Commit f3ed9812 authored by alexpott's avatar alexpott
Browse files

Issue #2503963 by Wim Leers, dawehner, nlisgo, mlhess, xjm, effulgentsia, JvE:...

Issue #2503963 by Wim Leers, dawehner, nlisgo, mlhess, xjm, effulgentsia, JvE: XSS in Quick Edit: entity title is not safely encoded
parent d5669ee1
......@@ -176,7 +176,6 @@ public function testMetadata() {
'access' => TRUE,
'label' => 'Long text field',
'editor' => 'editor',
'aria' => 'Entity entity_test 1, field Long text field',
'custom' => array(
'format' => 'full_html',
'formatHasTransformations' => FALSE,
......
......@@ -59,7 +59,8 @@
* The corresponding HTML.
*/
Drupal.theme.quickeditEntityToolbarLabel = function (settings) {
return '<span class="field">' + settings.fieldLabel + '</span>' + settings.entityLabel;
// @todo Add XSS regression test coverage in https://www.drupal.org/node/2547437
return '<span class="field">' + Drupal.checkPlain(settings.fieldLabel) + '</span>' + Drupal.checkPlain(settings.entityLabel);
};
/**
......
......@@ -454,7 +454,8 @@
});
}
else {
label = entityLabel;
// @todo Add XSS regression test coverage in https://www.drupal.org/node/2547437
label = Drupal.checkPlain(entityLabel);
}
this.$el
......
......@@ -89,10 +89,9 @@ public function generateFieldMetadata(FieldItemListInterface $items, $view_mode)
$label = $items->getFieldDefinition()->getLabel();
$editor = $this->editorManager->createInstance($editor_id);
$metadata = array(
'label' => SafeMarkup::checkPlain($label),
'label' => $label,
'access' => TRUE,
'editor' => $editor_id,
'aria' => t('Entity @type @id, field @field', array('@type' => $entity->getEntityTypeId(), '@id' => $entity->id(), '@field' => $label)),
);
$custom_metadata = $editor->getMetadata($items);
if (count($custom_metadata)) {
......
......@@ -107,7 +107,6 @@ public function testSimpleEntityType() {
'access' => TRUE,
'label' => 'Plain text field',
'editor' => 'plain_text',
'aria' => 'Entity entity_test 1, field Plain text field',
);
$this->assertEqual($expected_1, $metadata_1, 'The correct metadata is generated for the first field.');
......@@ -118,7 +117,6 @@ public function testSimpleEntityType() {
'access' => TRUE,
'label' => 'Simple number field',
'editor' => 'form',
'aria' => 'Entity entity_test 1, field Simple number field',
);
$this->assertEqual($expected_2, $metadata_2, 'The correct metadata is generated for the second field.');
}
......@@ -177,7 +175,6 @@ public function testEditorWithCustomMetadata() {
'access' => TRUE,
'label' => 'Rich text field',
'editor' => 'wysiwyg',
'aria' => 'Entity entity_test 1, field Rich text field',
'custom' => array(
'format' => 'full_html'
),
......
......@@ -174,7 +174,6 @@ public function testUserWithPermission() {
'label' => 'Body',
'access' => TRUE,
'editor' => 'form',
'aria' => 'Entity node 1, field Body',
)
);
$this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.');
......@@ -333,7 +332,6 @@ public function testTitleBaseField() {
'label' => 'Title',
'access' => TRUE,
'editor' => 'plain_text',
'aria' => 'Entity node 1, field Title',
)
);
$this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.');
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment