Security update for Core, with self-updated composer

[yaffs-website] / web / core / lib / Drupal / Core / Render / Renderer.php

diff --git a/web/core/lib/Drupal/Core/Render/Renderer.php b/web/core/lib/Drupal/Core/Render/Renderer.php
index 257349f973c2ed2e22a89d7788a790e244afd299..00246943f5471105e4d67b4456b21d3ce9422332 100644 (file)
--- a/web/core/lib/Drupal/Core/Render/Renderer.php
+++ b/web/core/lib/Drupal/Core/Render/Renderer.php
@@ -309,7 +309,9 @@ class Renderer implements RendererInterface {
       if (count($elements['#lazy_builder']) !== 2) {
         throw new \DomainException('The #lazy_builder property must have an array as a value, containing two values: the callback, and the arguments for the callback.');
       }
-      if (count($elements['#lazy_builder'][1]) !== count(array_filter($elements['#lazy_builder'][1], function($v) { return is_null($v) || is_scalar($v); }))) {
+      if (count($elements['#lazy_builder'][1]) !== count(array_filter($elements['#lazy_builder'][1], function ($v) {
+        return is_null($v) || is_scalar($v);
+      }))) {
         throw new \DomainException("A #lazy_builder callback's context may only contain scalar values or NULL.");
       }
       $children = Element::children($elements);
@@ -338,9 +340,9 @@ class Renderer implements RendererInterface {
     // If instructed to create a placeholder, and a #lazy_builder callback is
     // present (without such a callback, it would be impossible to replace the
     // placeholder), replace the current element with a placeholder.
-    // @todo remove the isMethodSafe() check when
+    // @todo remove the isMethodCacheable() check when
     //       https://www.drupal.org/node/2367555 lands.
-    if (isset($elements['#create_placeholder']) && $elements['#create_placeholder'] === TRUE && $this->requestStack->getCurrentRequest()->isMethodSafe()) {
+    if (isset($elements['#create_placeholder']) && $elements['#create_placeholder'] === TRUE && $this->requestStack->getCurrentRequest()->isMethodCacheable()) {
       if (!isset($elements['#lazy_builder'])) {
         throw new \LogicException('When #create_placeholder is set, a #lazy_builder callback must be present as well.');
       }
@@ -507,11 +509,17 @@ class Renderer implements RendererInterface {
     // We store the resulting output in $elements['#markup'], to be consistent
     // with how render cached output gets stored. This ensures that placeholder
     // replacement logic gets the same data to work with, no matter if #cache is
-    // disabled, #cache is enabled, there is a cache hit or miss.
-    $prefix = isset($elements['#prefix']) ? $this->xssFilterAdminIfUnsafe($elements['#prefix']) : '';
-    $suffix = isset($elements['#suffix']) ? $this->xssFilterAdminIfUnsafe($elements['#suffix']) : '';
-
-    $elements['#markup'] = Markup::create($prefix . $elements['#children'] . $suffix);
+    // disabled, #cache is enabled, there is a cache hit or miss. If
+    // #render_children is set the #prefix and #suffix will have already been
+    // added.
+    if (isset($elements['#render_children'])) {
+      $elements['#markup'] = Markup::create($elements['#children']);
+    }
+    else {
+      $prefix = isset($elements['#prefix']) ? $this->xssFilterAdminIfUnsafe($elements['#prefix']) : '';
+      $suffix = isset($elements['#suffix']) ? $this->xssFilterAdminIfUnsafe($elements['#suffix']) : '';
+      $elements['#markup'] = Markup::create($prefix . $elements['#children'] . $suffix);
+    }
 
     // We've rendered this element (and its subtree!), now update the context.
     $context->update($elements);