Update to Drupal 8.0.0 beta 14. For more information, see https://drupal.org/node/2544542
This commit is contained in:
Pantheon Automation
Greg Anderson
parent
3b2511d96d
commit
81ccda77eb
2155 changed files with 54307 additions and 46870 deletions
|
|
@ -15,9 +15,9 @@ namespace Drupal\Component\Utility;
|
|||
* provides a store for known safe strings and methods to manage them
|
||||
* throughout the page request.
|
||||
*
|
||||
* Strings sanitized by self::checkPlain() or Xss::filter() are automatically
|
||||
* marked safe, as are markup strings created from render arrays via
|
||||
* drupal_render().
|
||||
* Strings sanitized by self::checkPlain() and self::escape() or
|
||||
* self::xssFilter() are automatically marked safe, as are markup strings
|
||||
* created from @link theme_render render arrays @endlink via drupal_render().
|
||||
*
|
||||
* This class should be limited to internal use only. Module developers should
|
||||
* instead use the appropriate
|
||||
|
|
@ -141,17 +141,79 @@ class SafeMarkup {
|
|||
/**
|
||||
* Applies a very permissive XSS/HTML filter for admin-only use.
|
||||
*
|
||||
* @param string $string
|
||||
* A string.
|
||||
* Note: This method only filters if $string is not marked safe already.
|
||||
*
|
||||
* @return string
|
||||
* The escaped string. If $string was already set as safe with
|
||||
* self::set(), it won't be escaped again.
|
||||
* @deprecated as of Drupal 8.0.x, will be removed before Drupal 8.0.0. If the
|
||||
* string used as part of a @link theme_render render array @endlink use
|
||||
* #markup to allow the render system to filter automatically. If the result
|
||||
* is not being used directly in the rendering system (for example, when its
|
||||
* result is being combined with other strings before rendering), use
|
||||
* Xss::filterAdmin(). Otherwise, use SafeMarkup::xssFilter() and the tag
|
||||
* list provided by Xss::getAdminTagList() instead. In the rare instance
|
||||
* that the caller does not want to filter strings that are marked safe
|
||||
* already, it needs to check SafeMarkup::isSafe() itself.
|
||||
*
|
||||
* @see \Drupal\Component\Utility\SafeMarkup::xssFilter()
|
||||
* @see \Drupal\Component\Utility\SafeMarkup::isSafe()
|
||||
* @see \Drupal\Component\Utility\Xss::filterAdmin()
|
||||
* @see \Drupal\Component\Utility\Xss::getAdminTagList()
|
||||
*/
|
||||
public static function checkAdminXss($string) {
|
||||
return static::isSafe($string) ? $string : Xss::filterAdmin($string);
|
||||
return static::isSafe($string) ? $string : static::xssFilter($string, Xss::getAdminTagList());
|
||||
}
|
||||
|
||||
/**
|
||||
* Filters HTML for XSS vulnerabilities and marks the result as safe.
|
||||
*
|
||||
* Calling this method unnecessarily will result in bloating the safe string
|
||||
* list and increases the chance of unintended side effects.
|
||||
*
|
||||
* If Twig receives a value that is not marked as safe then it will
|
||||
* automatically encode special characters in a plain-text string for display
|
||||
* as HTML. Therefore, SafeMarkup::xssFilter() should only be used when the
|
||||
* string might contain HTML that needs to be rendered properly by the
|
||||
* browser.
|
||||
*
|
||||
* If you need to filter for admin use, like Xss::filterAdmin(), then:
|
||||
* - If the string is used as part of a @link theme_render render array @endlink,
|
||||
* use #markup to allow the render system to filter by the admin tag list
|
||||
* automatically.
|
||||
* - Otherwise, use the SafeMarkup::xssFilter() with tag list provided by
|
||||
* Xss::getAdminTagList() instead.
|
||||
*
|
||||
* This method should only be used instead of Xss::filter() when the result is
|
||||
* being added to a render array that is constructed before rendering begins.
|
||||
*
|
||||
* In the rare instance that the caller does not want to filter strings that
|
||||
* are marked safe already, it needs to check SafeMarkup::isSafe() itself.
|
||||
*
|
||||
* @param $string
|
||||
* The string with raw HTML in it. It will be stripped of everything that
|
||||
* can cause an XSS attack. The string provided will always be escaped
|
||||
* regardless of whether the string is already marked as safe.
|
||||
* @param array $html_tags
|
||||
* (optional) An array of HTML tags. If omitted, it uses the default tag
|
||||
* list defined by \Drupal\Component\Utility\Xss::filter().
|
||||
*
|
||||
* @return string
|
||||
* An XSS-safe version of $string, or an empty string if $string is not
|
||||
* valid UTF-8. The string is marked as safe.
|
||||
*
|
||||
* @ingroup sanitization
|
||||
*
|
||||
* @see \Drupal\Component\Utility\Xss::filter()
|
||||
* @see \Drupal\Component\Utility\Xss::filterAdmin()
|
||||
* @see \Drupal\Component\Utility\Xss::getAdminTagList()
|
||||
* @see \Drupal\Component\Utility\SafeMarkup::isSafe()
|
||||
*/
|
||||
public static function xssFilter($string, $html_tags = NULL) {
|
||||
if (is_null($html_tags)) {
|
||||
$string = Xss::filter($string);
|
||||
}
|
||||
else {
|
||||
$string = Xss::filter($string, $html_tags);
|
||||
}
|
||||
return static::set($string);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Reference in a new issue