Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username...

Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username lazy builder only XSS filters but doesn't escape user display name - stored remote request

core/modules/user/src/ToolbarLinkBuilder.php

@@ -80,7 +80,7 @@ public function renderToolbarLinks() {
    */
   public function renderDisplayName() {
     return [
-      '#markup' => $this->account->getDisplayName(),
+      '#plain_text' => $this->account->getDisplayName(),
     ];
   }
 

core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php

+<?php
+
+namespace Drupal\Tests\user\Unit;
+
+use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\Tests\UnitTestCase;
+use Drupal\user\ToolbarLinkBuilder;
+
+/**
+ * Tests user's ToolbarLinkBuilder.
+ *
+ * @coversDefaultClass \Drupal\user\ToolbarLinkBuilder
+ * @group user
+ */
+class ToolbarLinkBuilderTest extends UnitTestCase {
+
+  /**
+   * Tests structure of display name render array.
+   *
+   * @covers ::renderDisplayName
+   */
+  public function testRenderDisplayName() {
+    $account = $this->prophesize(AccountProxyInterface::class);
+    $display_name = 'Something suspicious that should be #plain_text, not #markup';
+    $account->getDisplayName()->willReturn($display_name);
+    $toolbar_link_builder = new ToolbarLinkBuilder($account->reveal());
+    $expected = ['#plain_text' => $display_name];
+    $this->assertSame($expected, $toolbar_link_builder->renderDisplayName());
+  }
+
+}