Issue #2512106 by cilefen, droplet, alexpott: Inline templates are XSS filtered incorrectly

0f9ebb2a · catch · 484b071d · 0f9ebb2a · 0f9ebb2a · 0f9ebb2a
Commit 0f9ebb2a authored Jul 20, 2015 by catch
3 changed files
--- a/core/lib/Drupal/Core/Template/TwigEnvironment.php
+++ b/core/lib/Drupal/Core/Template/TwigEnvironment.php
@@ -7,6 +7,7 @@

 namespace Drupal\Core\Template;

+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\PhpStorage\PhpStorageFactory;

 /**
@@ -201,7 +202,9 @@ public function getTemplateClass($name, $index = NULL) {
  public function renderInline($template_string, array $context = array()) {
    // Prefix all inline templates with a special comment.
    $template_string = '{# inline_template_start #}' . $template_string;
-    return $this->loadTemplate($template_string, NULL)->render($context);
+    // @todo replace with object implementating SafeStringInterface in
+    //   https://www.drupal.org/node/2506581.
+    return SafeMarkup::set($this->loadTemplate($template_string, NULL)->render($context));
  }

 }
--- a/core/modules/system/src/Tests/Module/UninstallTest.php
+++ b/core/modules/system/src/Tests/Module/UninstallTest.php
@@ -57,6 +57,10 @@ function testUninstallPage() {
    $this->drupalGet('admin/modules/uninstall');
    $this->assertTitle(t('Uninstall') . ' | Drupal');

+    // Be sure labels are rendered properly.
+    // @see regression https://www.drupal.org/node/2512106
+    $this->assertRaw('<label for="edit-uninstall-node" class="module-name table-filter-text-source">Node</label>');
+
    $this->assertText(\Drupal::translation()->translate('The following reason prevents Node from being uninstalled:'));
    $this->assertText(\Drupal::translation()->translate('There is content for the entity type: Content'));
    // Delete the node to allow node to be uninstalled.

--- a/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php
+++ b/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php
@@ -41,10 +41,10 @@ public function testInlineTemplate() {
    $unsafe_string = '<script>alert(\'Danger! High voltage!\');</script>';
    $element['test'] = array(
      '#type' => 'inline_template',
-      '#template' => 'test-with-context {{ unsafe_content }}',
+      '#template' => 'test-with-context <label>{{ unsafe_content }}</label>',
      '#context' => array('unsafe_content' => $unsafe_string),
    );
-    $this->assertEqual($renderer->renderRoot($element), 'test-with-context ' . SafeMarkup::checkPlain($unsafe_string));
+    $this->assertEqual($renderer->renderRoot($element), 'test-with-context <label>' . SafeMarkup::checkPlain($unsafe_string) . '</label>');

    // Enable twig_auto_reload and twig_debug.
    $settings = Settings::getAll();