Attribute class to check safe strings before escaping (has tests)

Created on 12 July 2015, over 9 years ago
Updated 16 February 2023, almost 2 years ago

Follow-up to #2506133: Replace SafeMarkup::set() in \Drupal\Core\Template\Attribute

Problem/Motivation

#2506133: Replace SafeMarkup::set() in \Drupal\Core\Template\Attribute has overlooked a fairly common use case, which now gets double escaped when translated titles are used as attributes.

Translated attribute values.

Example in core: feed_icon

$variables['attributes']['title'] = t('Message: @escaped', ['@escaped' => '<>']);

Will escape it once in t, if not marked safe, once in attributes, then once more in twig because the string changed in attributes.

If we mark it safe it still gets escaped at least twice...

Proposed resolution

Avoid htmlspecialchars() escaping in attribute if it's marked safe?

Remaining tasks

Review & commit

User interface changes

None

API changes

N/A

🐛 Bug report
Status

Closed: outdated

Version

9.5

Component
Theme 

Last updated 5 days ago

Created by

🇨🇦Canada joelpittet Vancouver

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024