Markup Saved to Arguments for Token Replacement returns as __PHP_Incomplete_Class #252
Description
After upgrading from Drupal 8.5.3. to 8.5.14, message tokens which were created using Markup were no longer displaying.
This may not be a widespread issue, as our implementation is slightly customized where we dynamically create messages when events on the. website occur. In this case, we pass through custom tokens to get replaced by the template, some of which include HTML.
$message->setArguments([
'@user' => Markup::create('<a href="/user/'.$user->id().'">'.$user->getAccountName().'</a>'),
'@text' => ' posted a Blog - ',
'@content' => Markup::create('<a href="'.$node->url().'">'.$node->getTitle().'</a>'),
]);
After the upgrade, anything wrapped in Markup::create() started throwing an error as it was being returned as __PHP_Incomplete_Class. Digging into this, and finally coming across a post on the shopify module queue here: https://www.drupal.org/project/shopify/issues/3034741 it was clear it was due to SA-CORE-2019-003 security release which uses unserialize($values, ['allowed_classes' => FALSE]); and thus turns the unserialized object into a "__PHP_Incomplete_Class" object.