SafeMarkup::set(), SafeMarkup::checkPlain(), and other methods are removed from Drupal 8 core


Before the release of the first Drupal 8 beta, Twig's autoescape functionality was enabled in Drupal 8 core. At the time, the SafeMarkup class was added in order to integrate Drupal core's own filtering and escaping APIs with Twig's.

Following extensive critical work on Drupal 8's sanitization APIs, most of the public API for the SafeMarkup class has been removed. Of particular note: for the next beta (beta 15), SafeMarkup::set() will be removed and SafeMarkup::checkPlain() will be deprecated for removal before 8.0.0.

SafeMarkup::set() will be removed

The SafeMarkup::set() method was documented for internal use when it was originally added. However, Drupal 8 core (as well as some contrib and custom modules) used it incorrectly to avoid unwanted escaping, because at the time there were no good examples for all use cases, particularly for code that assembled multiple strings of markup. All core usages have now been removed, and the change record has been updated to include recommended strategies for concatenating markup strings. Refer to this change record to replace any remaining usages of SafeMarkup::set().

SafeMarkup::checkPlain() is deprecated and will be removed

In Drupal 7 and earlier, check_plain() was important for sanitizing untrusted input for output to the page. In Drupal 8, Twig's autoescape provides this functionality for any variables passed to a Twig template, and other APIs are used in other circumstances.

When explicit escaping is needed, the most direct replacement for check_plain() or SafeMarkup::checkPlain() is Html::escape(). See the change record section on escaping text in Drupal 8 for details.

The correct use of t() and SafeMarkup::format() is not affected, and these functions will still automatically escape values passed in the second parameter for @variable or %variable placeholders. See the SafeMarkup::format() documentation for details.
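As an added example (not code from the original post or from Drupal core), here is how a custom module could apply these replacements together: t() and SafeMarkup::format() for placeholder escaping, Twig autoescape via the inline_template render element for assembling several pieces of markup, and Html::escape() only where output bypasses Twig. The module name example_module, the function names and the sample input are assumptions.

```php
<?php

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;

/**
 * Builds output from an untrusted string using the APIs the post recommends.
 *
 * @param string $user_input
 *   Untrusted text, e.g. from a form field or URL parameter (assumed caller
 *   value: '<b>x</b> & "y"').
 *
 * @return array
 *   A render array. Nothing here calls SafeMarkup::set() or checkPlain().
 */
function example_module_safe_output($user_input) {
  // t() escapes @value, and escapes %value before wrapping it in <em>, so the
  // raw untrusted string is passed straight in; pre-escaping would double it.
  $summary = t('You entered @value (emphasised: %value).', [
    '@value' => $user_input,
    '%value' => $user_input,
  ]);

  // SafeMarkup::format() applies the same placeholder rules to strings that
  // are not meant to be translated.
  $length = SafeMarkup::format('@count bytes', ['@count' => strlen($user_input)]);

  // Concatenation case: instead of joining strings with '.' and calling
  // SafeMarkup::set() on the result, hand each piece to Twig. Autoescape
  // escapes the plain string 'raw'; the t()/format() results are already
  // safe markup and are inserted unchanged.
  return [
    '#type' => 'inline_template',
    '#template' => '<p>{{ summary }}</p><p>{{ length }}</p><pre>{{ raw }}</pre>',
    '#context' => [
      'summary' => $summary,
      'length' => $length,
      'raw' => $user_input,
    ],
  ];
}

/**
 * Explicit escaping, the direct check_plain() replacement, for markup that is
 * written by hand outside any Twig template. Do not also pass the result into
 * a Twig variable: autoescape would escape it again and render '&amp;lt;'.
 */
function example_module_escape_for_manual_markup($user_input) {
  // '<b>x</b> & "y"' becomes '&lt;b&gt;x&lt;/b&gt; &amp; &quot;y&quot;'.
  return Html::escape($user_input);
}
```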