Verified Commit 80833d64 authored by Alex Pott's avatar Alex Pott

Issue #637538 by pooja_sharma, mr.baileys, AaronBauman, Bhanu951, alexpott,...

Issue #637538 by pooja_sharma, mr.baileys, AaronBauman, Bhanu951, alexpott, rteijeiro, greggles, pwolanin, meba, Nikhil_110, smustgrave, quietone, casey, naveenvalecha, sime, humansky, dawehner: Module and theme names are not filtered on output

(cherry picked from commit 4c82b7ea)
parent 775c7267
        ......@@ -17,10 +17,12 @@
        use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface;
        use Drupal\Core\Link;
        use Drupal\Core\Render\Element;
        use Drupal\Core\Render\Markup;
        use Drupal\Core\Session\AccountInterface;
        use Drupal\user\PermissionHandlerInterface;
        use Drupal\Core\Url;
        use Symfony\Component\DependencyInjection\ContainerInterface;
        use Drupal\Component\Utility\Xss;
        /**
        * Provides module installation interface.
        ......@@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
        foreach (Element::children($form['modules']) as $package) {
        $form['modules'][$package] += [
        '#type' => 'details',
        '#title' => $this->t($package),
        '#title' => Markup::create(Xss::filterAdmin($this->t($package))),
        '#open' => TRUE,
        '#theme' => 'system_modules_details',
        '#attributes' => ['class' => ['package-listing']],
        ......@@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) {
        ])
        )->toString();
        }
        $row['description']['#markup'] = $this->t($module->info['description']);
        $row['description']['#markup'] = (string) $this->t($module->info['description']);
        $row['version']['#markup'] = $module->info['version'];
        // Generate link for module's help page. Assume that if a hook_help()
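Review bot: The `(string)` cast at `$row['description']['#markup'] = (string) $this->t($module->info['description']);` closes the hole only because, as far as I can tell, the renderer runs its admin XSS filter over string `#markup` values but trusts a TranslatableMarkup object as-is; nothing on the line records that dependency, and the `#title` fix two hunks up uses the explicit `Xss::filterAdmin()` form instead, so a later maintainer could "simplify" the cast away and reintroduce the bug. A comment such as `// Cast to string so the renderer XSS-filters the translated description; a MarkupInterface object would bypass that filtering.` would make the two sites explainable. The added `use Drupal\Component\Utility\Xss;` sits after the Symfony import rather than alphabetically with the other Drupal imports. buildForm() and buildRow() both continue outside the hunks.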
        ......@@ -6,8 +6,10 @@
        */
        use Drupal\Component\Utility\Html;
        use Drupal\Component\Utility\Xss;
        use Drupal\Core\Link;
        use Drupal\Core\Render\Element;
        use Drupal\Core\Render\Markup;
        use Drupal\Core\Template\Attribute;
        use Drupal\Core\Url;
        ......@@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) {
        }
        // Localize the theme description.
        $current_theme['description'] = t($theme->info['description']);
        $current_theme['description'] = Markup::create(Xss::filterAdmin(t($theme->info['description'])));
        $current_theme['attributes'] = new Attribute();
        $current_theme['name'] = $theme->info['name'];
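Review bot: `$current_theme['description']` now holds a Markup object that Twig autoescape will pass through untouched, while `$current_theme['name']` on the next context line stays a plain string and is escaped at output; the asymmetry appears intentional (descriptions may carry admin-authored HTML) but nothing in the code says so. A comment like `// Descriptions may contain HTML, so filter with the admin tag list and mark the result safe; the name stays a plain string and is escaped by Twig.` would document the contract. Since `Xss::filterAdmin()` still permits a broad tag set, this neutralises script-type content in the description rather than stripping all markup, which matches what the new test asserts. template_preprocess_system_themes_page() continues outside the hunk.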
        name: <script>alert('Evil module name');</script>
        type: module
        description: <script>alert('Evil module desc');</script>
        package: Testing
        version: VERSION
        <?php
        declare(strict_types=1);
        namespace Drupal\Tests\system\Functional;
        use Drupal\Tests\BrowserTestBase;
        /**
        * Tests module and theme pages do not have XSS vulnerabilities.
        *
        * @group system
        */
        class ModuleThemePageXssVulnerabilityTest extends BrowserTestBase {
        /**
        * {@inheritdoc}
        */
        protected static $modules = ['system'];
        /**
        * {@inheritdoc}
        */
        protected $defaultTheme = 'stark';
        /**
        * {@inheritdoc}
        */
        protected function setUp(): void {
        parent::setUp();
        $admin = $this->drupalCreateUser([
        'administer modules',
        'administer themes',
        ]);
        $this->drupalLogin($admin);
        }
        /**
        * Tests extension info cannot create XSS vulnerabilities.
        */
        public function testExtensionInfoXss(): void {
        $this->drupalGet("admin/modules");
        $this->assertSession()->pageTextContains("alert('Evil module name');");
        $this->assertSession()->pageTextContains("alert('Evil module desc');");
        $this->assertSession()->responseNotContains("<script>alert(");
        $this->drupalGet("admin/appearance");
        $this->assertSession()->pageTextContains("alert('Evil theme name');");
        $this->assertSession()->pageTextContains("alert('Evil theme desc');");
        $this->assertSession()->responseNotContains("<script>alert(");
        }
        }
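Review bot: Nothing in the test explains how the fixture module and theme with script-tag names reach admin/modules and admin/appearance — `$modules` lists only `system` and neither fixture is installed — so a reader has to infer that the test environment's extension discovery picks them up from the test directories. A comment on testExtensionInfoXss() along the lines of `// The fixture module and theme are discovered from the test extension directories without being installed, so both listings render their names and descriptions.` would make that explicit (presumably that is the mechanism; worth confirming). Only the `<script>` payload is exercised by `responseNotContains("<script>alert(")`; the fixture strings could be extended to cover other markup the admin filter is expected to remove, so the test pins the filter rather than one tag. `"admin/modules"` and `"admin/appearance"` use double quotes where core otherwise uses single quotes for non-interpolated strings.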
        name: <script>alert('Evil theme name');</script>
        type: theme
        description: <script>alert('Evil theme desc');</script>
        version: VERSION
        base theme: false