Issue #1892504 by grisendo, tim.plunkett: Fixed XSS in block titles.

core/modules/block/lib/Drupal/block/BlockRenderController.php

@@ -53,7 +53,7 @@ protected function getBuildDefaults(EntityInterface $entity, $view_mode, $langco
         'id' => $entity->get('plugin'),
         'region' => $entity->get('region'),
         'module' => $entity->get('module'),
-        'subject' => $entity->label(),
+        'subject' => check_plain($entity->label()),
       ),
     );
   }

core/modules/block/lib/Drupal/block/Plugin/system/plugin_ui/BlockPluginUI.php

@@ -141,7 +141,7 @@ public function row($display_plugin_id, array $display_plugin_definition) {
     $plugin_definition = $this->getDefinition();
     list($plugin, $theme) = explode(':', $this->getPluginId());
     $row = array();
-    $row[] = $display_plugin_definition['subject'];
+    $row[] = check_plain($display_plugin_definition['subject']);
     $row[] = array('data' => array(
       '#type' => 'operations',
       '#links' => array(

core/modules/block/lib/Drupal/block/Tests/BlockTitleXSSTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\block\Tests\BlockTitleXSSTest.
+ */
+
+namespace Drupal\block\Tests;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests block XSS in title.
+ */
+class BlockTitleXSSTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = array('block', 'block_test');
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Block XSS Title',
+      'description' => 'Test block XSS in title.',
+      'group' => 'Block',
+    );
+  }
+
+  protected function setUp() {
+    parent::setUp();
+
+    $this->drupalPlaceBlock('test_xss_title', array(
+      'label' => '<script>alert("XSS label");</script>',
+      'machine_name' => 'test_xss_block',
+    ));
+  }
+
+  /**
+   * Test XSS in title.
+   */
+  function testXSSInTitle() {
+    state()->set('block_test.content', $this->randomName());
+    $this->drupalGet('');
+    $this->assertNoRaw('<script>alert("XSS label");</script>', 'The block title was properly sanitized when rendered.');
+
+    $this->drupalLogin($this->drupalCreateUser(array('administer blocks', 'access administration pages')));
+    $default_theme = variable_get('theme_default', 'stark');
+    $this->drupalGet('admin/structure/block/list/block_plugin_ui:' . $default_theme . '/add');
+    $this->assertNoRaw("<script>alert('XSS subject');</script>", 'The block title was properly sanitized in Block Plugin UI Admin page.');
+  }
+
+}

core/modules/block/tests/lib/Drupal/block_test/Plugin/block/block/TestXSSTitleBlock.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\block_test\Plugin\block\block\TestXSSTitleBlock.
+ */
+
+namespace Drupal\block_test\Plugin\block\block;
+
+use Drupal\Core\Annotation\Plugin;
+
+/**
+ * Provides a block to test XSS in title.
+ *
+ * @Plugin(
+ *   id = "test_xss_title",
+ *   subject = "<script>alert('XSS subject');</script>",
+ *   module = "block_test"
+ * )
+ */
+class TestXSSTitleBlock extends TestCacheBlock {
+
+  /**
+   * Overrides \Drupal\block\BlockBase::settings().
+   *
+   * Sets a different caching strategy for testing purposes.
+   */
+  public function settings() {
+    return array(
+      'cache' => DRUPAL_NO_CACHE,
+    );
+  }
+
+}