Commit a9df2baa authored by catch's avatar catch

Issue #1892504 by grisendo, tim.plunkett: Fixed XSS in block titles.

parent f755b694
......@@ -53,7 +53,7 @@ protected function getBuildDefaults(EntityInterface $entity, $view_mode, $langco
'id' => $entity->get('plugin'),
'region' => $entity->get('region'),
'module' => $entity->get('module'),
'subject' => $entity->label(),
'subject' => check_plain($entity->label()),
),
);
}
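Review bot: The new `check_plain()` on the `'subject'` line carries no comment saying why the label is escaped here rather than where it is printed, and the same applies to the `$row[]` cell in the `row()` hunk below. Without that, a later reader who sees an already-escaped subject downstream may either escape it again or remove this call as redundant. A one-liner such as `// The label is user-entered block configuration and is printed as-is by the block output; escape it at build time.` would pin the contract; that the subject was printed unescaped before this change is inferred from the commit message rather than visible in the hunk. The enclosing getBuildDefaults() begins before this hunk, and row() continues past its hunk.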
......@@ -141,7 +141,7 @@ public function row($display_plugin_id, array $display_plugin_definition) {
$plugin_definition = $this->getDefinition();
list($plugin, $theme) = explode(':', $this->getPluginId());
$row = array();
$row[] = $display_plugin_definition['subject'];
$row[] = check_plain($display_plugin_definition['subject']);
$row[] = array('data' => array(
'#type' => 'operations',
'#links' => array(
<?php
/**
* @file
* Contains \Drupal\block\Tests\BlockTitleXSSTest.
*/
namespace Drupal\block\Tests;
use Drupal\simpletest\WebTestBase;
/**
* Tests block XSS in title.
*/
class BlockTitleXSSTest extends WebTestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = array('block', 'block_test');
public static function getInfo() {
return array(
'name' => 'Block XSS Title',
'description' => 'Test block XSS in title.',
'group' => 'Block',
);
}
protected function setUp() {
parent::setUp();
$this->drupalPlaceBlock('test_xss_title', array(
'label' => '<script>alert("XSS label");</script>',
'machine_name' => 'test_xss_block',
));
}
/**
* Test XSS in title.
*/
function testXSSInTitle() {
state()->set('block_test.content', $this->randomName());
$this->drupalGet('');
$this->assertNoRaw('<script>alert("XSS label");</script>', 'The block title was properly sanitized when rendered.');
$this->drupalLogin($this->drupalCreateUser(array('administer blocks', 'access administration pages')));
$default_theme = variable_get('theme_default', 'stark');
$this->drupalGet('admin/structure/block/list/block_plugin_ui:' . $default_theme . '/add');
$this->assertNoRaw("<script>alert('XSS subject');</script>", 'The block title was properly sanitized in Block Plugin UI Admin page.');
}
}
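Review bot: The two `assertNoRaw()` calls in testXSSInTitle() only prove the raw `<script>` markup is absent, so the test would also pass if the title were dropped entirely or the block did not render at all. Add a positive check that the escaped form is present, e.g. `$this->assertRaw(check_plain('<script>alert("XSS label");</script>'), 'The escaped block title is rendered.');` after the first assertion, and the analogous `check_plain("<script>alert('XSS subject');</script>")` check on the plugin UI page, provided nothing downstream re-encodes the subject. `testXSSInTitle()` also lacks a visibility keyword; `public function testXSSInTitle()` matches the other methods in the class.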
<?php
/**
* @file
* Contains \Drupal\block_test\Plugin\block\block\TestXSSTitleBlock.
*/
namespace Drupal\block_test\Plugin\block\block;
use Drupal\Core\Annotation\Plugin;
/**
* Provides a block to test XSS in title.
*
* @Plugin(
* id = "test_xss_title",
* subject = "<script>alert('XSS subject');</script>",
* module = "block_test"
* )
*/
class TestXSSTitleBlock extends TestCacheBlock {
/**
* Overrides \Drupal\block\BlockBase::settings().
*
* Sets a different caching strategy for testing purposes.
*/
public function settings() {
return array(
'cache' => DRUPAL_NO_CACHE,
);
}
}
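Review bot: The docblock on `settings()` says it "sets a different caching strategy for testing purposes" but not why this fixture needs `DRUPAL_NO_CACHE`; presumably it is so each request in the test re-renders the block instead of serving a cached title, which matters because the test changes `block_test.content` between requests. If that is the reason, say it, e.g. replace the second sentence with `* Disables block caching so every request renders the title afresh.`; if not, the actual reason belongs there instead.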