Commit f7c02dfe authored by Cottser's avatar Cottser

Issue #2579691 by lauriii, alexpott, stefan.r, YesCT, dawehner: Remove usages...

Issue #2579691 by lauriii, alexpott, stefan.r, YesCT, dawehner: Remove usages of SafeMarkup::isSafe()
parent ec829de9
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Unicode;
use Drupal\Core\Logger\RfcLogLevel; use Drupal\Core\Logger\RfcLogLevel;
use Drupal\Core\Render\Markup; use Drupal\Core\Render\Markup;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Session\AccountInterface; use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Site\Settings; use Drupal\Core\Site\Settings;
use Drupal\Core\Utility\Error; use Drupal\Core\Utility\Error;
...@@ -441,7 +442,7 @@ function drupal_set_message($message = NULL, $type = 'status', $repeat = FALSE) ...@@ -441,7 +442,7 @@ function drupal_set_message($message = NULL, $type = 'status', $repeat = FALSE)
} }
// Convert strings which are safe to the simplest Markup objects. // Convert strings which are safe to the simplest Markup objects.
if (!($message instanceof Markup) && SafeMarkup::isSafe($message)) { if (!($message instanceof Markup) && $message instanceof MarkupInterface) {
$message = Markup::create((string) $message); $message = Markup::create((string) $message);
} }
......
...@@ -11,7 +11,6 @@ ...@@ -11,7 +11,6 @@
use Drupal\Component\Serialization\Json; use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\Crypt; use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface; use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Unicode;
use Drupal\Core\Config\Config; use Drupal\Core\Config\Config;
...@@ -428,7 +427,7 @@ function theme_render_and_autoescape($arg) { ...@@ -428,7 +427,7 @@ function theme_render_and_autoescape($arg) {
// We have a string or an object converted to a string: Escape it! // We have a string or an object converted to a string: Escape it!
if (isset($return)) { if (isset($return)) {
return SafeMarkup::isSafe($return, 'html') ? $return : Html::escape($return); return $return instanceof MarkupInterface ? $return : Html::escape($return);
} }
// This is a normal render array, which is safe by definition, with special // This is a normal render array, which is safe by definition, with special
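Review bot: In theme_render_and_autoescape() the true branch of `$return instanceof MarkupInterface` looks unreachable. The comment directly above says `$return` is a string or an object already converted to a string, and a PHP string is never an instance of an interface. If that holds (the assignment of `$return` is outside this hunk), the line can be written as `return Html::escape($return);`, which makes it obvious that this path always escapes. The same pattern appears in TwigExtension::escapeFilter() as `$autoescape && $return instanceof MarkupInterface`.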
......
...@@ -8,7 +8,6 @@ ...@@ -8,7 +8,6 @@
namespace Drupal\Component\Render; namespace Drupal\Component\Render;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\UrlHelper; use Drupal\Component\Utility\UrlHelper;
...@@ -199,22 +198,21 @@ protected static function placeholderFormat($string, array $args) { ...@@ -199,22 +198,21 @@ protected static function placeholderFormat($string, array $args) {
// Escape if the value is not an object from a class that implements // Escape if the value is not an object from a class that implements
// \Drupal\Component\Render\MarkupInterface, for example strings will // \Drupal\Component\Render\MarkupInterface, for example strings will
// be escaped. // be escaped.
// \Drupal\Component\Utility\SafeMarkup\SafeMarkup::isSafe() may // Strings that are safe within HTML fragments, but not within other
// return TRUE for content that is safe within HTML fragments, but not // contexts, may still be an instance of
// within other contexts, so this placeholder type must not be used // \Drupal\Component\Render\MarkupInterface, so this placeholder type
// within HTML attributes, JavaScript, or CSS. // must not be used within HTML attributes, JavaScript, or CSS.
$args[$key] = static::placeholderEscape($value); $args[$key] = static::placeholderEscape($value);
break; break;
case ':': case ':':
// Strip URL protocols that can be XSS vectors. // Strip URL protocols that can be XSS vectors.
$value = UrlHelper::stripDangerousProtocols($value); $value = UrlHelper::stripDangerousProtocols($value);
// Escape unconditionally, without checking // Escape unconditionally, without checking whether the value is an
// \Drupal\Component\Utility\SafeMarkup\SafeMarkup::isSafe(). This // instance of \Drupal\Component\Render\MarkupInterface. This forces
// forces characters that are unsafe for use in an "href" HTML // characters that are unsafe for use in an "href" HTML attribute to
// attribute to be encoded. If a caller wants to pass a value that is // be encoded. If a caller wants to pass a value that is extracted
// extracted from HTML and therefore is already HTML encoded, it must // from HTML and therefore is already HTML encoded, it must invoke
// invoke
// \Drupal\Component\Render\OutputStrategyInterface::renderFromHtml() // \Drupal\Component\Render\OutputStrategyInterface::renderFromHtml()
// on it prior to passing it in as a placeholder value of this type. // on it prior to passing it in as a placeholder value of this type.
// @todo Add some advice and stronger warnings. // @todo Add some advice and stronger warnings.
...@@ -226,8 +224,8 @@ protected static function placeholderFormat($string, array $args) { ...@@ -226,8 +224,8 @@ protected static function placeholderFormat($string, array $args) {
// Similarly to @, escape non-safe values. Also, add wrapping markup // Similarly to @, escape non-safe values. Also, add wrapping markup
// in order to render as a placeholder. Not for use within attributes, // in order to render as a placeholder. Not for use within attributes,
// per the warning above about // per the warning above about
// \Drupal\Component\Utility\SafeMarkup\SafeMarkup::isSafe() and also // \Drupal\Component\Render\MarkupInterface and also due to the
// due to the wrapping markup. // wrapping markup.
$args[$key] = '<em class="placeholder">' . static::placeholderEscape($value) . '</em>'; $args[$key] = '<em class="placeholder">' . static::placeholderEscape($value) . '</em>';
break; break;
...@@ -256,7 +254,7 @@ protected static function placeholderFormat($string, array $args) { ...@@ -256,7 +254,7 @@ protected static function placeholderFormat($string, array $args) {
* The properly escaped replacement value. * The properly escaped replacement value.
*/ */
protected static function placeholderEscape($value) { protected static function placeholderEscape($value) {
return SafeMarkup::isSafe($value) ? (string) $value : Html::escape($value); return $value instanceof MarkupInterface ? (string) $value : Html::escape($value);
} }
} }
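Review bot: placeholderEscape() makes the trust decision for the `@` and `%` placeholders, but nothing at the `instanceof` line says what it relies on. The check is on the type only, so any object whose class implements MarkupInterface is emitted through `(string) $value` with no escaping. I would add a comment above the return such as `// A MarkupInterface object is trusted to return HTML-safe output from __toString(); every other value is escaped.` so the reasoning sits next to the code that enforces it. The method's docblock starts outside the hunk, and its visible "properly escaped" wording does not mention the pass-through case.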
...@@ -26,7 +26,6 @@ ...@@ -26,7 +26,6 @@
* implement \Countable so it can be used in if statements. * implement \Countable so it can be used in if statements.
* *
* @see \Drupal\Component\Render\MarkupTrait * @see \Drupal\Component\Render\MarkupTrait
* @see \Drupal\Component\Utility\SafeMarkup::isSafe()
* @see \Drupal\Core\Template\TwigExtension::escapeFilter() * @see \Drupal\Core\Template\TwigExtension::escapeFilter()
* @see \Drupal\Component\Render\FormattableMarkup * @see \Drupal\Component\Render\FormattableMarkup
* @see \Drupal\Core\StringTranslation\TranslatableMarkup * @see \Drupal\Core\StringTranslation\TranslatableMarkup
......
...@@ -7,8 +7,8 @@ ...@@ -7,8 +7,8 @@
namespace Drupal\Core\Render\Element; namespace Drupal\Core\Render\Element;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html as HtmlUtility; use Drupal\Component\Utility\Html as HtmlUtility;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Render\Markup; use Drupal\Core\Render\Markup;
use Drupal\Component\Utility\Xss; use Drupal\Component\Utility\Xss;
use Drupal\Core\Template\Attribute; use Drupal\Core\Template\Attribute;
...@@ -97,7 +97,7 @@ public static function preRenderHtmlTag($element) { ...@@ -97,7 +97,7 @@ public static function preRenderHtmlTag($element) {
// Construct all other elements. // Construct all other elements.
else { else {
$markup .= '>'; $markup .= '>';
$markup .= SafeMarkup::isSafe($element['#value']) ? $element['#value'] : Xss::filterAdmin($element['#value']); $markup .= $element['#value'] instanceof MarkupInterface ? $element['#value'] : Xss::filterAdmin($element['#value']);
$markup .= '</' . $escaped_tag . ">\n"; $markup .= '</' . $escaped_tag . ">\n";
} }
if (!empty($element['#noscript'])) { if (!empty($element['#noscript'])) {
...@@ -171,11 +171,11 @@ public static function preRenderConditionalComments($element) { ...@@ -171,11 +171,11 @@ public static function preRenderConditionalComments($element) {
// Ensure what we are dealing with is safe. // Ensure what we are dealing with is safe.
// This would be done later anyway in drupal_render(). // This would be done later anyway in drupal_render().
$prefix = isset($element['#prefix']) ? $element['#prefix'] : ''; $prefix = isset($element['#prefix']) ? $element['#prefix'] : '';
if ($prefix && !SafeMarkup::isSafe($prefix)) { if ($prefix && !($prefix instanceof MarkupInterface)) {
$prefix = Xss::filterAdmin($prefix); $prefix = Xss::filterAdmin($prefix);
} }
$suffix = isset($element['#suffix']) ? $element['#suffix'] : ''; $suffix = isset($element['#suffix']) ? $element['#suffix'] : '';
if ($suffix && !SafeMarkup::isSafe($suffix)) { if ($suffix && !($suffix instanceof MarkupInterface)) {
$suffix = Xss::filterAdmin($suffix); $suffix = Xss::filterAdmin($suffix);
} }
......
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\Core\Render; namespace Drupal\Core\Render;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache; use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheableMetadata; use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Cache\Context\CacheContextsManager; use Drupal\Core\Cache\Context\CacheContextsManager;
...@@ -341,12 +340,6 @@ public function getCacheableRenderArray(array $elements) { ...@@ -341,12 +340,6 @@ public function getCacheableRenderArray(array $elements) {
// the cache entry size. // the cache entry size.
if (!empty($elements['#cache_properties']) && is_array($elements['#cache_properties'])) { if (!empty($elements['#cache_properties']) && is_array($elements['#cache_properties'])) {
$data['#cache_properties'] = $elements['#cache_properties']; $data['#cache_properties'] = $elements['#cache_properties'];
// Ensure that any safe strings are a Markup object.
foreach (Element::properties(array_flip($elements['#cache_properties'])) as $cache_property) {
if (isset($elements[$cache_property]) && is_scalar($elements[$cache_property]) && SafeMarkup::isSafe($elements[$cache_property])) {
$elements[$cache_property] = Markup::create($elements[$cache_property]);
}
}
// Extract all the cacheable items from the element using cache // Extract all the cacheable items from the element using cache
// properties. // properties.
......
...@@ -7,8 +7,8 @@ ...@@ -7,8 +7,8 @@
namespace Drupal\Core\Render; namespace Drupal\Core\Render;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Xss; use Drupal\Component\Utility\Xss;
use Drupal\Core\Access\AccessResultInterface; use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Cache\Cache; use Drupal\Core\Cache\Cache;
...@@ -675,11 +675,12 @@ public function addCacheableDependency(array &$elements, $dependency) { ...@@ -675,11 +675,12 @@ public function addCacheableDependency(array &$elements, $dependency) {
* A string. * A string.
* *
* @return \Drupal\Core\Render\Markup * @return \Drupal\Core\Render\Markup
* The escaped string wrapped in a Markup object. If * The escaped string wrapped in a Markup object. If the string is an
* SafeMarkup::isSafe($string) returns TRUE, it won't be escaped again. * instance of \Drupal\Component\Render\MarkupInterface, it won't be escaped
* again.
*/ */
protected function xssFilterAdminIfUnsafe($string) { protected function xssFilterAdminIfUnsafe($string) {
if (!SafeMarkup::isSafe($string)) { if (!($string instanceof MarkupInterface)) {
$string = Xss::filterAdmin($string); $string = Xss::filterAdmin($string);
} }
return Markup::create($string); return Markup::create($string);
...@@ -704,8 +705,8 @@ protected function xssFilterAdminIfUnsafe($string) { ...@@ -704,8 +705,8 @@ protected function xssFilterAdminIfUnsafe($string) {
* A render array with #markup set. * A render array with #markup set.
* *
* @return \Drupal\Component\Render\MarkupInterface|string * @return \Drupal\Component\Render\MarkupInterface|string
* The escaped markup wrapped in a Markup object. If * The escaped markup wrapped in a Markup object. If $elements['#markup']
* SafeMarkup::isSafe($elements['#markup']) returns TRUE, it won't be * is an instance of \Drupal\Component\Render\MarkupInterface, it won't be
* escaped or filtered again. * escaped or filtered again.
* *
* @see \Drupal\Component\Utility\Html::escape() * @see \Drupal\Component\Utility\Html::escape()
...@@ -720,7 +721,7 @@ protected function ensureMarkupIsSafe(array $elements) { ...@@ -720,7 +721,7 @@ protected function ensureMarkupIsSafe(array $elements) {
if (!empty($elements['#plain_text'])) { if (!empty($elements['#plain_text'])) {
$elements['#markup'] = Markup::create(Html::escape($elements['#plain_text'])); $elements['#markup'] = Markup::create(Html::escape($elements['#plain_text']));
} }
elseif (!SafeMarkup::isSafe($elements['#markup'])) { elseif (!($elements['#markup'] instanceof MarkupInterface)) {
// The default behaviour is to XSS filter using the admin tag list. // The default behaviour is to XSS filter using the admin tag list.
$tags = isset($elements['#allowed_tags']) ? $elements['#allowed_tags'] : Xss::getAdminTagList(); $tags = isset($elements['#allowed_tags']) ? $elements['#allowed_tags'] : Xss::getAdminTagList();
$elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $tags)); $elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $tags));
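Review bot: The reworded `@return` text for xssFilterAdminIfUnsafe() still describes the result as "escaped" and says a MarkupInterface instance "won't be escaped again", but the body calls `Xss::filterAdmin()`, which filters against the admin tag list rather than escaping. Since these lines are being rewritten anyway, I would use `The admin-XSS-filtered string wrapped in a Markup object. Instances of \Drupal\Component\Render\MarkupInterface are passed through unfiltered.` The distinction matters to callers, because filtered output still contains markup. The docblock begins outside the hunk.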
......
...@@ -8,7 +8,6 @@ ...@@ -8,7 +8,6 @@
namespace Drupal\Core\Template; namespace Drupal\Core\Template;
use Drupal\Component\Render\PlainTextOutput; use Drupal\Component\Render\PlainTextOutput;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface; use Drupal\Component\Render\MarkupInterface;
/** /**
...@@ -139,7 +138,7 @@ protected function createAttributeValue($name, $value) { ...@@ -139,7 +138,7 @@ protected function createAttributeValue($name, $value) {
$value = new AttributeBoolean($name, $value); $value = new AttributeBoolean($name, $value);
} }
// As a development aid, we allow the value to be a safe string object. // As a development aid, we allow the value to be a safe string object.
elseif (SafeMarkup::isSafe($value)) { elseif ($value instanceof MarkupInterface) {
// Attributes are not supposed to display HTML markup, so we just convert // Attributes are not supposed to display HTML markup, so we just convert
// the value to plain text. // the value to plain text.
$value = PlainTextOutput::renderFromHtml($value); $value = PlainTextOutput::renderFromHtml($value);
......
...@@ -13,7 +13,6 @@ ...@@ -13,7 +13,6 @@
namespace Drupal\Core\Template; namespace Drupal\Core\Template;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface; use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Datetime\DateFormatterInterface; use Drupal\Core\Datetime\DateFormatterInterface;
use Drupal\Core\Render\RenderableInterface; use Drupal\Core\Render\RenderableInterface;
...@@ -446,7 +445,7 @@ public function escapeFilter(\Twig_Environment $env, $arg, $strategy = 'html', $ ...@@ -446,7 +445,7 @@ public function escapeFilter(\Twig_Environment $env, $arg, $strategy = 'html', $
// We have a string or an object converted to a string: Autoescape it! // We have a string or an object converted to a string: Autoescape it!
if (isset($return)) { if (isset($return)) {
if ($autoescape && SafeMarkup::isSafe($return, $strategy)) { if ($autoescape && $return instanceof MarkupInterface) {
return $return; return $return;
} }
// Drupal only supports the HTML escaping strategy, so provide a // Drupal only supports the HTML escaping strategy, so provide a
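Review bot: In escapeFilter() the old call passed `$strategy` to `SafeMarkup::isSafe()`, whereas `$return instanceof MarkupInterface` ignores it, so a MarkupInterface value would be returned unescaped whichever strategy the template requested. Whether isSafe() ever acted on that argument, and whether non-HTML strategies are rejected before this line, is not visible in the hunk. The FormattableMarkup comments in this same commit note that a MarkupInterface value is only vouched for in HTML fragments. A short comment on the condition would record the assumption, for example `// MarkupInterface only vouches for HTML context; $strategy is not consulted here.`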
......
...@@ -9,7 +9,6 @@ ...@@ -9,7 +9,6 @@
use Drupal\Component\Serialization\Json; use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface; use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\GeneratedLink; use Drupal\Core\GeneratedLink;
...@@ -166,7 +165,7 @@ public function generate($text, Url $url) { ...@@ -166,7 +165,7 @@ public function generate($text, Url $url) {
$attributes['href'] = $generated_url->getGeneratedUrl(); $attributes['href'] = $generated_url->getGeneratedUrl();
} }
if (!SafeMarkup::isSafe($variables['text'])) { if (!($variables['text'] instanceof MarkupInterface)) {
$variables['text'] = Html::escape($variables['text']); $variables['text'] = Html::escape($variables['text']);
} }
$attributes = new Attribute($attributes); $attributes = new Attribute($attributes);
......
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
namespace Drupal\comment\Tests; namespace Drupal\comment\Tests;
use Drupal\comment\CommentManagerInterface; use Drupal\comment\CommentManagerInterface;
use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Datetime\DrupalDateTime; use Drupal\Core\Datetime\DrupalDateTime;
use Drupal\comment\Entity\Comment; use Drupal\comment\Entity\Comment;
...@@ -54,7 +54,7 @@ function testCommentPreview() { ...@@ -54,7 +54,7 @@ function testCommentPreview() {
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE); \Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
$this->drupalPostForm('node/' . $this->node->id(), $edit, t('Preview')); $this->drupalPostForm('node/' . $this->node->id(), $edit, t('Preview'));
$this->assertTrue(SafeMarkup::isSafe($this->webUser->getDisplayName()), 'Username is marked safe'); $this->assertTrue($this->webUser->getDisplayName() instanceof MarkupInterface, 'Username is marked safe');
$this->assertNoEscaped('<em>' . $this->webUser->id() . '</em>'); $this->assertNoEscaped('<em>' . $this->webUser->id() . '</em>');
$this->assertRaw('<em>' . $this->webUser->id() . '</em>'); $this->assertRaw('<em>' . $this->webUser->id() . '</em>');
......
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\menu_link_content\Tests; namespace Drupal\menu_link_content\Tests;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Menu\MenuTreeParameters; use Drupal\Core\Menu\MenuTreeParameters;
use Drupal\Core\StringTranslation\TranslatableMarkup; use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\menu_link_content\Entity\MenuLinkContent; use Drupal\menu_link_content\Entity\MenuLinkContent;
...@@ -72,7 +71,6 @@ public function testRediscover() { ...@@ -72,7 +71,6 @@ public function testRediscover() {
$title = $tree_element->link->getTitle(); $title = $tree_element->link->getTitle();
$this->assertFalse($title instanceof TranslatableMarkup); $this->assertFalse($title instanceof TranslatableMarkup);
$this->assertIdentical('<script>alert("Welcome to the discovered jungle!")</script>', $title); $this->assertIdentical('<script>alert("Welcome to the discovered jungle!")</script>', $title);
$this->assertFalse(SafeMarkup::isSafe($title));
// Create a hierarchy. // Create a hierarchy.
\Drupal::state()->set('menu_link_content_dynamic_route.routes', [ \Drupal::state()->set('menu_link_content_dynamic_route.routes', [
......
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
namespace Drupal\system\Tests\Utility; namespace Drupal\system\Tests\Utility;
use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Render\RenderContext; use Drupal\Core\Render\RenderContext;
use Drupal\Core\Url; use Drupal\Core\Url;
use Drupal\simpletest\KernelTestBase; use Drupal\simpletest\KernelTestBase;
...@@ -32,7 +32,7 @@ function testHookLinkAlter() { ...@@ -32,7 +32,7 @@ function testHookLinkAlter() {
return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url); return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url);
}); });
$this->setRawContent($link); $this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.'); $this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is not escaped. // Ensure the content of the link is not escaped.
$this->assertRaw('<em>link with markup</em>'); $this->assertRaw('<em>link with markup</em>');
...@@ -42,7 +42,7 @@ function testHookLinkAlter() { ...@@ -42,7 +42,7 @@ function testHookLinkAlter() {
return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url); return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url);
}); });
$this->setRawContent($link); $this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.'); $this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is escaped. // Ensure the content of the link is escaped.
$this->assertEscaped('<em>link with markup</em> <strong>Test!</strong>'); $this->assertEscaped('<em>link with markup</em> <strong>Test!</strong>');
...@@ -52,7 +52,7 @@ function testHookLinkAlter() { ...@@ -52,7 +52,7 @@ function testHookLinkAlter() {
return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url); return \Drupal::l(['#markup' => '<em>link with markup</em>'], $url);
}); });
$this->setRawContent($link); $this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.'); $this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is escaped. // Ensure the content of the link is escaped.
$this->assertRaw('<em>link with markup</em> <strong>Test!</strong>'); $this->assertRaw('<em>link with markup</em> <strong>Test!</strong>');
...@@ -61,7 +61,7 @@ function testHookLinkAlter() { ...@@ -61,7 +61,7 @@ function testHookLinkAlter() {
return \Drupal::l('<em>link with markup</em>', $url); return \Drupal::l('<em>link with markup</em>', $url);
}); });
$this->setRawContent($link); $this->setRawContent($link);
$this->assertTrue(SafeMarkup::isSafe($link), 'The output of link generation is marked safe as it is a link.'); $this->assertTrue($link instanceof MarkupInterface, 'The output of link generation is marked safe as it is a link.');
// Ensure the content of the link is escaped. // Ensure the content of the link is escaped.
$this->assertEscaped('<em>link with markup</em>'); $this->assertEscaped('<em>link with markup</em>');
$this->assertRaw('<strong>Test!</strong>'); $this->assertRaw('<strong>Test!</strong>');
......
...@@ -8,7 +8,6 @@ ...@@ -8,7 +8,6 @@
namespace Drupal\views\Plugin\views\field; namespace Drupal\views\Plugin\views\field;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface; use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Unicode; use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\UrlHelper; use Drupal\Component\Utility\UrlHelper;
...@@ -1221,7 +1220,7 @@ public function renderText($alter) { ...@@ -1221,7 +1220,7 @@ public function renderText($alter) {
// alterations made by this method. Any alterations or replacements made // alterations made by this method. Any alterations or replacements made
// within this method need to ensure that at the minimum the result is // within this method need to ensure that at the minimum the result is
// XSS admin filtered. See self::renderAltered() as an example that does. // XSS admin filtered. See self::renderAltered() as an example that does.
$value_is_safe = SafeMarkup::isSafe($this->last_render); $value_is_safe = $this->last_render instanceof MarkupInterface;
// Cast to a string so that empty checks and string functions work as // Cast to a string so that empty checks and string functions work as
// expected. // expected.
$value = (string) $this->last_render; $value = (string) $this->last_render;
...@@ -1299,9 +1298,10 @@ public function renderText($alter) { ...@@ -1299,9 +1298,10 @@ public function renderText($alter) {
} }
// Preserve whether or not the string is safe. Since $more_link comes from // Preserve whether or not the string is safe. Since $more_link comes from
// \Drupal::l(), it is safe to append. Use SafeMarkup::isSafe() here because // \Drupal::l(), it is safe to append. Check if the value is an instance of
// renderAsLink() can return both safe and unsafe values. // \Drupal\Component\Render\MarkupInterface here because renderAsLink()
if (SafeMarkup::isSafe($value)) { // can return both safe and unsafe values.
if ($value instanceof MarkupInterface) {
return ViewsRenderPipelineMarkup::create($value . $more_link); return ViewsRenderPipelineMarkup::create($value . $more_link);
} }
else { else {
......
...@@ -5,8 +5,8 @@ ...@@ -5,8 +5,8 @@
* Primarily Drupal hooks and global API functions to manipulate views. * Primarily Drupal hooks and global API functions to manipulate views.
*/ */
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Database\Query\AlterableInterface; use Drupal\Core\Database\Query\AlterableInterface;
use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Form\FormStateInterface;
...@@ -622,7 +622,7 @@ function views_pre_render_views_form_views_form($element) { ...@@ -622,7 +622,7 @@ function views_pre_render_views_form_views_form($element) {
foreach ($substitutions as $placeholder => $substitution) { foreach ($substitutions as $placeholder => $substitution) {
$search[] = Html::escape($placeholder); $search[] = Html::escape($placeholder);
// Ensure that any replacements made are safe to make. // Ensure that any replacements made are safe to make.
if (!SafeMarkup::isSafe($substitution)) { if (!($substitution instanceof MarkupInterface)) {
$substitution = Html::escape($substitution); $substitution = Html::escape($substitution);
} }
$replace[] = $substitution; $replace[] = $substitution;
......
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\Tests\views_ui\Unit; namespace Drupal\Tests\views_ui\Unit;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\DependencyInjection\ContainerBuilder; use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityInterface;
use Drupal\Tests\UnitTestCase; use Drupal\Tests\UnitTestCase;
...@@ -168,8 +167,6 @@ public function testBuildRowEntityList() { ...@@ -168,8 +167,6 @@ public function testBuildRowEntityList() {
$display_paths = $row['data']['path']['data']['#items']; $display_paths = $row['data']['path']['data']['#items'];
// These values will be escaped by Twig when rendered. // These values will be escaped by Twig when rendered.
$this->assertEquals('/test_page, /<object>malformed_path</object>, /<script>alert("placeholder_page/%")</script>', implode(', ', $display_paths)); $this->assertEquals('/test_page, /<object>malformed_path</object>, /<script>alert("placeholder_page/%")</script>', implode(', ', $display_paths));
$this->assertFalse(SafeMarkup::isSafe('/<object>malformed_path</object>'), '/<script>alert("/<object>malformed_path</object> is not marked safe.');
$this->assertFalse(SafeMarkup::isSafe('/<script>alert("placeholder_page/%")'), '/<script>alert("/<script>alert("placeholder_page/%") is not marked safe.');
} }
} }
......
...@@ -138,7 +138,7 @@ public function testFormat($string, array $args, $expected, $message, $expected_ ...@@ -138,7 +138,7 @@ public function testFormat($string, array $args, $expected, $message, $expected_
$result = SafeMarkup::format($string, $args); $result = SafeMarkup::format($string, $args);
$this->assertEquals($expected, $result, $message); $this->assertEquals($expected, $result, $message);
$this->assertEquals($expected_is_safe, SafeMarkup::isSafe($result), 'SafeMarkup::format correctly sets the result as safe or not safe.'); $this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
foreach ($args as $arg) { foreach ($args as $arg) {
$this->assertSame($arg instanceof SafeMarkupTestMarkup, SafeMarkup::isSafe($arg)); $this->assertSame($arg instanceof SafeMarkupTestMarkup, SafeMarkup::isSafe($arg));
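Review bot: No `use Drupal\Component\Render\MarkupInterface;` is visible for this file, unlike the other test files in the commit, and the new `$result instanceof MarkupInterface` assertion depends on it. PHP's `instanceof` against a class name that does not resolve evaluates to FALSE without raising an error, so a missing import would make only the expected-safe cases fail, with no hint why. If the import already exists above the hunk, nothing needs to change. The loop below still calls `SafeMarkup::isSafe($arg)`, presumably on purpose since this is SafeMarkup's own test.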
......
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
namespace Drupal\Tests\Core\Render; namespace Drupal\Tests\Core\Render;
use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Access\AccessResult; use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface; use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Cache\Cache; use Drupal\Core\Cache\Cache;
...@@ -47,13 +47,13 @@ public function testRenderBasic($build, $expected, callable $setup_code = NULL) ...@@ -47,13 +47,13 @@ public function testRenderBasic($build, $expected, callable $setup_code = NULL)
} }
if (isset($build['#markup'])) { if (isset($build['#markup'])) {
$this->assertFalse(SafeMarkup::isSafe($build['#markup']), 'The #markup value is not marked safe before rendering.'); $this->assertNotInstanceOf(MarkupInterface::class, $build['#markup'], 'The #markup value is not marked safe before rendering.');
} }
$render_output = $this->renderer->renderRoot($build); $render_output = $this->renderer->renderRoot($build);
$this->assertSame($expected, (string) $render_output); $this->assertSame($expected, (string) $render_output);
if ($render_output !== '') { if ($render_output !== '') {
$this->assertTrue(SafeMarkup::isSafe($render_output), 'Output of render is marked safe.'); $this->assertInstanceOf(MarkupInterface::class, $render_output, 'Output of render is marked safe.');
$this->assertTrue(SafeMarkup::isSafe($build['#markup']), 'The #markup value is marked safe after rendering.'); $this->assertInstanceOf(MarkupInterface::class, $build['#markup'], 'The #markup value is marked safe after rendering.');
} }
} }
...@@ -751,7 +751,7 @@ public function testRenderCacheProperties(array $expected_results) { ...@@ -751,7 +751,7 @@ public function testRenderCacheProperties(array $expected_results) {
// #custom_property_array can not be a safe_cache_property. // #custom_property_array can not be a safe_cache_property.
$safe_cache_properties = array_diff(Element::properties(array_filter($expected_results)), ['#custom_property_array']); $safe_cache_properties = array_diff(Element::properties(array_filter($expected_results)), ['#custom_property_array']);
foreach ($safe_cache_properties as $cache_property) { foreach ($safe_cache_properties as $cache_property) {
$this->assertTrue(SafeMarkup::isSafe($data[$cache_property]), "$cache_property is marked as a safe string"); $this->assertInstanceOf(MarkupInterface::class, $data[$cache_property], "$cache_property is marked as a safe string");
} }
} }
......
...@@ -7,7 +7,6 @@ ...@@ -7,7 +7,6 @@
namespace Drupal\Tests\Core\StringTranslation; namespace Drupal\Tests\Core\StringTranslation;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Render\MarkupInterface; use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\StringTranslation\TranslationManager; use Drupal\Core\StringTranslation\TranslationManager;
use Drupal\Tests\UnitTestCase; use Drupal\Tests\UnitTestCase;
...@@ -64,7 +63,7 @@ public function testFormatPlural($count, $singular, $plural, array $args = array ...@@ -64,7 +63,7 @@ public function testFormatPlural($count, $singular, $plural, array $args = array
$this->translationManager->addTranslator($translator); $this->translationManager->addTranslator($translator);
$result = $this->translationManager->formatPlural($count, $singular, $plural, $args, $options); $result = $this->translationManager->formatPlural($count, $singular, $plural, $args, $options);
$this->assertEquals($expected, $result); $this->assertEquals($expected, $result);
$this->assertTrue(SafeMarkup::isSafe($result)); $this->assertInstanceOf(MarkupInterface::class, $result);
} }
/** /**
......