Issue #2503963 by Wim Leers, dawehner, nlisgo, mlhess, xjm, effulgentsia, JvE:...

Issue #2503963 by Wim Leers, dawehner, nlisgo, mlhess, xjm, effulgentsia, JvE: XSS in Quick Edit: entity title is not safely encoded

core/modules/editor/src/Tests/QuickEditIntegrationTest.php

@@ -176,7 +176,6 @@ public function testMetadata() {
       'access' => TRUE,
       'label' => 'Long text field',
       'editor' => 'editor',
-      'aria' => 'Entity entity_test 1, field Long text field',
       'custom' => array(
         'format' => 'full_html',
         'formatHasTransformations' => FALSE,

core/modules/quickedit/js/theme.js

@@ -59,7 +59,8 @@
    *   The corresponding HTML.
    */
   Drupal.theme.quickeditEntityToolbarLabel = function (settings) {
-    return '<span class="field">' + settings.fieldLabel + '</span>' + settings.entityLabel;
+    // @todo Add XSS regression test coverage in https://www.drupal.org/node/2547437
+    return '<span class="field">' + Drupal.checkPlain(settings.fieldLabel) + '</span>' + Drupal.checkPlain(settings.entityLabel);
   };
 
   /**

core/modules/quickedit/js/views/EntityToolbarView.js

@@ -454,7 +454,8 @@
         });
       }
       else {
-        label = entityLabel;
+        // @todo Add XSS regression test coverage in https://www.drupal.org/node/2547437
+        label = Drupal.checkPlain(entityLabel);
       }
 
       this.$el

core/modules/quickedit/src/MetadataGenerator.php

@@ -89,10 +89,9 @@ public function generateFieldMetadata(FieldItemListInterface $items, $view_mode)
     $label = $items->getFieldDefinition()->getLabel();
     $editor = $this->editorManager->createInstance($editor_id);
     $metadata = array(
-      'label' => SafeMarkup::checkPlain($label),
+      'label' => $label,
       'access' => TRUE,
       'editor' => $editor_id,
-      'aria' => t('Entity @type @id, field @field', array('@type' => $entity->getEntityTypeId(), '@id' => $entity->id(), '@field' => $label)),
     );
     $custom_metadata = $editor->getMetadata($items);
     if (count($custom_metadata)) {

core/modules/quickedit/src/Tests/MetadataGeneratorTest.php

@@ -107,7 +107,6 @@ public function testSimpleEntityType() {
       'access' => TRUE,
       'label' => 'Plain text field',
       'editor' => 'plain_text',
-      'aria' => 'Entity entity_test 1, field Plain text field',
     );
     $this->assertEqual($expected_1, $metadata_1, 'The correct metadata is generated for the first field.');
 
@@ -118,7 +117,6 @@ public function testSimpleEntityType() {
       'access' => TRUE,
       'label' => 'Simple number field',
       'editor' => 'form',
-      'aria' => 'Entity entity_test 1, field Simple number field',
     );
     $this->assertEqual($expected_2, $metadata_2, 'The correct metadata is generated for the second field.');
   }
@@ -177,7 +175,6 @@ public function testEditorWithCustomMetadata() {
       'access' => TRUE,
       'label' => 'Rich text field',
       'editor' => 'wysiwyg',
-      'aria' => 'Entity entity_test 1, field Rich text field',
       'custom' => array(
         'format' => 'full_html'
       ),

core/modules/quickedit/src/Tests/QuickEditLoadingTest.php

@@ -174,7 +174,6 @@ public function testUserWithPermission() {
         'label' => 'Body',
         'access' => TRUE,
         'editor' => 'form',
-        'aria' => 'Entity node 1, field Body',
       )
     );
     $this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.');
@@ -333,7 +332,6 @@ public function testTitleBaseField() {
         'label' => 'Title',
         'access' => TRUE,
         'editor' => 'plain_text',
-        'aria' => 'Entity node 1, field Title',
       )
     );
     $this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.');