Issue #2304965 by longwave | klausi: Fixed Port form_select_options() XSS fix...

Issue #2304965 by longwave | klausi: Fixed Port form_select_options() XSS fix from SA-CORE-2014-003.

Issue #2304965 by longwave | klausi: Fixed Port form_select_options() XSS fix...
c05668e7 · Alex Pott · 4ac137de · c05668e7 · c05668e7 · c05668e7
Commit c05668e7 authored 10 years ago by Alex Pott
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -888,7 +888,7 @@ function form_select_options($element, $choices = NULL) {
  $options = '';
  foreach ($choices as $key => $choice) {
    if (is_array($choice)) {
-      $options .= '<optgroup label="' . $key . '">';
+      $options .= '<optgroup label="' . String::checkPlain($key) . '">';
      $options .= form_select_options($element, $choice);
      $options .= '</optgroup>';
    }

--- a/core/modules/options/src/Tests/OptionsWidgetsTest.php
+++ b/core/modules/options/src/Tests/OptionsWidgetsTest.php
@@ -317,6 +317,7 @@ function testSelectListSingle() {
    $this->assertNoOptionSelected('edit-card-1', 1);
    $this->assertNoOptionSelected('edit-card-1', 2);
    $this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
    $this->assertRaw('Group 1', 'Option groups are displayed.');

    // Submit form: select first option.
@@ -437,6 +438,7 @@ function testSelectListMultiple() {
    $this->assertNoOptionSelected('edit-card-2', 1);
    $this->assertNoOptionSelected('edit-card-2', 2);
    $this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
    $this->assertRaw('Group 1', 'Option groups are displayed.');

    // Submit form: select first option.

--- a/core/modules/options/tests/options_test.module
+++ b/core/modules/options/tests/options_test.module
@@ -20,6 +20,9 @@ function options_test_allowed_values_callback(FieldDefinitionInterface $field_de
    'Group 2' => array(
      2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>',
    ),
+    'More <script>dangerous</script> markup' => array(
+      3 => 'Three',
+    ),
  );

  return $values;