Update to Drupal 8.0.0-beta15. For more information, see: https://www.drupal.org/node/2563023

core/lib/Drupal/Core/Template/Attribute.php

@@ -40,7 +40,9 @@ use Drupal\Component\Utility\SafeStringInterface;
  * @endcode
  *
  * The attribute keys and values are automatically sanitized for output with
- * htmlspecialchars() and the entire attribute string is marked safe for output.
+ * Html::escape() and the entire attribute string is marked safe for output.
+ *
+ * @see \Drupal\Component\Utility\Html::escape()
  */
 class Attribute implements \ArrayAccess, \IteratorAggregate, SafeStringInterface {
 
@@ -300,4 +302,14 @@ class Attribute implements \ArrayAccess, \IteratorAggregate, SafeStringInterface
     return $this->storage;
   }
 
+  /**
+   * Returns a representation of the object for use in JSON serialization.
+   *
+   * @return string
+   *   The safe string content.
+   */
+  public function jsonSerialize() {
+    return (string) $this;
+  }
+
 }

core/lib/Drupal/Core/Template/AttributeArray.php

@@ -7,6 +7,8 @@
 
 namespace Drupal\Core\Template;
 
+use Drupal\Component\Utility\Html;
+
 /**
  * A class that defines a type of Attribute that can be added to as an array.
  *
@@ -74,7 +76,7 @@ class AttributeArray extends AttributeValueBase implements \ArrayAccess, \Iterat
   public function __toString() {
     // Filter out any empty values before printing.
     $this->value = array_unique(array_filter($this->value));
-    return htmlspecialchars(implode(' ', $this->value), ENT_QUOTES, 'UTF-8');
+    return Html::escape(implode(' ', $this->value));
   }
 
   /**

core/lib/Drupal/Core/Template/AttributeBoolean.php

@@ -7,6 +7,8 @@
 
 namespace Drupal\Core\Template;
 
+use Drupal\Component\Utility\Html;
+
 /**
  * A class that defines a type of boolean HTML attribute.
  *
@@ -40,7 +42,7 @@ class AttributeBoolean extends AttributeValueBase {
    * Implements the magic __toString() method.
    */
   public function __toString() {
-    return $this->value === FALSE ? '' : htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
+    return $this->value === FALSE ? '' : Html::escape($this->name);
   }
 
 }

core/lib/Drupal/Core/Template/AttributeString.php

@@ -7,6 +7,8 @@
 
 namespace Drupal\Core\Template;
 
+use Drupal\Component\Utility\Html;
+
 /**
  * A class that represents most standard HTML attributes.
  *
@@ -28,7 +30,7 @@ class AttributeString extends AttributeValueBase {
    * Implements the magic __toString() method.
    */
   public function __toString() {
-    return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
+    return Html::escape($this->value);
   }
 
 }

core/lib/Drupal/Core/Template/AttributeValueBase.php

@@ -6,6 +6,7 @@
  */
 
 namespace Drupal\Core\Template;
+use Drupal\Component\Utility\Html;
 
 /**
  * Defines the base class for an attribute type.
@@ -55,7 +56,7 @@ abstract class AttributeValueBase {
   public function render() {
     $value = (string) $this;
     if (isset($this->value) && static::RENDER_EMPTY_ATTRIBUTE || !empty($value)) {
-      return htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8') . '="' . $value . '"';
+      return Html::escape($this->name) . '="' . $value . '"';
     }
   }
 

core/lib/Drupal/Core/Template/TwigEnvironment.php

@@ -21,9 +21,28 @@ use Drupal\Core\Render\SafeString;
  * @see core\vendor\twig\twig\lib\Twig\Environment.php
  */
 class TwigEnvironment extends \Twig_Environment {
+
+  /**
+   * The cache object used for auto-refresh via mtime.
+   *
+   * @var \Drupal\Core\Cache\CacheBackendInterface
+   */
   protected $cache_object = NULL;
+
+  /**
+   * The PhpStorage object used for storing the templates.
+   *
+   * @var \Drupal\Core\PhpStorage\PhpStorageFactory
+   */
   protected $storage = NULL;
 
+  /**
+   * The template cache filename prefix.
+   *
+   * @var string
+   */
+  protected $templateCacheFilenamePrefix;
+
   /**
    * Static cache of template classes.
    *
@@ -39,13 +58,16 @@ class TwigEnvironment extends \Twig_Environment {
    *   The app root.
    * @param \Drupal\Core\Cache\CacheBackendInterface $cache
    *   The cache bin.
+   * @param string $twig_extension_hash
+   *   The Twig extension hash.
    * @param \Twig_LoaderInterface $loader
    *   The Twig loader or loader chain.
    * @param array $options
    *   The options for the Twig environment.
    */
-  public function __construct($root, CacheBackendInterface $cache, \Twig_LoaderInterface $loader = NULL, $options = array()) {
+  public function __construct($root, CacheBackendInterface $cache, $twig_extension_hash, \Twig_LoaderInterface $loader = NULL, $options = array()) {
     $this->cache_object = $cache;
+    $this->templateCacheFilenamePrefix = $twig_extension_hash;
 
     // Ensure that twig.engine is loaded, given that it is needed to render a
     // template because functions like TwigExtension::escapeFilter() are called.
@@ -88,6 +110,26 @@ class TwigEnvironment extends \Twig_Environment {
     $this->cache_object->set($cid, REQUEST_TIME);
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheFilename($name) {
+    // We override the cache filename in order to avoid issues with not using
+    // shared filesystems. The Twig templates for example rely on available Twig
+    // extensions, so we use the twig extension hash which varies by extensions
+    // and their mtime.
+    // @see \Drupal\Core\DependencyInjection\Compiler\TwigExtensionPass
+
+    if (!$this->cache) {
+      return FALSE;
+    }
+
+    $class = substr($this->getTemplateClass($name), strlen($this->templateClassPrefix));
+
+    // The first part is what is invalidated.
+    return $this->templateCacheFilenamePrefix . '_' . basename($name) . '_' . $class;
+  }
+
   /**
    * Implements Twig_Environment::loadTemplate().
    *

core/lib/Drupal/Core/Template/TwigExtension.php

@@ -12,6 +12,7 @@
 
 namespace Drupal\Core\Template;
 
+use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Component\Utility\SafeStringInterface;
 use Drupal\Core\Render\RendererInterface;
@@ -111,7 +112,6 @@ class TwigExtension extends \Twig_Extension {
       // in \Symfony\Bridge\Twig\Extension\RoutingExtension
       new \Twig_SimpleFunction('url', array($this, 'getUrl'), array('is_safe_callback' => array($this, 'isUrlGenerationSafe'))),
       new \Twig_SimpleFunction('path', array($this, 'getPath'), array('is_safe_callback' => array($this, 'isUrlGenerationSafe'))),
-      new \Twig_SimpleFunction('url_from_path', array($this, 'getUrlFromPath'), array('is_safe_callback' => array($this, 'isUrlGenerationSafe'))),
       new \Twig_SimpleFunction('link', array($this, 'getLink')),
       new \Twig_SimpleFunction('file_url', 'file_create_url'),
       new \Twig_SimpleFunction('attach_library', [$this, 'attachLibrary']),
@@ -141,7 +141,7 @@ class TwigExtension extends \Twig_Extension {
       // Implements safe joining.
       // @todo Make that the default for |join? Upstream issue:
       //   https://github.com/fabpot/Twig/issues/1420
-      new \Twig_SimpleFilter('safe_join', 'twig_drupal_join_filter', array('is_safe' => array('html'))),
+      new \Twig_SimpleFilter('safe_join', [$this, 'safeJoin'], ['needs_environment' => true, 'is_safe' => ['html']]),
 
       // Array filters.
       new \Twig_SimpleFilter('without', 'twig_without'),
@@ -228,31 +228,6 @@ class TwigExtension extends \Twig_Extension {
     return $build;
   }
 
-  /**
-   * Generates an absolute URL given a path.
-   *
-   * @param string $path
-   *   The path.
-   * @param array $options
-   *   (optional) An associative array of additional options. The 'absolute'
-   *   option is forced to be TRUE.
-   *
-   * @return string
-   *   The generated absolute URL for the given path.
-   *
-   * @deprecated in Drupal 8.0.x-dev and will be removed before Drupal 8.0.0.
-   */
-  public function getUrlFromPath($path, $options = array()) {
-    // Generate URL.
-    $options['absolute'] = TRUE;
-    $generated_url = $this->urlGenerator->generateFromPath($path, $options, TRUE);
-
-    // Return as render array, so we can bubble the bubbleable metadata.
-    $build = ['#markup' => $generated_url->getGeneratedUrl()];
-    $generated_url->applyTo($build);
-    return $build;
-  }
-
   /**
    * Gets a rendered link from an url object.
    *
@@ -433,7 +408,7 @@ class TwigExtension extends \Twig_Extension {
       // Drupal only supports the HTML escaping strategy, so provide a
       // fallback for other strategies.
       if ($strategy == 'html') {
-        return SafeMarkup::checkPlain($return);
+        return Html::escape($return);
       }
       return twig_escape_filter($env, $return, $strategy, $charset, $autoescape);
     }
@@ -480,11 +455,7 @@ class TwigExtension extends \Twig_Extension {
       return NULL;
     }
 
-    // Optimize for strings as it is likely they come from the escape filter.
-    if (is_string($arg)) {
-      return $arg;
-    }
-
+    // Optimize for scalars as it is likely they come from the escape filter.
     if (is_scalar($arg)) {
       return $arg;
     }
@@ -513,4 +484,26 @@ class TwigExtension extends \Twig_Extension {
     return $this->renderer->render($arg);
   }
 
+  /**
+   * Joins several strings together safely.
+   *
+   * @param \Twig_Environment $env
+   *   A Twig_Environment instance.
+   * @param mixed[]|\Traversable $value
+   *   The pieces to join.
+   * @param string $glue
+   *   The delimiter with which to join the string. Defaults to an empty string.
+   *   This value is expected to be safe for output and user provided data
+   *   should never be used as a glue.
+   *
+   * @return string
+   *   The strings joined together.
+   */
+  public function safeJoin(\Twig_Environment $env, $value, $glue = '') {
+    return implode($glue, array_map(function($item) use ($env) {
+      // If $item is not marked safe then it will be escaped.
+      return $this->escapeFilter($env, $item, 'html', NULL, TRUE);
+    }, $value));
+  }
+
 }