Commit fd671837 authored by xjm's avatar xjm

Issue #2505701 by pwolanin, YesCT, akalata: Document SafeMarkup::set and Use...

Issue #2505701 by pwolanin, YesCT, akalata: Document SafeMarkup::set and Use htmlspecialchars() directly in Attribute() so we don't bloat the list of safe strings
parent 2916dc8f
......@@ -40,7 +40,7 @@
* @endcode
*
* The attribute keys and values are automatically sanitized for output with
* \Drupal\Component\Utility\SafeMarkup::checkPlain().
* htmlspecialchars() and the entire attribute string is marked safe for output.
*/
class Attribute implements \ArrayAccess, \IteratorAggregate {
......@@ -252,12 +252,16 @@ public function hasClass($class) {
*/
public function __toString() {
$return = '';
/** @var \Drupal\Core\Template\AttributeValueBase $value */
foreach ($this->storage as $name => $value) {
$rendered = $value->render();
if ($rendered) {
$return .= ' ' . $rendered;
}
}
// The implementations of AttributeValueBase::render() call
// htmlspecialchars() on the attribute name and value so we are confident
// that the return value can be set as safe.
return SafeMarkup::set($return);
}
......
......@@ -7,8 +7,6 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/**
* A class that defines a type of Attribute that can be added to as an array.
*
......@@ -76,7 +74,7 @@ public function offsetExists($offset) {
public function __toString() {
// Filter out any empty values before printing.
$this->value = array_unique(array_filter($this->value));
return SafeMarkup::checkPlain(implode(' ', $this->value));
return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
}
/**
......
......@@ -7,8 +7,6 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/**
* A class that defines a type of boolean HTML attribute.
*
......@@ -42,7 +40,7 @@ public function render() {
* Implements the magic __toString() method.
*/
public function __toString() {
return $this->value === FALSE ? '' : SafeMarkup::checkPlain($this->name);
return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
}
}
......@@ -7,8 +7,6 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/**
* A class that represents most standard HTML attributes.
*
......@@ -30,7 +28,7 @@ class AttributeString extends AttributeValueBase {
* Implements the magic __toString() method.
*/
public function __toString() {
return SafeMarkup::checkPlain($this->value);
return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
}
}
......@@ -7,8 +7,6 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
/**
* Defines the base class for an attribute type.
*
......@@ -57,7 +55,7 @@ public function __construct($name, $value) {
public function render() {
$value = (string) $this;
if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
return SafeMarkup::checkPlain($this->name) . '="' . $value . '"';
return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment