Problem/Motivation
In Drupal 8 we enabled twig autoescape but we also created SafeMarkup::checkPlain() to escape text and then mark it as safe to ensure that Twig does not double escape it.
Proposed resolution
We should rely on Twig auto escape and completely remove SafeMarkup::checkPlain(). SafeMarkup::checkPlain() is dangerous because if the resulting string is modified in any way, for example nl2br(), the result will no longer be marked safe. The patch also adds Html::encodeEntities as the analogous method to Html::decodeEntities which can be used to escape html entities - but not mark the string as safe.
A common pattern is to use [#markup => Html::encodeEntities($value)] as the auto-xss-admin filter applied by the render system will not touch escaped html.
Remaining tasks
- Agree that this is desired
- Review
- Commit
User interface changes
None
API changes
Remove SafeMarkup::checkPlain()
Add Html::encodeEntities
Data model changes
None
Beta phase evaluation
| Issue category | Bug because we have double escaping in HEAD because of incorrect SafeMarkup::checkPlain() usage |
|---|---|
| Issue priority | Major because SafeMarkup::checkPlain() is hard to use correctly and we should be using auto escape |
| Disruption | Disruptive for core/contributed and custom modules/themes because it will require a BC break as SafeMarkup::checkPlain() no longer exists. However, as shown by the patch most cases will be fixed by just removing it - using a render array and Html::encodeEntities(). I think the disruption is worth it for a less complex and entangled SafeMarkup class. |
