Commit c05668e7 authored by alexpott's avatar alexpott

Issue #2304965 by longwave | klausi: Fixed Port form_select_options() XSS fix...

Issue #2304965 by longwave | klausi: Fixed Port form_select_options() XSS fix from SA-CORE-2014-003.
parent 4ac137de
......@@ -888,7 +888,7 @@ function form_select_options($element, $choices = NULL) {
$options = '';
foreach ($choices as $key => $choice) {
if (is_array($choice)) {
$options .= '<optgroup label="' . $key . '">';
$options .= '<optgroup label="' . String::checkPlain($key) . '">';
$options .= form_select_options($element, $choice);
$options .= '</optgroup>';
}
......
......@@ -317,6 +317,7 @@ function testSelectListSingle() {
$this->assertNoOptionSelected('edit-card-1', 1);
$this->assertNoOptionSelected('edit-card-1', 2);
$this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
$this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
$this->assertRaw('Group 1', 'Option groups are displayed.');
// Submit form: select first option.
......@@ -437,6 +438,7 @@ function testSelectListMultiple() {
$this->assertNoOptionSelected('edit-card-2', 1);
$this->assertNoOptionSelected('edit-card-2', 2);
$this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
$this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
$this->assertRaw('Group 1', 'Option groups are displayed.');
// Submit form: select first option.
......
......@@ -20,6 +20,9 @@ function options_test_allowed_values_callback(FieldDefinitionInterface $field_de
'Group 2' => array(
2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>',
),
'More <script>dangerous</script> markup' => array(
3 => 'Three',
),
);
return $values;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment