Problem/Motivation
_batch_page() calls SafeMarkup::setMultiple() which is meant to be for internal use only.
Proposed resolution
- Remove the call by refactoring the code.
- If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.
Remaining tasks
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
Manual testing steps (for XSS and double escaping)
Not necessary, we are only adding documentation.
User interface changes
N/A
API changes
N/A
Comment | File | Size | Author |
---|---|---|---|
#1 | document-2501447-1.patch | 562 bytes | star-szr |
Comments
Comment #1
star-szr
I think this is all that's needed.
Comment #2
joelpittet
Thanks, good to go.
Comment #3
xjm
Ahh, I remember this one. Yep, that's one of those legit internal uses. And there's that @todo still. :)
This issue only changes documentation and is also a required part of completing a critical, so per https://www.drupal.org/core/beta-changes, this can be completed any time during the Drupal 8 beta phase. Committed and pushed to 8.0.x. Thanks @joelpittet and @Cottser!
Fixed a comma splice on commit:
Comment #5
star-szr
Thanks for the comma fix!