Commit 33377912 authored by webchick

Issue #1179424 by aspilicious, Heine, pwolanin, scor: Fixed Color module...

Issue #1179424 by aspilicious, Heine, pwolanin, scor: Fixed Color module security fixes from SA-CORE-2011-001 not yet applied to Drupal 8.
parent 0e5bc01b
......@@ -42,6 +42,7 @@ function color_form_system_theme_settings_alter(&$form, &$form_state) {
'#theme' => 'color_scheme_form',
);
$form['color'] += color_scheme_form($form, $form_state, $theme);
$form['#validate'][] = 'color_scheme_form_validate';
$form['#submit'][] = 'color_scheme_form_submit';
}
}
......@@ -270,6 +271,18 @@ function theme_color_scheme_form($variables) {
return $output;
}
/**
* Validation handler for color change form.
*/
function color_scheme_form_validate($form, &$form_state) {
// Only accept hexadecimal CSS color strings to avoid XSS upon use.
foreach ($form_state['values']['palette'] as $key => $color) {
if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
form_set_error('palette][' . $key, t('You must enter a valid hexadecimal color value for %name.', array('%name' => $form['color']['palette'][$key]['#title'])));
}
}
}
/**
* Submit handler for color change form.
*/
......
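Review bot: color_scheme_form_validate iterates `$form_state['values']['palette']` without checking that the key is present and is an array, so a submission that omits the palette (whether the form can be posted that way is not visible from this hunk) would trigger a PHP warning from foreach and leave the loop body unexecuted, i.e. the handler would neither reject nor validate anything. A guard before the loop such as `$palette = isset($form_state['values']['palette']) && is_array($form_state['values']['palette']) ? $form_state['values']['palette'] : array();` keeps the handler deterministic on malformed input. The docblock should also record why the pattern looks the way it does, e.g. `The D modifier stops $ from matching before a trailing newline, so "#fff\n" is rejected too; only 3- or 6-digit hex forms are accepted.` Note that `preg_match()` returning FALSE on a PCRE error also fails the `!` test, which is the safe direction here and worth a one-line comment.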
......@@ -11,6 +11,7 @@
class ColorTestCase extends DrupalWebTestCase {
protected $big_user;
protected $themes;
protected $colorTests;
public static function getInfo() {
return array(
......@@ -40,6 +41,19 @@ class ColorTestCase extends DrupalWebTestCase {
),
);
theme_enable(array_keys($this->themes));
// Array filled with valid and not valid color values
$this->colorTests = array(
'#000' => TRUE,
'#123456' => TRUE,
'#abcdef' => TRUE,
'#0' => FALSE,
'#00' => FALSE,
'#0000' => FALSE,
'#00000' => FALSE,
'123456' => FALSE,
'#00000g' => FALSE,
);
}
/**
......@@ -93,4 +107,27 @@ class ColorTestCase extends DrupalWebTestCase {
$this->assertTrue(strpos($stylesheet_content, 'public://') === FALSE, 'Make sure the color paths have been translated to local paths. (' . $theme . ')');
variable_set('preprocess_css', 0);
}
/**
* Test to see if the provided color is valid
*/
function testValidColor() {
variable_set('theme_default', 'bartik');
$settings_path = 'admin/appearance/settings/bartik';
$this->drupalLogin($this->big_user);
$edit['scheme'] = '';
foreach ($this->colorTests as $color => $is_valid) {
$edit['palette[bg]'] = $color;
$this->drupalPost($settings_path, $edit, t('Save configuration'));
if($is_valid) {
$this->assertText('The configuration options have been saved.');
}
else {
$this->assertText('You must enter a valid hexadecimal color value for Main background.');
}
}
}
}
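Review bot: testValidColor asserts only the presence of one message per branch, so a regression where both the error and the saved message appear would still pass; add `$this->assertNoText('The configuration options have been saved.');` to the invalid branch and the matching `assertNoText` of the error string to the valid branch. The dataset added in the earlier hunk (`$this->colorTests`) has no trailing-newline case, which is exactly what the `D` modifier on the validation pattern guards against; adding `"#000\n" => FALSE` would pin that behaviour. Also `if($is_valid)` should be `if ($is_valid)` to match the spacing used elsewhere in the file, and the docblock could read `Tests that only hexadecimal CSS color strings are accepted by the palette form.`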