From da31660e31ed88f935f577f922728a1341c9a7f5 Mon Sep 17 00:00:00 2001
From: webchick <webchick@24967.no-reply.drupal.org>
Date: Wed, 23 Jan 2013 19:52:16 -0800
Subject: [PATCH] Issue #1892640 by grisendo, larowlan: Fixed XSS in date
 formats admin page.

---
 core/includes/common.inc                           |  2 +-
 .../Drupal/system/Tests/System/DateTimeTest.php    | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/core/includes/common.inc b/core/includes/common.inc
index e22307a2c8b7..f3d8f2c64e2c 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -1898,7 +1898,7 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
     'langcode' => $langcode,
     'format_string_type' => $key,
   );
-  return $date->format($format, $settings);
+  return filter_xss_admin($date->format($format, $settings));
 }
 
 /**
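Review bot: The wrapper added at L21 fixes the reported admin-page case by changing the contract of format_date() for every caller, because filter_xss_admin() is, as far as I can tell, an HTML allow-list filter rather than a plain-text escaper: it entity-encodes stray `&`/`>` and strips disallowed tags, so the function now returns HTML-filtered text where it previously returned plain text. Callers that emit the date in a non-HTML context (mail bodies, attribute values, JSON) or that already pass the result through check_plain() can now double-encode a format containing a literal `&`, while a format built from admin-allowed tags such as `<a>` or `<img>` still passes through, so this is sanitisation at the wrong layer. The narrower fix is to escape the pattern where it is rendered on the date-formats admin page; if the function-level filter is kept, its docblock should state the new contract, e.g. `@return string The formatted date, passed through filter_xss_admin(); callers must not escape it again.` format_date()'s signature and the rest of its body are outside the hunk.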
diff --git a/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php b/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
index 7a0f5c0ecddb..dd462d5c438b 100644
--- a/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
@@ -141,4 +141,18 @@ function testDateFormatStorage() {
     $format = config('locale.config.en.system.date')->get('formats.test_short_en.pattern.php');
     $this->assertEqual('dmYHis', $format, 'Localized date format resides in localized config.');
   }
+
+  /**
+   * Test that date formats are sanitized.
+   */
+  function testDateFormatXSS() {
+    $date_format_info = array(
+      'name' => 'XSS format',
+      'pattern' => array('php' => '\<\s\c\r\i\p\t\>\a\l\e\r\t\(\'\X\S\S\'\)\;\<\/\s\c\r\i\p\t\>'),
+    );
+    system_date_format_save('xss_short', $date_format_info);
+
+    $this->drupalGet('admin/config/regional/date-time');
+    $this->assertNoRaw("<script>alert('XSS');</script>", 'The date format was properly sanitized');
+  }
 }
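Review bot: The new testDateFormatXSS() asserts only the absence of the raw `<script>` tag, so it also passes when the format is never rendered at all — if system_date_format_save() rejects the pattern, the test user lacks access to admin/config/regional/date-time, or the page errors out. Pair the negative check with a positive one that proves the listing was rendered with this format, e.g. `$this->assertResponse(200);` and `$this->assertText('XSS format', 'The new format is listed on the page.');`, and, since filter_xss_admin() presumably strips the disallowed tag but keeps its inner text, `$this->assertRaw("alert('XSS');", 'The pattern reached the page with the tag removed.');` would pin that the pattern itself was output sanitized rather than dropped. The payload also covers only a disallowed tag; a second pattern using an admin-allowed tag carrying an event attribute (an `<img>` with `onerror`, each character backslash-escaped like L40) would check that attribute stripping holds for tags the admin whitelist lets through. Whether setUp() logs in a user with permission to view this page is outside the hunk.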
-- 
GitLab