diff --git a/core/includes/common.inc b/core/includes/common.inc
index bc6fac6..fbfc99a 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -413,7 +413,9 @@ function drupal_add_feed($url = NULL, $title = '') {
 */
 function drupal_get_feeds($delimiter = "\n") {
 $feeds = drupal_add_feed();
- return drupal_mark_safe(implode($feeds, $delimiter));
+ $string = implode($feeds, $delimiter);
+ $GLOBALS['safe_strings'][$string] = TRUE;
+ return $string;
 }
 /**
@@ -3918,7 +3920,7 @@ function drupal_render(&$elements) {
 $prefix = isset($elements['#prefix']) ? $elements['#prefix'] : '';
 $suffix = isset($elements['#suffix']) ? $elements['#suffix'] : '';
- $output = ($prefix) . $elements['#children'] . ($suffix);
+ $output = $prefix . $elements['#children'] . $suffix;
 // Cache the processed element if #cache is set.
 if (isset($elements['#cache'])) {
diff --git a/core/lib/Drupal/Component/Utility/String.php b/core/lib/Drupal/Component/Utility/String.php
index 81968b3..182518c 100644
--- a/core/lib/Drupal/Component/Utility/String.php
+++ b/core/lib/Drupal/Component/Utility/String.php
@@ -107,7 +107,9 @@ public static function format($string, array $args = array()) {
 // Pass-through.
 }
 }
- return drupal_mark_safe(strtr($string, $args));
+ $output = strtr($string, $args);
+ $GLOBALS['safe_strings'][$output] = TRUE;
+ return $output;
 }
 /**
diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php
index 7b0780e..3600825 100644
--- a/core/lib/Drupal/Component/Utility/Xss.php
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -71,7 +71,7 @@ public static function filter($string, $allowed_tags = array('a', 'em', 'strong'
 // Named entities.
 $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
- return drupal_mark_safe(preg_replace_callback('%
+ $output = preg_replace_callback('%
 (
 <(?=[^a-zA-Z!/]) # a lone <
 | # or
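Review bot: Writing `$GLOBALS['safe_strings'][$string] = TRUE;` inline in drupal_get_feeds() spreads the trust decision over every call site instead of keeping it behind one auditable function; the same pattern is repeated in String::format(), Xss::filter() and both returns of check_markup(). Because the registry is keyed by string content, any other value with identical bytes is treated as safe regardless of where it came from, and nothing in this hunk shows that the entries of `$feeds` were escaped before being joined. If call overhead is the motivation, I would still keep a single helper, or at least state the invariant above each write, e.g. `// Safe only if every element of $feeds is already escaped markup.`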
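Review bot: The result of `strtr($string, $args)` in String::format() is registered as safe unconditionally, yet the `// Pass-through.` branch just above the change suggests that some arguments are substituted without escaping. If so, a pass-through value carrying request-supplied markup ends up inside a string that autoescape will skip. Only the tail of format() is inside the hunk, so this needs checking against the placeholder handling above it; at minimum I would add `// Marked safe: callers must never pass untrusted data in pass-through placeholders.` before the registry write.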
@@ -80,7 +80,9 @@ public static function filter($string, $allowed_tags = array('a', 'em', 'strong'
 <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
 | # or
 > # just a >
- )%x', '\Drupal\Component\Utility\Xss::split', $string));
+ )%x', '\Drupal\Component\Utility\Xss::split', $string);
+ $GLOBALS['safe_strings'][$output] = TRUE;
+ return $output;
 }
 /**
diff --git a/core/lib/Drupal/Core/Template/TwigExtension.php b/core/lib/Drupal/Core/Template/TwigExtension.php
index 7425e90..c8aff5b 100644
--- a/core/lib/Drupal/Core/Template/TwigExtension.php
+++ b/core/lib/Drupal/Core/Template/TwigExtension.php
@@ -41,7 +41,7 @@ public function getFilters() {
 'passthrough' => new \Twig_Filter_Function('twig_raw_filter'),
 'placeholder' => new \Twig_Filter_Function('twig_raw_filter'),
 // Helper filter used to replace twig's original raw() filter.
- 'twig_raw' => 'twig_raw',
+ 'twig_raw' => new \Twig_Filter_Function('twig_raw'),
 );
 }
diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module
index 23b9db6..4ca3a13 100644
--- a/core/modules/filter/filter.module
+++ b/core/modules/filter/filter.module
@@ -712,7 +712,9 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE,
 $cache_id = $format->format . ':' . $langcode . ':' . hash('sha256', $text);
 if ($cached = cache('filter')->get($cache_id)) {
 // @todo: The caller is responsible that this is really safe.
- return drupal_mark_safe($cached->data);
+ $output = $cached->data;
+ $GLOBALS['safe_strings'][$output] = TRUE;
+ return $output;
 }
 }
@@ -754,7 +756,8 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE,
 }
 // @todo: The caller is responsible that this is really safe.
- return drupal_mark_safe($text);
+ $GLOBALS['safe_strings'][$text] = TRUE;
+ return $text;
 }
 /**
diff --git a/core/themes/engines/twig/twig.engine b/core/themes/engines/twig/twig.engine
index bc7e75d..9891cd2 100644
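Review bot: In Xss::filter() the value registered as safe is whatever `preg_replace_callback()` returns, and that function returns NULL when the PCRE engine reports an error, so a failure would register the empty-string key and hand NULL back to the caller without any signal. A guard before the registry write, such as `if ($output === NULL) { return ''; }`, makes the failure case explicit. The mark is also independent of `$allowed_tags`: output produced with a permissive tag list is treated as safe by every later consumer that sees the same bytes, which deserves a sentence in the docblock. The body of filter() starts outside the hunk.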
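Review bot: Both returns of check_markup() now register their result as safe while the adjacent `// @todo: The caller is responsible that this is really safe.` is left in place, so the trust decision is made here but documented as someone else's responsibility. Whether the text is actually safe depends on which filters the format runs, which these hunks do not show; a format without HTML filtering would have its output exempted from autoescape. The cache branch in the hunk at line 712 also trusts `$cached->data` as stored, and a non-string value there would fail as an array offset, so I would wrap the write in `if (is_string($output))`. Replacing the @todo in both hunks with a comment naming the condition under which the mark is valid would make this reviewable.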
--- a/core/themes/engines/twig/twig.engine
+++ b/core/themes/engines/twig/twig.engine
@@ -115,8 +115,8 @@ function twig_render_var($arg) {
 return $arg;
 }
- // Treat output from RenderWrapper as safe, return a Twig_Markup instance.
- if ($arg instanceof \Drupal\Core\Template\RenderWrapper) {
+ // For known objects with __toString() methods, return a Twig_Markup instance.
+ if ($arg instanceof \Drupal\Core\Template\RenderWrapper || $arg instanceof \Drupal\Core\Template\Attribute) {
 return new Twig_Markup((string) $arg, 'UTF-8');
 }
diff --git a/core/vendor/twig/twig/lib/Twig/Extension/Core.php b/core/vendor/twig/twig/lib/Twig/Extension/Core.php
index fa92f5e..898eff4 100644
--- a/core/vendor/twig/twig/lib/Twig/Extension/Core.php
+++ b/core/vendor/twig/twig/lib/Twig/Extension/Core.php
@@ -847,7 +847,9 @@ function twig_in_filter($value, $compare)
 */
 function twig_escape_filter(Twig_Environment $env, $string, $strategy = 'html', $charset = null, $autoescape = false)
 {
- if ($autoescape && $string instanceof Twig_Markup) {
+ // @todo Create upstream pull request to remove unneeded is_object() call
+ // for speed. Would be nice to profile this as well.
+ if ($autoescape && is_object($string) && $string instanceof Twig_Markup) {
 return $string;
 }
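Review bot: Adding `\Drupal\Core\Template\Attribute` to the instanceof check in twig_render_var() exempts its string form from autoescape, and the rewritten comment no longer says so: it describes the objects as having `__toString()` rather than as trusted output. That is only correct if Attribute escapes attribute names and values when cast to a string, which this hunk does not show. I would keep the security rationale in the comment, e.g. `// RenderWrapper and Attribute are wrapped in Twig_Markup and bypass autoescape; both must escape in __toString().` twig_render_var() starts and ends outside the hunk.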