From c05668e747ab36e055dee6b138bbd6498b4d808e Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Fri, 18 Jul 2014 08:51:59 +0100
Subject: [PATCH] Issue #2304965 by longwave | klausi: Fixed Port
 form_select_options() XSS fix from SA-CORE-2014-003.

---
 core/includes/form.inc                                | 2 +-
 core/modules/options/src/Tests/OptionsWidgetsTest.php | 2 ++
 core/modules/options/tests/options_test.module        | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/core/includes/form.inc b/core/includes/form.inc
index acb81e866106..649a8a1ae129 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -888,7 +888,7 @@ function form_select_options($element, $choices = NULL) {
   $options = '';
   foreach ($choices as $key => $choice) {
     if (is_array($choice)) {
-      $options .= '<optgroup label="' . $key . '">';
+      $options .= '<optgroup label="' . String::checkPlain($key) . '">';
       $options .= form_select_options($element, $choice);
       $options .= '</optgroup>';
     }
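Review bot: The escaped `$key` on the new `<optgroup label=…>` line carries no comment recording why it needs escaping, so a later refactor could drop it as redundant; add `// Optgroup keys can originate from user-supplied allowed values; escape for the attribute context (SA-CORE-2014-003).` above the concatenation. `String::checkPlain` uses ENT_QUOTES-style escaping, so the double quote that would otherwise close the `label` attribute is covered, assuming `use Drupal\Component\Utility\String;` is already present at the top of form.inc (not visible in this hunk). The `else` branch that renders the individual `<option>` text, and the rest of form_select_options(), lie outside the hunk; the test hunks assert that option text is escaped, but that branch should be confirmed to use the same helper.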
diff --git a/core/modules/options/src/Tests/OptionsWidgetsTest.php b/core/modules/options/src/Tests/OptionsWidgetsTest.php
index d124840ce597..4f809fcaa9fa 100644
--- a/core/modules/options/src/Tests/OptionsWidgetsTest.php
+++ b/core/modules/options/src/Tests/OptionsWidgetsTest.php
@@ -317,6 +317,7 @@ function testSelectListSingle() {
     $this->assertNoOptionSelected('edit-card-1', 1);
     $this->assertNoOptionSelected('edit-card-1', 2);
     $this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
     $this->assertRaw('Group 1', 'Option groups are displayed.');
 
     // Submit form: select first option.
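Review bot: The added `assertRaw` on the escaped group label proves the escaped form is present but not that the unescaped form is absent, so a regression that emitted the label twice (once escaped, once raw) would still pass. Pair it with a negative assertion on the exact attribute the fix protects: `$this->assertNoRaw('<optgroup label="More <script>dangerous</script> markup">', 'Unescaped option group label is absent.');`. The same pairing would strengthen the existing option-text assertion on the line above it.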
@@ -437,6 +438,7 @@ function testSelectListMultiple() {
     $this->assertNoOptionSelected('edit-card-2', 1);
     $this->assertNoOptionSelected('edit-card-2', 2);
     $this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
     $this->assertRaw('Group 1', 'Option groups are displayed.');
 
     // Submit form: select first option.
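Review bot: As in testSelectListSingle(), the new `assertRaw` only checks that the escaped label appears somewhere in the page and does not fail if the raw `<optgroup label="More <script>…">` is also rendered. Add `$this->assertNoRaw('<optgroup label="More <script>dangerous</script> markup">', 'Unescaped option group label is absent.');` after it so the multiple-select path is pinned to the same negative condition.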
diff --git a/core/modules/options/tests/options_test.module b/core/modules/options/tests/options_test.module
index 1416fa0e6ca9..bfd4315d48ba 100644
--- a/core/modules/options/tests/options_test.module
+++ b/core/modules/options/tests/options_test.module
@@ -20,6 +20,9 @@ function options_test_allowed_values_callback(FieldDefinitionInterface $field_de
     'Group 2' => array(
       2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>',
     ),
+    'More <script>dangerous</script> markup' => array(
+      3 => 'Three',
+    ),
   );
 
   return $values;
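Review bot: The new fixture key exercises `<` and `>`, but the character that actually breaks out of the `label="…"` attribute the fix guards is the double quote, and neither `"` nor `&` appears in it, so an escaper that handled only angle brackets would still pass. Consider widening the key, e.g. `'More <script>dangerous</script> "quoted" & markup' => array(`, and updating the two `assertRaw` expectations in OptionsWidgetsTest.php to the corresponding escaped string (`&quot;` and `&amp;`). The enclosing options_test_allowed_values_callback() starts before this hunk; I am assuming the `$values` array is not filtered elsewhere before reaching form_select_options(), which the test results would confirm.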
-- 
GitLab