brummbar
commented
8 months ago Never use Markup::create() on content, especially on something that can be entered by editors. Since the issue lacks information on how the data is being injected, I can only deduce from the ELA ticket that the content of a field was directly outputted to the card field instead of having something like
'#type' => 'processed_text',
'#text' => '<p>the text</p>',
'#format' => 'the_format',So the suggested solution not only is wrong but also very dangerous. See #362 video at the bottom.
Solution: Wrap the text into the Drupal\Core\Render\Markup::create() method. Proposed patch : https://github.com/openeuropa/oe_bootstrap_theme/pull/329