From 60f2a21d48e122d29c9996fc2970f7b4e4644556 Mon Sep 17 00:00:00 2001
From: Dave Long <dave@longwaveconsulting.com>
Date: Tue, 12 Sep 2023 21:45:49 +0100
Subject: [PATCH] Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim:
Toolbar username lazy builder only XSS filters but doesn't escape user
display name - stored remote request
---
core/modules/user/src/ToolbarLinkBuilder.php | 2 +-
.../tests/src/Unit/ToolbarLinkBuilderTest.php | 31 +++++++++++++++++++
2 files changed, 32 insertions(+), 1 deletion(-)
create mode 100644 core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php
diff --git a/core/modules/user/src/ToolbarLinkBuilder.php b/core/modules/user/src/ToolbarLinkBuilder.php
index b278db6dba4c..8d989b339e52 100644
--- a/core/modules/user/src/ToolbarLinkBuilder.php
+++ b/core/modules/user/src/ToolbarLinkBuilder.php
@@ -80,7 +80,7 @@ public function renderToolbarLinks() {
*/
public function renderDisplayName() {
return [
- '#markup' => $this->account->getDisplayName(),
+ '#plain_text' => $this->account->getDisplayName(),
];
}
diff --git a/core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php b/core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php
new file mode 100644
index 000000000000..40be72a66645
--- /dev/null
+++ b/core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace Drupal\Tests\user\Unit;
+
+use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\Tests\UnitTestCase;
+use Drupal\user\ToolbarLinkBuilder;
+
+/**
+ * Tests user's ToolbarLinkBuilder.
+ *
+ * @coversDefaultClass \Drupal\user\ToolbarLinkBuilder
+ * @group user
+ */
+class ToolbarLinkBuilderTest extends UnitTestCase {
+
+ /**
+ * Tests structure of display name render array.
+ *
+ * @covers ::renderDisplayName
+ */
+ public function testRenderDisplayName() {
+ $account = $this->prophesize(AccountProxyInterface::class);
+ $display_name = 'Something suspicious that should be #plain_text, not #markup';
+ $account->getDisplayName()->willReturn($display_name);
+ $toolbar_link_builder = new ToolbarLinkBuilder($account->reveal());
+ $expected = ['#plain_text' => $display_name];
+ $this->assertSame($expected, $toolbar_link_builder->renderDisplayName());
+ }
+
+}
--
GitLab