The $text parameter of Token::replace() is documented as follows:
The caller is responsible for calling \Drupal\Component\Utility\Html::escape() in case the $text was plain text.
There are instances in core where this does not happen, which means that plain text that resembles HTML would be corrupted. For example an Email action with subject What do you think of the <blink> tag? would get corrupted to What do you think of the tag?.
When fixing this bug, we need to consider that sites might have observed this bug and compensated for it, by setting their subject to What do you think of the <blink> tag?. If we fix this bug, these sites would start sending emails without decoding those escaped entities. However it's hard to see how to fix the bug without this problem, so perhaps we just have to document it clearly in the release notes.
This issue was split off from #2580723: Fix token system confusion, with new function Token::replacePlain() β , see lengthy discussion there for further background.
Use the Token::replacePlain() method.
Needs work
10.1 β¨
Used to track the progress of issues reviewed by the Drupal Needs Review Queue Initiative.
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Thank you for reporting.
As a bug will also need a test case showing this issue.
As a bug will also need a test case showing this issue.
Sure however before spending time on that please can we get agreement that this would be accepted and committed?
