Problem/Motivation
Found when working on #2488538: Add SafeMarkup::remove() to free memory from marked strings when they're printed.
\Drupal\filter\Plugin\Filter\FilterHtml<?php
// Paraphrased.
$tips[$tag][1] = '<a href="'. $base_url . '">'. SafeMarkup::checkPlain(\Drupal::config('system.site')->get('name')) . '</a>';
array('data'=> SafeMarkup::format('<code>@var</code>', array('@var'=> $tips[$tag][1])), 'class'=> array('type')),
array('data'=> SafeMarkup::format($tips[$tag][1]), 'class'=> array('get'))
?>When you have two different formats configured to show the HTML formatting tips, the SafeMarkup calls run twice.
1, When $tips[$tag][1] is passed as @var, it's escaped and marked as safe.
2. When its passed to SafeMarkup::format() as the first argument, it's also marked as safe (unescaped).
3. When once again it's passed as @var, both the escaped and unescaped versions have both been marked as safe, so SafeMarkup doesn't bother to escape something it can see has already been escaped.
The problem is in this case that we actually want the 'double-escaping' here, because we're literally escaping the same string twice.
Proposed resolution
We need to remove SafeMarkup use from FilterHtml since the whole point of this page is print out both escaped and unescaped versions of the same html. Even better, our current test for this is proving that it is broken by testing for unescaped html between the code tags.
Remaining tasks
Determine whether there's a security issue here. If a string is marked as safe in one context, could it be unsafe in another? The approach taken mitigates all security concerns by falling back to the admin filter and all html that ends up on the page is actually contained in FilterHtml and there is nothing unsafe it that.
User interface changes
None.
API changes
None