string, array $args) {
* The properly escaped replacement value.
*/
protected static function placeholderEscape($value) {
return SafeMarkup::isSafe($value) ? (string) $value : Html::escape($value);
return $value instanceof MarkupInterface ? (string) $value : Html::escape($value);
}
}
......@@ -26,7 +26,6 @@
* implement \Countable so it can be used in if statements.
*
* @see \Drupal\Component\Render\MarkupTrait
* @see \Drupal\Component\Utility\SafeMarkup::isSafe()
* @see \Drupal\Core\Template\TwigExtension::escapeFilter()
* @see \Drupal\Component\Render\FormattableMarkup
* @see \Drupal\Core\StringTranslation\TranslatableMarkup
......
......@@ -7,8 +7,8 @@
namespace Drupal\Core\Render\Element;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html as HtmlUtility;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Render\Markup;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Template\Attribute;
......@@ -97,7 +97,7 @@ public static function preRenderHtmlTag($element) {
// Construct all other elements.
else {
$markup .= '>';
$markup .= SafeMarkup::isSafe($element['#value']) ? $element['#value'] : Xss::filterAdmin($element['#value']);
$markup .= $element['#value'] instanceof MarkupInterface ? $element['#value'] : Xss::filterAdmin($element['#value']);
$markup .= '</' . $escaped_tag . ">\n";
}
if (!empty($element['#noscript'])) {
......@@ -171,11 +171,11 @@ public static function preRenderConditionalComments($element) {
// Ensure what we are dealing with is safe.
// This would be done later anyway in drupal_render().
$prefix = isset($element['#prefix']) ? $element['#prefix'] : '';
if ($prefix && !SafeMarkup::isSafe($prefix)) {
if ($prefix && !($prefix instanceof MarkupInterface)) {
$prefix = Xss::filterAdmin($prefix);
}
$suffix = isset($element['#suffix']) ? $element['#suffix'] : '';
if ($suffix && !SafeMarkup::isSafe($suffix)) {
if ($suffix && !($suffix instanceof MarkupInterface)) {
$suffix = Xss::filterAdmin($suffix);
}
......
......@@ -7,7 +7,6 @@
namespace Drupal\Core\Render;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Cache\Context\CacheContextsManager;
......@@ -341,12 +340,6 @@ public function getCacheableRenderArray(array $elements) {
// the cache entry size.
if (!empty($elements['#cache_properties']) && is_array($elements['#cache_properties'])) {
$data['#cache_properties'] = $elements['#cache_properties'];
// Ensure that any safe strings are a Markup object.
foreach (Element::properties(array_flip($elements['#cache_properties'])) as $cache_property) {
if (isset($elements[$cache_property]) && is_scalar($elements[$cache_property]) && SafeMarkup::isSafe($elements[$cache_property])) {
$elements[$cache_property] = Markup::create($elements[$cache_property]);
}
}
// Extract all the cacheable items from the element using cache
// properties.
......
......@@ -7,8 +7,8 @@
namespace Drupal\Core\Render;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Cache\Cache;
......@@ -675,11 +675,12 @@ public function addCacheableDependency(array &$elements, $dependency) {
* A string.
*
* @return \Drupal\Core\Render\Markup
* The escaped string wrapped in a Markup object. If
* SafeMarkup::isSafe($string) returns TRUE, it won't be escaped again.
* The escaped string wrapped in a Markup object. If the string is an
* instance of \Drupal\Component\Render\MarkupInterface, it won't be escaped
* again.
*/
protected function xssFilterAdminIfUnsafe($string) {
if (!SafeMarkup::isSafe($string)) {
if (!($string instanceof MarkupInterface)) {
$string = Xss::filterAdmin($string);
}
return Markup::create($string);
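Review bot: The parameter description `A string.` at the top of the hunk (its `@param` line sits just outside it) is now incomplete: the `!($string instanceof MarkupInterface)` guard only makes sense if callers pass markup objects, so the parameter should be documented as `string|\Drupal\Component\Render\MarkupInterface $string`. Also, `Markup::create($string)` now receives the object itself whenever the guard is skipped; if Markup::create() hands a MarkupInterface argument back unchanged (as Drupal's MarkupTrait::create() appears to — please confirm), the `@return \Drupal\Core\Render\Markup` type is narrower than what the method can return and `\Drupal\Component\Render\MarkupInterface` would be accurate. The ensureMarkupIsSafe() docblock changed in the next hunk already uses the interface type and could serve as the model.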
......@@ -704,8 +705,8 @@ protected function xssFilterAdminIfUnsafe($string) {
* A render array with #markup set.
*
* @return \Drupal\Component\Render\MarkupInterface|string
* The escaped markup wrapped in a Markup object. If
* SafeMarkup::isSafe($elements['#markup']) returns TRUE, it won't be
* The escaped markup wrapped in a Markup object. If $elements['#markup']
* is an instance of \Drupal\Component\Render\MarkupInterface, it won't be
* escaped or filtered again.
*
* @see \Drupal\Component\Utility\Html::escape()
......@@ -720,7 +721,7 @@ protected function ensureMarkupIsSafe(array $elements) {
if (!empty($elements['#plain_text'])) {
$elements['#markup'] = Markup::create(Html::escape($elements['#plain_text']));
}
elseif (!SafeMarkup::isSafe($elements['#markup'])) {
elseif (!($elements['#markup'] instanceof MarkupInterface)) {
// The default behaviour is to XSS filter using the admin tag list.
$tags = isset($elements['#allowed_tags']) ? $elements['#allowed_tags'] : Xss::getAdminTagList();
$elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $tags));
......
......@@ -8,7 +8,6 @@
namespace Drupal\Core\Template;
use Drupal\Component\Render\PlainTextOutput;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
/**
......@@ -139,7 +138,7 @@ protected function createAttributeValue($name, $value) {
$value = new AttributeBoolean($name, $value);
}
// As a development aid, we allow the value to be a safe string object.
elseif (SafeMarkup::isSafe($value)) {
elseif ($value instanceof MarkupInterface) {
// Attributes are not supposed to display HTML markup, so we just convert
// the value to plain text.
$value = PlainTextOutput::renderFromHtml($value);
......
......@@ -13,7 +13,6 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Datetime\DateFormatterInterface;
use Drupal\Core\Render\RenderableInterface;
......@@ -446,7 +445,7 @@ public function escapeFilter(\Twig_Environment $env, $arg, $strategy = 'html', $
// We have a string or an object converted to a string: Autoescape it!
if (isset($return)) {
if ($autoescape && SafeMarkup::isSafe($return, $strategy)) {
if ($autoescape && $return instanceof MarkupInterface) {
return $return;
}
// Drupal only supports the HTML escaping strategy, so provide a
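Review bot: The guard `if ($autoescape && $return instanceof MarkupInterface)` no longer consults `$strategy`, so a MarkupInterface object is returned unescaped for every strategy, while the comments added to FormattableMarkup in this same commit state that such objects are only guaranteed safe within HTML fragments, not in attributes, JavaScript or CSS. Whether the removed `SafeMarkup::isSafe($return, $strategy)` call actually rejected markup objects for non-HTML strategies is not visible here, so this may be pre-existing behaviour rather than a regression introduced by the hunk. Either restrict the shortcut, `if ($autoescape && $strategy === 'html' && $return instanceof MarkupInterface)`, or record the trust decision in a comment such as `// MarkupInterface objects are treated as safe for every $strategy, although the interface only guarantees HTML-fragment safety.`. escapeFilter() starts and ends outside the hunk.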
......
......@@ -9,7 +9,6 @@
use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\GeneratedLink;
......@@ -166,7 +165,7 @@ public function generate($text, Url $url) {
$attributes['href'] = $generated_url->getGeneratedUrl();
}
if (!SafeMarkup::isSafe($variables['text'])) {
if (!($variables['text'] instanceof MarkupInterface)) {
$variables['text'] = Html::escape($variables['text']);
}
$attributes = new Attribute($attributes);
......
......@@ -8,7 +8,7 @@
namespace Drupal\comment\Tests;
use Drupal\comment\CommentManagerInterface;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Datetime\DrupalDateTime;
use Drupal\comment\Entity\Comment;
......@@ -54,7 +54,7 @@ function testCommentPreview() {
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
$this->drupalPostForm('node/' . $this->node->id(), $edit, t('Preview'));
$this->assertTrue(SafeMarkup::isSafe($this->webUser->getDisplayName()), 'Username is marked safe');
$this->assertTrue($this->webUser->getDisplayName() instanceof MarkupInterface, 'Username is marked safe');
$this->assertNoEscaped('<em>' . $this->webUser->id() . '</em>');
$this->assertRaw('<em>' . $this->webUser->id() . '</em>');
......
......@@ -7,7 +7,6 @@
namespace Drupal\menu_link_content\Tests;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Menu\MenuTreeParameters;
use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\menu_link_content\Entity\MenuLinkContent;
......@@ -72,7 +71,6 @@ public function testRediscover() {
$title = $tree_element->link->getTitle();
$this->assertFalse($title instanceof TranslatableMarkup);
$this->assertIdentical('<script>alert("Welcome to the discovered jungle!")</script>', $title);
$this->assertFalse(SafeMarkup::isSafe($title));
// Create a hierarchy.
\Drupal::state()->set('menu_link_content_dynamic_route.routes', [
......
......@@ -7,7 +7,7 @@
namespace Drupal\system\Tests\Utility;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Render\RenderContext;
use Drupal\Core\Url;
use Drupal\simpletest\KernelTestBase;
......@@ -32,7 +32,7 @@ function testHookLinkAlter() {
return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url);
});
$this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.');
$this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is not escaped.
$this->assertRaw('<em>link with markup</em>');
......@@ -42,7 +42,7 @@ function testHookLinkAlter() {
return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url);
});
$this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.');
$this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is escaped.
$this->assertEscaped('<em>link with markup</em> <strong>Test!</strong>');
......@@ -52,7 +52,7 @@ function testHookLinkAlter() {
return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url);
});
$this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.');
$this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is escaped.
$this->assertRaw('<em>link with markup</em> <strong>Test!</strong>');
......@@ -61,7 +61,7 @@ function testHookLinkAlter() {
return \Drupal::l('<em>link with markup</em>', $url);
});
$this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.');
$this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is escaped.
$this->assertEscaped('<em>link with markup</em>');
$this->assertRaw('<strong>Test!</strong>');
......
......@@ -8,7 +8,6 @@
namespace Drupal\views\Plugin\views\field;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\UrlHelper;
......@@ -1221,7 +1220,7 @@ public function renderText($alter) {
// alterations made by this method. Any alterations or replacements made
// within this method need to ensure that at the minimum the result is
// XSS admin filtered. See self::renderAltered() as an example that does.
$value_is_safe = SafeMarkup::isSafe($this->last_render);
$value_is_safe = $this->last_render instanceof MarkupInterface;
// Cast to a string so that empty checks and string functions work as
// expected.
$value = (string) $this->last_render;
......@@ -1299,9 +1298,10 @@ public function renderText($alter) {
}
// Preserve whether or not the string is safe. Since $more_link comes from
// \Drupal::l(), it is safe to append. Use SafeMarkup::isSafe() here because
// renderAsLink() can return both safe and unsafe values.
if (SafeMarkup::isSafe($value)) {
// \Drupal::l(), it is safe to append. Check if the value is an instance of
// \Drupal\Component\Render\MarkupInterface here because renderAsLink()
// can return both safe and unsafe values.
if ($value instanceof MarkupInterface) {
return ViewsRenderPipelineMarkup::create($value . $more_link);
}
else {
......
......@@ -5,8 +5,8 @@
* Primarily Drupal hooks and global API functions to manipulate views.
*/
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Database\Query\AlterableInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Form\FormStateInterface;
......@@ -622,7 +622,7 @@ function views_pre_render_views_form_views_form($element) {
foreach ($substitutions as $placeholder => $substitution) {
$search[] = Html::escape($placeholder);
// Ensure that any replacements made are safe to make.
if (!SafeMarkup::isSafe($substitution)) {
if (!($substitution instanceof MarkupInterface)) {
$substitution = Html::escape($substitution);
}
$replace[] = $substitution;
......
......@@ -7,7 +7,6 @@
namespace Drupal\Tests\views_ui\Unit;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Tests\UnitTestCase;
......@@ -168,8 +167,6 @@ public function testBuildRowEntityList() {
$display_paths = $row['data']['path']['data']['#items'];
// These values will be escaped by Twig when rendered.
$this->assertEquals('/test_page, /<object>malformed_path</object>, /<script>alert("placeholder_page/%")</script>', implode(', ', $display_paths));
$this->assertFalse(SafeMarkup::isSafe('/<object>malformed_path</object>'), '/<script>alert("/<object>malformed_path</object> is not marked safe.');
$this->assertFalse(SafeMarkup::isSafe('/<script>alert("placeholder_page/%")'), '/<script>alert("/<script>alert("placeholder_page/%") is not marked safe.');
}
}
......
......@@ -138,7 +138,7 @@ public function testFormat($string, array $args, $expected, $message, $expected_
$result = SafeMarkup::format($string, $args);
$this->assertEquals($expected, $result, $message);
$this->assertEquals($expected_is_safe, SafeMarkup::isSafe($result), 'SafeMarkup::format correctly sets the result as safe or not safe.');
$this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
foreach ($args as $arg) {
$this->assertSame($arg instanceof SafeMarkupTestMarkup, SafeMarkup::isSafe($arg));
......
......@@ -7,7 +7,7 @@
namespace Drupal\Tests\Core\Render;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Cache\Cache;
......@@ -47,13 +47,13 @@ public function testRenderBasic($build, $expected, callable $setup_code = NULL)
}
if (isset($build['#markup'])) {
$this->assertFalse(SafeMarkup::isSafe($build['#markup']), 'The #markup value is not marked safe before rendering.');
$this->assertNotInstanceOf(MarkupInterface::class, $build['#markup'], 'The #markup value is not marked safe before rendering.');
}
$render_output = $this->renderer->renderRoot($build);
$this->assertSame($expected, (string) $render_output);
if ($render_output !== '') {
$this->assertTrue(SafeMarkup::isSafe($render_output), 'Output of render is marked safe.');
$this->assertTrue(SafeMarkup::isSafe($build['#markup']), 'The #markup value is marked safe after rendering.');
$this->assertInstanceOf(MarkupInterface::class, $render_output, 'Output of render is marked safe.');
$this->assertInstanceOf(MarkupInterface::class, $build['#markup'], 'The #markup value is marked safe after rendering.');
}
}
......@@ -751,7 +751,7 @@ public function testRenderCacheProperties(array $expected_results) {
// #custom_property_array can not be a safe_cache_property.
$safe_cache_properties = array_diff(Element::properties(array_filter($expected_results)), ['#custom_property_array']);
foreach ($safe_cache_properties as $cache_property) {
$this->assertTrue(SafeMarkup::isSafe($data[$cache_property]), "$cache_property is marked as a safe string");
$this->assertInstanceOf(MarkupInterface::class, $data[$cache_property], "$cache_property is marked as a safe string");
}
}
......
......@@ -7,7 +7,6 @@
namespace Drupal\Tests\Core\StringTranslation;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\StringTranslation\TranslationManager;
use Drupal\Tests\UnitTestCase;
......@@ -64,7 +63,7 @@ public function testFormatPlural($count, $singular, $plural, array $args = array
$this->translationManager->addTranslator($translator);
$result = $this->translationManager->formatPlural($count, $singular, $plural, $args, $options);
$this->assertEquals($expected, $result);
$this->assertTrue(SafeMarkup::isSafe($result));
$this->assertInstanceOf(MarkupInterface::class, $result);
}
/**
......