Problem/Motivation
Issue title says it all.
Proposed resolution
Change String::format() to not call SafeMarkup::set() on the result if there are one or more passthrough arguments that are not safe.
Remaining tasks
Review. Commit.
User interface changes
None.
API changes
No change to any documented API. But code that was relying on the broken behavior will now need to ensure that passthrough arguments are safe if it wants the result to be marked safe.
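The behavior after this change, modeled as an added stand-alone example (not Drupal's code and not taken from the patch). `SafeRegistry` and `format_marked()` are hypothetical names, and the convention that `!`-prefixed keys are passthrough while other keys are escaped is an assumption of the model.

```php
<?php
// Stand-alone model, not Drupal code. SafeRegistry plays the role that
// SafeMarkup::set() / SafeMarkup::isSafe() play on this page.
final class SafeRegistry {
  private static $safe = [];
  public static function set(string $s): string {
    self::$safe[$s] = TRUE;
    return $s;
  }
  public static function isSafe(string $s): bool {
    return isset(self::$safe[$s]);
  }
}

// Hypothetical formatter with the proposed resolution applied. Assumed
// convention: keys starting with '!' are passthrough, all others are escaped.
function format_marked(string $template, array $args): string {
  $all_passthrough_safe = TRUE;
  foreach ($args as $key => $value) {
    $value = (string) $value;
    if (strncmp((string) $key, '!', 1) === 0) {
      // Passthrough: inserted unchanged, so the result can only be as
      // trustworthy as this argument already is.
      if (!SafeRegistry::isSafe($value)) {
        $all_passthrough_safe = FALSE;
      }
      $args[$key] = $value;
    }
    else {
      $args[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
  }
  $output = strtr($template, $args);
  // Mark the result only when no unsafe passthrough argument went into it.
  return $all_passthrough_safe ? SafeRegistry::set($output) : $output;
}

// Constructed sample inputs.
$untrusted = '<em>user input</em>';
$trusted_link = SafeRegistry::set('<a href="/node/1">node</a>');
$results = [
  'escaped argument' => format_marked('Hello @name', ['@name' => $untrusted]),
  'safe passthrough' => format_marked('See !link', ['!link' => $trusted_link]),
  'unsafe passthrough' => format_marked('Raw: !raw', ['!raw' => $untrusted]),
];
foreach ($results as $label => $string) {
  printf("%-20s marked safe: %s\n", $label, var_export(SafeRegistry::isSafe($string), TRUE));
}
```

The third call is the case this issue changes: the formatted string is still returned, but it is left unmarked, so later output handling does not treat it as already sanitized.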
Beta phase evaluation
Issue category | Bug because SafeMarkup::isSafe() is returning incorrect information. |
---|---|
Issue priority | Major because incorrectly marking a string as safe can lead to security vulnerabilities. Not critical because String::format() documents that passthrough arguments must already be safe, so this bug only affects code that violates that documentation. Prior versions of Drupal were released with the same expectation that sanitizing passthrough arguments is the responsibility of the caller, so this bug is not a regression. |
Prioritized changes | The main goal of this issue is security. |
Disruption | Only disruptive for modules that are passing strings not marked as safe and expecting the result to be treated as safe. There are some cases in which this expectation is not insecure, such as when the input string is known to be safe due to custom validation but isn't marked as such, but it isn't hard to fix such code to comply with D8 SafeMarkup rules, as is shown in the cases within the patch. |