Verified Commit 9a572693 authored by Alex Pott's avatar Alex Pott

Issue #637538 by pooja_sharma, mr.baileys, AaronBauman, Bhanu951, alexpott,...

Issue #637538 by pooja_sharma, mr.baileys, AaronBauman, Bhanu951, alexpott, rteijeiro, greggles, pwolanin, meba, Nikhil_110, smustgrave, quietone, casey, naveenvalecha, sime, humansky, dawehner: Module and theme names are not filtered on output

(cherry picked from commit 4c82b7ea)
parent 387e4e94
        ...@@ -17,10 +17,12 @@ ...@@ -17,10 +17,12 @@
        use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface;
        use Drupal\Core\Link; use Drupal\Core\Link;
        use Drupal\Core\Render\Element; use Drupal\Core\Render\Element;
        use Drupal\Core\Render\Markup;
        use Drupal\Core\Session\AccountInterface; use Drupal\Core\Session\AccountInterface;
        use Drupal\user\PermissionHandlerInterface; use Drupal\user\PermissionHandlerInterface;
        use Drupal\Core\Url; use Drupal\Core\Url;
        use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\DependencyInjection\ContainerInterface;
        use Drupal\Component\Utility\Xss;
        /** /**
        * Provides module installation interface. * Provides module installation interface.
        ...@@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { ...@@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
        foreach (Element::children($form['modules']) as $package) { foreach (Element::children($form['modules']) as $package) {
        $form['modules'][$package] += [ $form['modules'][$package] += [
        '#type' => 'details', '#type' => 'details',
        '#title' => $this->t($package), '#title' => Markup::create(Xss::filterAdmin($this->t($package))),
        '#open' => TRUE, '#open' => TRUE,
        '#theme' => 'system_modules_details', '#theme' => 'system_modules_details',
        '#attributes' => ['class' => ['package-listing']], '#attributes' => ['class' => ['package-listing']],
        ...@@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) { ...@@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) {
        ]) ])
        )->toString(); )->toString();
        } }
        $row['description']['#markup'] = $this->t($module->info['description']); $row['description']['#markup'] = (string) $this->t($module->info['description']);
        $row['version']['#markup'] = $module->info['version']; $row['version']['#markup'] = $module->info['version'];
        // Generate link for module's help page. Assume that if a hook_help() // Generate link for module's help page. Assume that if a hook_help()
        ......
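Review bot: The `(string)` cast on the description line, `$row['description']['#markup'] = (string) $this->t($module->info['description']);`, reads as a no-op and is likely to be dropped by a future cleanup, because a TranslatableMarkup already stringifies in string context; as far as I can tell it matters only because the renderer runs a `#markup` value through `Xss::filterAdmin()` when that value is a plain string rather than an object it already treats as safe, so the cast is what switches filtering back on. A why-comment on that line would protect the fix, e.g. `// Cast to string so the renderer filters #markup with Xss::filterAdmin(); a TranslatableMarkup object would be rendered as already-safe.` The package title two hunks up takes the explicit route instead (`Markup::create(Xss::filterAdmin(...))`), as does the theme description in the system.admin.inc section below, and a one-line comment at each naming why `#title` and a preprocess variable cannot rely on the renderer's `#markup` filtering would stop the two approaches from looking inconsistent. Both buildForm() and buildRow() begin and end outside the hunks shown.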
        ...@@ -6,8 +6,10 @@ ...@@ -6,8 +6,10 @@
        */ */
        use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Html;
        use Drupal\Component\Utility\Xss;
        use Drupal\Core\Link; use Drupal\Core\Link;
        use Drupal\Core\Render\Element; use Drupal\Core\Render\Element;
        use Drupal\Core\Render\Markup;
        use Drupal\Core\Template\Attribute; use Drupal\Core\Template\Attribute;
        use Drupal\Core\Url; use Drupal\Core\Url;
        ...@@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) { ...@@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) {
        } }
        // Localize the theme description. // Localize the theme description.
        $current_theme['description'] = t($theme->info['description']); $current_theme['description'] = Markup::create(Xss::filterAdmin(t($theme->info['description'])));
        $current_theme['attributes'] = new Attribute(); $current_theme['attributes'] = new Attribute();
        $current_theme['name'] = $theme->info['name']; $current_theme['name'] = $theme->info['name'];
        ......
        name: <script>alert('Evil module name');</script>
        type: module
        description: <script>alert('Evil module desc');</script>
        package: Testing
        version: VERSION
        <?php
        declare(strict_types=1);
        namespace Drupal\Tests\system\Functional;
        use Drupal\Tests\BrowserTestBase;
        /**
        * Tests module and theme pages do not have XSS vulnerabilities.
        *
        * @group system
        */
        class ModuleThemePageXssVulnerabilityTest extends BrowserTestBase {
        /**
        * {@inheritdoc}
        */
        protected static $modules = ['system'];
        /**
        * {@inheritdoc}
        */
        protected $defaultTheme = 'stark';
        /**
        * {@inheritdoc}
        */
        protected function setUp(): void {
        parent::setUp();
        $admin = $this->drupalCreateUser([
        'administer modules',
        'administer themes',
        ]);
        $this->drupalLogin($admin);
        }
        /**
        * Tests extension info cannot create XSS vulnerabilities.
        */
        public function testExtensionInfoXss(): void {
        $this->drupalGet("admin/modules");
        $this->assertSession()->pageTextContains("alert('Evil module name');");
        $this->assertSession()->pageTextContains("alert('Evil module desc');");
        $this->assertSession()->responseNotContains("<script>alert(");
        $this->drupalGet("admin/appearance");
        $this->assertSession()->pageTextContains("alert('Evil theme name');");
        $this->assertSession()->pageTextContains("alert('Evil theme desc');");
        $this->assertSession()->responseNotContains("<script>alert(");
        }
        }
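Review bot: The module fixture declares `package: Testing`, so the one hunk that filters the package name (the `#title` change in ModulesListForm::buildForm()) is not exercised by testExtensionInfoXss(); unless another fixture not shown on this page sets a hostile package, the test would still pass with that hunk reverted. Giving the fixture a package value built the same way as its name and description (constructed example: `package: <script>alert('Evil module package');</script>`) and adding `$this->assertSession()->pageTextContains("alert('Evil module package');");` next to the existing module assertions would pin that path, assuming the form builder tolerates such a string as the package key. The `responseNotContains("<script>alert(")` checks are a sensible complement since the filtered title strips the tag entirely rather than escaping it, so the paired pageTextContains() is what confirms the text survived.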
        name: <script>alert('Evil theme name');</script>
        type: theme
        description: <script>alert('Evil theme desc');</script>
        version: VERSION
        base theme: false