Verified Commit 62fb9199 authored by Alex Pott's avatar Alex Pott

Issue #637538 by pooja_sharma, mr.baileys, AaronBauman, Bhanu951, alexpott,...

Issue #637538 by pooja_sharma, mr.baileys, AaronBauman, Bhanu951, alexpott, rteijeiro, greggles, pwolanin, meba, Nikhil_110, smustgrave, quietone, casey, naveenvalecha, sime, humansky, dawehner: Module and theme names are not filtered on output

(cherry picked from commit 4c82b7ea)
parent b8de1821
...@@ -17,10 +17,12 @@ ...@@ -17,10 +17,12 @@
use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface;
use Drupal\Core\Link; use Drupal\Core\Link;
use Drupal\Core\Render\Element; use Drupal\Core\Render\Element;
use Drupal\Core\Render\Markup;
use Drupal\Core\Session\AccountInterface; use Drupal\Core\Session\AccountInterface;
use Drupal\user\PermissionHandlerInterface; use Drupal\user\PermissionHandlerInterface;
use Drupal\Core\Url; use Drupal\Core\Url;
use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\DependencyInjection\ContainerInterface;
use Drupal\Component\Utility\Xss;
/** /**
* Provides module installation interface. * Provides module installation interface.
...@@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { ...@@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
foreach (Element::children($form['modules']) as $package) { foreach (Element::children($form['modules']) as $package) {
$form['modules'][$package] += [ $form['modules'][$package] += [
'#type' => 'details', '#type' => 'details',
'#title' => $this->t($package), '#title' => Markup::create(Xss::filterAdmin($this->t($package))),
'#open' => TRUE, '#open' => TRUE,
'#theme' => 'system_modules_details', '#theme' => 'system_modules_details',
'#attributes' => ['class' => ['package-listing']], '#attributes' => ['class' => ['package-listing']],
...@@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) { ...@@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) {
]) ])
)->toString(); )->toString();
} }
$row['description']['#markup'] = $this->t($module->info['description']); $row['description']['#markup'] = (string) $this->t($module->info['description']);
$row['version']['#markup'] = $module->info['version']; $row['version']['#markup'] = $module->info['version'];
// Generate link for module's help page. Assume that if a hook_help() // Generate link for module's help page. Assume that if a hook_help()
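Review bot: The `(string)` cast added in `$row['description']['#markup'] = (string) $this->t($module->info['description']);` is the whole fix for that line, yet it reads as redundant, so a one-line comment should say why it must stay. If I read the render pipeline right, '#markup' is run through Xss::filterAdmin() only when it is a plain string, while a TranslatableMarkup object implementing MarkupInterface is printed as-is, so a later cleanup that drops the cast would silently reopen the issue. Something like `// Cast to string so the renderer applies Xss::filterAdmin() to '#markup'; a TranslatableMarkup object would be output unfiltered.` would record that. The `'#title'` line in the earlier hunk takes the opposite route, filtering explicitly and wrapping in Markup::create(), and a short comment there too would make the two strategies look deliberate rather than inconsistent. buildRow() continues outside the hunk.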
...@@ -6,8 +6,10 @@ ...@@ -6,8 +6,10 @@
*/ */
use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Link; use Drupal\Core\Link;
use Drupal\Core\Render\Element; use Drupal\Core\Render\Element;
use Drupal\Core\Render\Markup;
use Drupal\Core\Template\Attribute; use Drupal\Core\Template\Attribute;
use Drupal\Core\Url; use Drupal\Core\Url;
...@@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) { ...@@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) {
} }
// Localize the theme description. // Localize the theme description.
$current_theme['description'] = t($theme->info['description']); $current_theme['description'] = Markup::create(Xss::filterAdmin(t($theme->info['description'])));
$current_theme['attributes'] = new Attribute(); $current_theme['attributes'] = new Attribute();
$current_theme['name'] = $theme->info['name']; $current_theme['name'] = $theme->info['name'];
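Review bot: The line `$current_theme['description'] = Markup::create(Xss::filterAdmin(t($theme->info['description'])));` should carry a comment on why the filtered string is wrapped in Markup::create() instead of being left as a plain string, since that wrapper is what makes Twig print it without autoescaping. Presumably the intent is that the admin-safe tags Xss::filterAdmin() leaves in place still render as HTML, as they did when t() returned a TranslatableMarkup; a comment such as `// Reduce the description to admin-safe HTML, then mark it safe so Twig does not escape the remaining tags.` would state that. It would also help to note beside `$current_theme['name'] = $theme->info['name'];` that the name is intentionally left as a plain string so Twig autoescapes it, if that is indeed why it is not filtered here. template_preprocess_system_themes_page() continues outside the hunk.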
name: <script>alert('Evil module name');</script>
type: module
description: <script>alert('Evil module desc');</script>
package: Testing
version: VERSION
<?php
declare(strict_types=1);
namespace Drupal\Tests\system\Functional;
use Drupal\Tests\BrowserTestBase;
/**
* Tests module and theme pages do not have XSS vulnerabilities.
*
* @group system
*/
class ModuleThemePageXssVulnerabilityTest extends BrowserTestBase {
/**
* {@inheritdoc}
*/
protected static $modules = ['system'];
/**
* {@inheritdoc}
*/
protected $defaultTheme = 'stark';
/**
* {@inheritdoc}
*/
protected function setUp(): void {
parent::setUp();
$admin = $this->drupalCreateUser([
'administer modules',
'administer themes',
]);
$this->drupalLogin($admin);
}
/**
* Tests extension info cannot create XSS vulnerabilities.
*/
public function testExtensionInfoXss(): void {
$this->drupalGet("admin/modules");
$this->assertSession()->pageTextContains("alert('Evil module name');");
$this->assertSession()->pageTextContains("alert('Evil module desc');");
$this->assertSession()->responseNotContains("<script>alert(");
$this->drupalGet("admin/appearance");
$this->assertSession()->pageTextContains("alert('Evil theme name');");
$this->assertSession()->pageTextContains("alert('Evil theme desc');");
$this->assertSession()->responseNotContains("<script>alert(");
}
}
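Review bot: The test body uses double-quoted strings for literals with no interpolation, such as `$this->drupalGet("admin/modules");`, `$this->drupalGet("admin/appearance");` and `$this->assertSession()->responseNotContains("<script>alert(");`; Drupal's coding standard uses single quotes there, so these should become `$this->drupalGet('admin/modules');` and so on, while the pageTextContains() arguments can keep double quotes because they embed single quotes. The class docblock should also name which fixture module and theme supply the `<script>` payloads, since nothing in `$modules` or the test method points at them and the expectations only hold while those info files keep their current name and description values. A sentence like `Relies on the test module and theme whose info files carry script tags in their name and description.` would do.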
name: <script>alert('Evil theme name');</script>
type: theme
description: <script>alert('Evil theme desc');</script>
version: VERSION
base theme: false