Commit da31660e authored by webchick's avatar webchick

Issue #1892640 by grisendo, larowlan: Fixed XSS in date formats admin page .

parent 3b9b9177
......@@ -1898,7 +1898,7 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
'langcode' => $langcode,
'format_string_type' => $key,
);
return $date->format($format, $settings);
return filter_xss_admin($date->format($format, $settings));
}
/**
......
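Review bot: Wrapping the return of `format_date()` in `filter_xss_admin()` sanitises at the formatting layer rather than at the point where the pattern output reaches HTML, so every caller now gets a different return value: a pattern that emits a bare `&` or `<` comes back entity-encoded, and any caller that already runs the result through `check_plain()` will double-encode it. The narrower fix is to escape in the date-formats admin listing that renders the pattern output, with `check_plain()`, which is also stricter than the admin tag whitelist `filter_xss_admin()` leaves in place. If the sanitiser is kept here, the function's docblock (outside this hunk) should state the new contract, e.g. `@return A formatted date string already passed through filter_xss_admin(); do not escape it again.` The body of `format_date()` starts outside the hunk, so I could not confirm no other return path is left unsanitised.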
......@@ -141,4 +141,18 @@ function testDateFormatStorage() {
$format = config('locale.config.en.system.date')->get('formats.test_short_en.pattern.php');
$this->assertEqual('dmYHis', $format, 'Localized date format resides in localized config.');
}
/**
* Test that date formats are sanitized.
*/
function testDateFormatXSS() {
$date_format_info = array(
'name' => 'XSS format',
'pattern' => array('php' => '\<\s\c\r\i\p\t\>\a\l\e\r\t\(\'\X\S\S\'\)\;\<\/\s\c\r\i\p\t\>'),
);
system_date_format_save('xss_short', $date_format_info);
$this->drupalGet('admin/config/regional/date-time');
$this->assertNoRaw("<script>alert('XSS');</script>", 'The date format was properly sanitized');
}
}
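Review bot: `testDateFormatXSS()` only asserts that the raw script tag is absent, which would also pass if the new format were never listed at all (for example if the logged-in user lacks access to `admin/config/regional/date-time`, which is set up outside this hunk); a positive assertion is needed to show the page actually rendered the format. After the `drupalGet()` I would add `$this->assertResponse(200);` and `$this->assertText('XSS format', 'The new date format is listed, so the sanitisation check is exercised.');`, assuming the listing shows the format name. The second assertion message could also say what is expected of the output, e.g. `'The date format output was sanitized before rendering.'`.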