Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
D
drupal
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Locked Files
Custom Issue Tracker
Custom Issue Tracker
Labels
Merge Requests
220
Merge Requests
220
Requirements
Requirements
List
Security & Compliance
Security & Compliance
Dependency List
License Compliance
Analytics
Analytics
Code Review
Insights
Issue
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Commits
Open sidebar
project
drupal
Commits
da31660e
Commit
da31660e
authored
Jan 23, 2013
by
webchick
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Issue
#1892640
by grisendo, larowlan: Fixed XSS in date formats admin page .
parent
3b9b9177
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
15 additions
and
1 deletion
+15
-1
core/includes/common.inc
core/includes/common.inc
+1
-1
core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
...es/system/lib/Drupal/system/Tests/System/DateTimeTest.php
+14
-0
No files found.
core/includes/common.inc
View file @
da31660e
...
...
@@ -1898,7 +1898,7 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
'langcode'
=>
$langcode
,
'format_string_type'
=>
$key
,
);
return
$date
->
format
(
$format
,
$settings
);
return
filter_xss_admin
(
$date
->
format
(
$format
,
$settings
)
);
}
/**
...
...
core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
View file @
da31660e
...
...
@@ -141,4 +141,18 @@ function testDateFormatStorage() {
$format
=
config
(
'locale.config.en.system.date'
)
->
get
(
'formats.test_short_en.pattern.php'
);
$this
->
assertEqual
(
'dmYHis'
,
$format
,
'Localized date format resides in localized config.'
);
}
/**
* Test that date formats are sanitized.
*/
function
testDateFormatXSS
()
{
$date_format_info
=
array
(
'name'
=>
'XSS format'
,
'pattern'
=>
array
(
'php'
=>
'\<\s\c\r\i\p\t\>\a\l\e\r\t\(\'\X\S\S\'\)\;\<\/\s\c\r\i\p\t\>'
),
);
system_date_format_save
(
'xss_short'
,
$date_format_info
);
$this
->
drupalGet
(
'admin/config/regional/date-time'
);
$this
->
assertNoRaw
(
"<script>alert('XSS');</script>"
,
'The date format was properly sanitized'
);
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment