-rw-r--r-- | core/lib/Drupal/Core/Utility/Token.php | 4 | ||||
-rw-r--r-- | core/modules/file/src/Plugin/Field/FieldType/FileItem.php | 7 | ||||
-rw-r--r-- | core/modules/tour/src/Plugin/tour/tip/TipPluginText.php | 1 |
3 files changed, 4 insertions, 8 deletions
diff --git a/core/lib/Drupal/Core/Utility/Token.php b/core/lib/Drupal/Core/Utility/Token.php
index 1b791af3e59..a62a59f2590 100644
--- a/core/lib/Drupal/Core/Utility/Token.php
+++ b/core/lib/Drupal/Core/Utility/Token.php
@@ -8,7 +8,7 @@
 namespace Drupal\Core\Utility;
 use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\SafeStringInterface;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Cache\CacheableDependencyInterface;
 use Drupal\Core\Cache\CacheBackendInterface;
@@ -207,7 +207,7 @@ class Token {
 // Escape the tokens, unless they are explicitly markup.
 foreach ($replacements as $token => $value) {
- $replacements[$token] = $value instanceof SafeStringInterface ? $value : Html::escape($value);
+ $replacements[$token] = SafeMarkup::isSafe($value) ? $value : Html::escape($value);
 }
 // Optionally alter the list of replacement values.
diff --git a/core/modules/file/src/Plugin/Field/FieldType/FileItem.php b/core/modules/file/src/Plugin/Field/FieldType/FileItem.php
index 9174b0feec1..8bbe278f789 100644
--- a/core/modules/file/src/Plugin/Field/FieldType/FileItem.php
+++ b/core/modules/file/src/Plugin/Field/FieldType/FileItem.php
@@ -261,7 +261,8 @@ class FileItem extends EntityReferenceItem {
 * An array of token objects to pass to token_replace().
 *
 * @return string
- * An unsanitized file directory URI with tokens replaced.
+ * An unsanitized file directory URI with tokens replaced. The result of
+ * the token replacement is then converted to plain text and returned.
 *
 * @see token_replace()
 */
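Review bot: In the second Token.php hunk, the escaping decision inside the `foreach ($replacements as $token => $value)` loop now rests on `SafeMarkup::isSafe($value)` rather than on the value's type, and the comment above it ("unless they are explicitly markup") no longer says what qualifies. If `isSafe()` at this revision also consults SafeMarkup's request-wide list of strings previously marked safe, a plain-string token value that happens to equal one of those strings is returned without `Html::escape()`, so the result depends on what other code ran earlier in the request. I would state that in the comment, e.g. `// Escape the tokens unless SafeMarkup::isSafe() reports them safe (safe-string objects and strings already marked safe in this request).`, and add a test asserting that a plain string returned by a token provider is escaped. The enclosing method starts and ends outside the hunk.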
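Review bot: The expanded `@return` text in the first FileItem.php hunk now says both "unsanitized" and "converted to plain text", which leaves a caller unsure what has and has not been done to the value. From the following hunk, the token result passes through `PlainTextOutput::renderFromHtml()` and is then appended to `$settings['uri_scheme'] . '://'` with no visible check that the result is a valid URI, while the `@todo` that raised that question is removed. I would word the return doc to say so explicitly: `The file directory URI with tokens replaced and the replacement reduced to plain text. It is not escaped for HTML output and not validated as a URI.` The docblock and the function body start and end outside this hunk.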
@@ -272,10 +273,6 @@ class FileItem extends EntityReferenceItem {
 // Replace tokens. As the tokens might contain HTML we convert it to plain
 // text.
 $destination = PlainTextOutput::renderFromHtml(\Drupal::token()->replace($destination, $data));
-
- // @todo Is any valid URI always safe output? If not, handle invalid URIs
- // here, and certainly do not return them, see
- // https://www.drupal.org/node/2578193.
 return $settings['uri_scheme'] . '://' . $destination;
 }
diff --git a/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php b/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php
index f525d83e327..ac73cee7851 100644
--- a/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php
+++ b/core/modules/tour/src/Plugin/tour/tip/TipPluginText.php
@@ -8,7 +8,6 @@
 namespace Drupal\tour\Plugin\tour\tip;
 use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\Xss;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Utility\Token;
 use Drupal\tour\TipPluginBase; |