Commit
a9df2baa
authored
Jan 28, 2013
by
Nathaniel Catchpole
Issue
#1892504
by grisendo, tim.plunkett: Fixed XSS in block titles.
parent
f755b694
Changes
4
core/modules/block/lib/Drupal/block/BlockRenderController.php
@@ -53,7 +53,7 @@ protected function getBuildDefaults(EntityInterface $entity, $view_mode, $langco
'id'
=>
$entity
->
get
(
'plugin'
),
'region'
=>
$entity
->
get
(
'region'
),
'module'
=>
$entity
->
get
(
'module'
),
'subject'
=>
$entity
->
label
(),
'subject'
=>
check_plain
(
$entity
->
label
()
)
,
),
);
}
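Review bot: The new `'subject' => check_plain($entity->label())` line escapes the label at build time, so whatever prints `#subject` downstream must treat it as already-safe HTML and not escape it again, or the title will double-encode. A comment on the line would make that contract visible to the next maintainer: `// The label is administrator-supplied; escape it here so templates may print #subject as-is.` The enclosing getBuildDefaults() begins before the hunk.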
core/modules/block/lib/Drupal/block/Plugin/system/plugin_ui/BlockPluginUI.php
@@ -141,7 +141,7 @@ public function row($display_plugin_id, array $display_plugin_definition) {
$plugin_definition
=
$this
->
getDefinition
();
list
(
$plugin
,
$theme
)
=
explode
(
':'
,
$this
->
getPluginId
());
$row
=
array
();
$row
[]
=
$display_plugin_definition
[
'subject'
];
$row
[]
=
check_plain
(
$display_plugin_definition
[
'subject'
]
)
;
$row
[]
=
array
(
'data'
=>
array
(
'#type'
=>
'operations'
,
'#links'
=>
array
(
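Review bot: `check_plain($display_plugin_definition['subject'])` reads the key without checking that it exists, so a plugin definition that omits `subject` raises an undefined-index notice before the escape runs (the replaced line had the same read, so this is pre-existing rather than introduced here). A guarded form keeps the fix and covers that case: `$row[] = check_plain(isset($display_plugin_definition['subject']) ? $display_plugin_definition['subject'] : '');`. A why-comment is also worth adding, since the subject does not originate in this class but in the plugin definition (the fixture in this commit supplies it through a `@Plugin` annotation): `// The subject comes from the plugin definition, not from this class; escape it before display.` row() continues past the end of the hunk.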
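--- /dev/null
+++ b/core/modules/block/lib/Drupal/block/Tests/BlockTitleXSSTest.php
+<?php
+/**
+ * @file
+ * Contains \Drupal\block\Tests\BlockTitleXSSTest.
+ */
+namespace Drupal\block\Tests;
+use Drupal\simpletest\WebTestBase;
+/**
+ * Tests block XSS in title.
+ */
+class BlockTitleXSSTest extends WebTestBase {
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = array('block', 'block_test');
+  public static function getInfo() {
+    return array(
+      'name' => 'Block XSS Title',
+      'description' => 'Test block XSS in title.',
+      'group' => 'Block',
+    );
+  }
+  protected function setUp() {
+    parent::setUp();
+    $this->drupalPlaceBlock('test_xss_title', array(
+      'label' => '<script>alert("XSS label");</script>',
+      'machine_name' => 'test_xss_block',
+    ));
+  }
+  /**
+   * Test XSS in title.
+   */
+  function testXSSInTitle() {
+    state()->set('block_test.content', $this->randomName());
+    $this->drupalGet('');
+    $this->assertNoRaw('<script>alert("XSS label");</script>', 'The block title was properly sanitized when rendered.');
+    $this->drupalLogin($this->drupalCreateUser(array('administer blocks', 'access administration pages')));
+    $default_theme = variable_get('theme_default', 'stark');
+    $this->drupalGet('admin/structure/block/list/block_plugin_ui:' . $default_theme . '/add');
+    $this->assertNoRaw("<script>alert('XSS subject');</script>", 'The block title was properly sanitized in Block Plugin UI Admin page.');
+  }
+}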
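Review bot: Both assertNoRaw() checks in testXSSInTitle() would also pass if the block or the plugin row simply failed to render, so the test shows the raw markup is absent but not that the title was escaped rather than dropped. Pair each with a positive check for the escaped form, e.g. `$this->assertRaw(check_plain('<script>alert("XSS label");</script>'), 'The escaped block title is rendered.');` after the front-page request and `$this->assertRaw(check_plain("<script>alert('XSS subject');</script>"), 'The escaped subject is shown in the plugin UI.');` after the add-page request. The `state()->set('block_test.content', ...)` call also deserves a one-line comment saying what it is for, since nothing in this file reads it — presumably the block_test module uses it for the block body; confirm against that module.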
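--- /dev/null
+++ b/core/modules/block/tests/lib/Drupal/block_test/Plugin/block/block/TestXSSTitleBlock.php
+<?php
+/**
+ * @file
+ * Contains \Drupal\block_test\Plugin\block\block\TestXSSTitleBlock.
+ */
+namespace Drupal\block_test\Plugin\block\block;
+use Drupal\Core\Annotation\Plugin;
+/**
+ * Provides a block to test XSS in title.
+ *
+ * @Plugin(
+ *   id = "test_xss_title",
+ *   subject = "<script>alert('XSS subject');</script>",
+ *   module = "block_test"
+ * )
+ */
+class TestXSSTitleBlock extends TestCacheBlock {
+  /**
+   * Overrides \Drupal\block\BlockBase::settings().
+   *
+   * Sets a different caching strategy for testing purposes.
+   */
+  public function settings() {
+    return array(
+      'cache' => DRUPAL_NO_CACHE,
+    );
+  }
+}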
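Review bot: The settings() docblock says it overrides \Drupal\block\BlockBase::settings(), but the class extends TestCacheBlock, which is not shown in this commit and may itself define settings(); the reference should name the nearest parent actually overridden — confirm against TestCacheBlock. The docblock also states a "different caching strategy" without the reason, and the reason is what a reader needs: `// Disable block caching so each request renders the title afresh and the test sees the live output.` (presumed from the DRUPAL_NO_CACHE value; verify that the test depends on it).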