Commit ee74fc61 authored by webchick's avatar webchick

Issue #2446995 by tim.plunkett, Berdir: Block content titles are not escaped...

Issue #2446995 by tim.plunkett, Berdir: Block content titles are not escaped on new block form (Port SA-CONTRIB-2013-082)
parent 11fc96c2
......@@ -8,6 +8,7 @@
namespace Drupal\Core\Block;
use Drupal\block\BlockInterface;
use Drupal\Component\Utility\String;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Cache\CacheContexts;
use Drupal\Core\Form\FormStateInterface;
......@@ -171,7 +172,7 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
$form['admin_label'] = array(
'#type' => 'item',
'#title' => $this->t('Block description'),
'#markup' => $definition['admin_label'],
'#markup' => String::checkPlain($definition['admin_label']),
);
$form['label'] = array(
'#type' => 'textfield',
......
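Review bot: The `#markup` line now escapes `$definition['admin_label']`, but nothing says why a plugin definition needs escaping here, and the next maintainer may well "simplify" it away; a one-line why-comment above the item would pin it: `// admin_label can originate from user-entered data (e.g. custom block info); escape it before rendering as #markup.`. Where `$definition` is assigned is outside the hunk, so I am assuming it is the plugin definition rather than a value already filtered earlier in buildConfigurationForm. buildConfigurationForm itself starts and ends outside the hunk.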
......@@ -7,6 +7,7 @@
namespace Drupal\block\Tests;
use Drupal\Component\Utility\String;
use Drupal\Core\Form\FormState;
use Drupal\simpletest\KernelTestBase;
use Drupal\block\BlockInterface;
......@@ -75,7 +76,7 @@ public function testBlockInterface() {
'admin_label' => array(
'#type' => 'item',
'#title' => t('Block description'),
'#markup' => $definition['admin_label'],
'#markup' => String::checkPlain($definition['admin_label']),
),
'label' => array(
'#type' => 'textfield',
......
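Review bot: The expected array in testBlockInterface now applies the same `String::checkPlain($definition['admin_label'])` as the implementation, so the comparison only exercises the escaping if the label used by this test actually contains `<`, `>`, `&` or quotes; with a plain-text label the assertion passes with or without the fix. The definition is built outside the hunk, so I cannot tell which it is — if it is plain text, giving the test plugin an admin_label such as `'<b>label</b>'` (constructed example) would make this test fail on a regression rather than relying on BlockXssTest alone. The enclosing testBlockInterface() starts and ends outside the hunk.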
<?php
/**
* @file
* Contains \Drupal\block\Tests\BlockXssTest.
*/
namespace Drupal\block\Tests;
use Drupal\block_content\Entity\BlockContent;
use Drupal\block_content\Entity\BlockContentType;
use Drupal\Core\Url;
use Drupal\simpletest\WebTestBase;
use Drupal\system\Entity\Menu;
use Drupal\views\Entity\View;
/**
* Tests that the block module properly escapes block descriptions.
*
* @group block
*/
class BlockXssTest extends WebTestBase {
/**
* Modules to install.
*
* @var array
*/
public static $modules = ['block', 'block_content', 'menu_ui', 'views'];
/**
* Tests various modules that provide blocks for XSS.
*/
public function testBlockXss() {
$this->drupalLogin($this->rootUser);
$this->doViewTest();
$this->doMenuTest();
$this->doBlockContentTest();
}
/**
* Tests XSS coming from View block labels.
*/
protected function doViewTest() {
$view = View::create([
'id' => $this->randomMachineName(),
'label' => '<script>alert("view");</script>',
]);
$view->addDisplay('block');
$view->save();
$this->drupalGet(Url::fromRoute('block.admin_display'));
$this->clickLink('<script>alert("view");</script>');
$this->assertRaw('&lt;script&gt;alert(&quot;view&quot;);&lt;/script&gt;');
$this->assertNoRaw('<script>alert("view");</script>');
}
/**
* Tests XSS coming from Menu block labels.
*/
protected function doMenuTest() {
Menu::create([
'id' => $this->randomMachineName(),
'label' => '<script>alert("menu");</script>',
])->save();
$this->drupalGet(Url::fromRoute('block.admin_display'));
$this->clickLink('<script>alert("menu");</script>');
$this->assertRaw('&lt;script&gt;alert(&quot;menu&quot;);&lt;/script&gt;');
$this->assertNoRaw('<script>alert("menu");</script>');
}
/**
* Tests XSS coming from Block Content block info.
*/
protected function doBlockContentTest() {
BlockContentType::create([
'id' => 'basic',
'label' => 'basic',
'revision' => TRUE,
])->save();
BlockContent::create([
'type' => 'basic',
'info' => '<script>alert("block_content");</script>',
])->save();
$this->drupalGet(Url::fromRoute('block.admin_display'));
$this->clickLink('<script>alert("block_content");</script>');
$this->assertRaw('&lt;script&gt;alert(&quot;block_content&quot;);&lt;/script&gt;');
$this->assertNoRaw('<script>alert("block_content");</script>');
}
}
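Review bot: doViewTest, doMenuTest and doBlockContentTest each repeat the same drupalGet / clickLink / assertRaw / assertNoRaw sequence with only the label changing, so the escaping expectation lives in three places and a fourth block provider means copying it again. Extracting the sequence into one assertion helper keeps the expected escaped form derived from the raw label in a single spot and leaves each helper with just its fixture setup. The helper docblocks should also say that the assertions are made against the block add form reached via the listing link, since that form's `admin_label` item is what the commit escapes; the listing page itself is only used to navigate. The three helpers also share one logged-in session, so the fixed `'basic'` block type id in doBlockContentTest is fine today but will collide if the test ever runs twice in one install.

```php
  protected function doViewTest() {
    // … unchanged: View::create() / addDisplay('block') / save() …
    $this->assertBlockDescriptionEscaped('<script>alert("view");</script>');
  }

  // … unchanged: doMenuTest / doBlockContentTest, each ending with the same helper call …

  /**
   * Opens the add form for the block with the given description and asserts
   * that the description is rendered escaped and never as raw markup.
   *
   * @param string $label
   *   The raw label stored on the entity that provides the block.
   */
  protected function assertBlockDescriptionEscaped($label) {
    $this->drupalGet(Url::fromRoute('block.admin_display'));
    $this->clickLink($label);
    $this->assertRaw(htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
    $this->assertNoRaw($label);
  }
```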