Commit 8ce1c80c authored by Dries's avatar Dries

- Patch #829484 by Berdir, Dave Reid, dereine: uncaught PDO Exception - XSS.

parent 267ebfb7
......@@ -135,7 +135,7 @@ function _drupal_decode_exception($exception) {
* An error message.
*/
function _drupal_render_exception_safe($exception) {
return strtr('%type: %message in %function (line %line of %file).', _drupal_decode_exception($exception));
return check_plain(strtr('%type: %message in %function (line %line of %file).', _drupal_decode_exception($exception)));
}
/**
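Review bot: The return documentation visible at the top of the hunk still reads "An error message", but after this change the value is HTML-escaped by check_plain(), and a caller that escapes it again will double-encode; the docblock should say so, e.g. `*   An HTML-safe (check_plain()-escaped) error message; do not escape it again.` The function name "_safe" now also implies an HTML context, so callers writing to a non-HTML sink (log line, CLI) would get entities — presumably none do here, but worth confirming. One caveat to note in the comment: check_plain() is built on htmlspecialchars(), which in many PHP versions returns an empty string for malformed UTF-8, so an exception message carrying invalid bytes would be rendered as nothing rather than as a safe error; I cannot confirm from this hunk whether _drupal_decode_exception() normalises its inputs first. The enclosing docblock starts before this hunk.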
......
......@@ -303,5 +303,11 @@ function _system_test_second_shutdown_function($arg1, $arg2) {
// Output something, page has already been printed and the session stored
// so we can't use drupal_set_message.
print t('Second shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2));
// Throw an exception with an HTML tag. Since this is called in a shutdown
// function, it will not bubble up to the default exception handler but will
// be catched in _drupal_shutdown_function() and be displayed through
// _drupal_render_exception_safe().
throw new Exception('Drupal is <blink>awesome</blink>.');
}
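Review bot: The new comment has a grammar slip in "will be catched in _drupal_shutdown_function()"; it should read `// be caught in _drupal_shutdown_function() and be displayed through`. The comment's claim about where the exception is intercepted cannot be checked from this hunk and rests on _drupal_shutdown_function() behaving as described; if that helper does not catch, the test would surface an uncaught exception instead of exercising _drupal_render_exception_safe(). The function _system_test_second_shutdown_function() starts before this hunk.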
......@@ -1818,6 +1818,10 @@ class ShutdownFunctionsTest extends DrupalWebTestCase {
$this->drupalGet('system-test/shutdown-functions/' . $arg1 . '/' . $arg2);
$this->assertText(t('First shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2)));
$this->assertText(t('Second shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2)));
// Make sure exceptions displayed through _drupal_render_exception_safe()
// are correctly escaped.
$this->assertText('Drupal is &lt;blink&gt;awesome&lt;/blink&gt;.');
}
}
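Review bot: The new assertion checks only the positive case (the escaped string appears) and not the regression it is guarding against (raw markup appearing in the page); a companion negative assertion makes the XSS intent explicit and would still catch a variant that emits both forms, e.g. `$this->assertNoRaw('<blink>', 'Exception message is not rendered as HTML.');`. As far as I can tell assertText() compares against a tag-stripped copy of the page, so the positive check alone would pass if the escaped text were present alongside unescaped markup. The assertion also carries no message argument, unlike the two assertText() calls above it, so a failure would report only the literal string; adding a short message such as `'Exception rendered by _drupal_render_exception_safe() is escaped.'` keeps the test output consistent.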
......