Commit 602a1443 authored by webchick

Issue #2369781 by larowlan: Ensure twig_debug output has needed sanitization

parent 33d9b651
......@@ -48,8 +48,10 @@ function testTwigDebugMarkup() {
$build = node_view($node);
$output = drupal_render($build);
$this->assertTrue(strpos($output, '<!-- THEME DEBUG -->') !== FALSE, 'Twig debug markup found in theme output when debug is enabled.');
$this->setRawContent($output);
$this->assertTrue(strpos($output, "THEME HOOK: 'node'") !== FALSE, 'Theme call information found.');
$this->assertTrue(strpos($output, '* node--1--full' . $extension . PHP_EOL . ' x node--1' . $extension . PHP_EOL . ' * node--page--full' . $extension . PHP_EOL . ' * node--page' . $extension . PHP_EOL . ' * node--full' . $extension . PHP_EOL . ' * node' . $extension) !== FALSE, 'Suggested template files found in order and node ID specific template shown as current template.');
$this->assertEscaped('node--<script type="text/javascript">alert(\'yo\');</script>');
$template_filename = $templates['node__1']['path'] . '/' . $templates['node__1']['template'] . $extension;
$this->assertTrue(strpos($output, "BEGIN OUTPUT from '$template_filename'") !== FALSE, 'Full path to current template file found.');
......@@ -67,7 +69,7 @@ function testTwigDebugMarkup() {
$build += node_view($node3);
$output = drupal_render($build);
$this->assertTrue(strpos($output, "THEME HOOK: 'node__foo__bar'") !== FALSE, 'Theme call information found.');
$this->assertTrue(strpos($output, '* node--foo--bar' . $extension . PHP_EOL . ' * node--foo' . $extension . PHP_EOL . ' * node--3--full' . $extension . PHP_EOL . ' * node--3' . $extension . PHP_EOL . ' * node--page--full' . $extension . PHP_EOL . ' * node--page' . $extension . PHP_EOL . ' * node--full' . $extension . PHP_EOL . ' x node' . $extension) !== FALSE, 'Suggested template files found in order and base template shown as current template.');
$this->assertTrue(strpos($output, '* node--foo--bar' . $extension . PHP_EOL . ' * node--foo' . $extension . PHP_EOL . ' * node--&lt;script type=&quot;text/javascript&quot;&gt;alert(&#039;yo&#039;);&lt;/script&gt;' . $extension . PHP_EOL . ' * node--3--full' . $extension . PHP_EOL . ' * node--3' . $extension . PHP_EOL . ' * node--page--full' . $extension . PHP_EOL . ' * node--page' . $extension . PHP_EOL . ' * node--full' . $extension . PHP_EOL . ' x node' . $extension) !== FALSE, 'Suggested template files found in order and base template shown as current template.');
// Disable debug, rebuild the service container, and clear all caches.
$parameters = $this->container->getParameter('twig.config');
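Review bot: The assertions at L14 and L22 only prove the escaped form of the payload is present; they would still pass if the raw `<script>` also leaked into another debug line, so the test should additionally pin its absence with `$this->assertNoRaw('node--<script type="text/javascript">alert(\'yo\');</script>');` right after the `assertEscaped()` call (setRawContent() has already been called, so assertNoRaw() has the output). The payload literal is now duplicated between this test and theme_test's suggestion hook; a class constant or a short comment on the test side saying where the `<script>` suggestion comes from (`// Injected by theme_test_theme_suggestions_node().`) would make the coupling visible. Only the suggestion list is exercised with hostile input; the `THEME HOOK:` and `BEGIN/END OUTPUT` lines are checked with benign values, so a regression there would go unnoticed. testTwigDebugMarkup() starts before and continues past this section, and the rendering appears to have dropped a blank line or two from each hunk.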
......@@ -164,3 +164,13 @@ function theme_test_system_info_alter(array &$info, Extension $file, $type) {
$info['libraries'][] = 'core/backbone';
}
}
/**
* Implements hook_theme_suggestions_HOOK().
*/
function theme_test_theme_suggestions_node(array $variables) {
$xss = '<script type="text/javascript">alert(\'yo\');</script>';
$suggestions[] = 'node__' . $xss;
return $suggestions;
}
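Review bot: `$suggestions[]` on L35 appends to a variable that was never declared, relying on PHP's implicit array creation; initialise it explicitly with `$suggestions = array();` before the append so the function reads cleanly under strict analysis. The docblock only names the hook it implements; since this hook unconditionally injects markup into every node render while theme_test is enabled, say why: `Adds a suggestion containing markup so TwigDebugMarkupTest can verify that twig_debug output is escaped.` The `$variables` parameter is unused, which is fine for a hook implementation but worth the same comment noting the suggestion is added regardless of the node.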
......@@ -64,7 +64,7 @@ function twig_render_template($template_file, $variables) {
}
if ($twig_service->isDebug()) {
$output['debug_prefix'] .= "\n\n<!-- THEME DEBUG -->";
$output['debug_prefix'] .= "\n<!-- THEME HOOK: '{$variables['theme_hook_original']}' -->";
$output['debug_prefix'] .= "\n<!-- THEME HOOK: '" . String::checkPlain($variables['theme_hook_original']) . "' -->";
// If there are theme suggestions, reverse the array so more specific
// suggestions are shown first.
if (!empty($variables['theme_hook_suggestions'])) {
......@@ -98,10 +98,10 @@ function twig_render_template($template_file, $variables) {
$prefix = ($template == $current_template) ? 'x' : '*';
$suggestion = $prefix . ' ' . $template;
}
$output['debug_info'] .= "\n<!-- FILE NAME SUGGESTIONS:\n " . implode("\n ", $suggestions) . "\n-->";
$output['debug_info'] .= "\n<!-- FILE NAME SUGGESTIONS:\n " . String::checkPlain(implode("\n ", $suggestions)) . "\n-->";
}
$output['debug_info'] .= "\n<!-- BEGIN OUTPUT from '{$template_file}' -->\n";
$output['debug_suffix'] .= "\n<!-- END OUTPUT from '{$template_file}' -->\n\n";
$output['debug_info'] .= "\n<!-- BEGIN OUTPUT from '" . String::checkPlain($template_file) . "' -->\n";
$output['debug_suffix'] .= "\n<!-- END OUTPUT from '" . String::checkPlain($template_file) . "' -->\n\n";
}
return SafeMarkup::set(implode('', $output));
}
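Review bot: Escaping is now applied one call site at a time (L43, L52, L56, L57) while L59 still passes the whole concatenation through `SafeMarkup::set()`, so any future interpolation into `$output` that forgets `checkPlain()` becomes an XSS in debug mode; assuming the `String` class already imported for checkPlain() is the component utility, building each line with placeholders escapes by construction, e.g. `$output['debug_prefix'] .= String::format("\n<!-- THEME HOOK: '@hook' -->", array('@hook' => $variables['theme_hook_original']));`, and the same pattern fits the three other lines. The values sit inside an HTML comment, where the only sequence that matters is `-->`; checkPlain() defends against it only because it encodes `>`, which deserves a comment such as `// Values are inside an HTML comment; checkPlain() encodes '>' so a crafted suggestion cannot close the comment early.` so nobody later swaps in a lighter filter. twig_render_template() starts before the first hunk and the suggestion loop between the two hunks is outside this view.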