Commit f3ed9812 authored by alexpott's avatar alexpott

Issue #2503963 by Wim Leers, dawehner, nlisgo, mlhess, xjm, effulgentsia, JvE:...

Issue #2503963 by Wim Leers, dawehner, nlisgo, mlhess, xjm, effulgentsia, JvE: XSS in Quick Edit: entity title is not safely encoded
parent d5669ee1
...@@ -176,7 +176,6 @@ public function testMetadata() { ...@@ -176,7 +176,6 @@ public function testMetadata() {
'access' => TRUE, 'access' => TRUE,
'label' => 'Long text field', 'label' => 'Long text field',
'editor' => 'editor', 'editor' => 'editor',
'aria' => 'Entity entity_test 1, field Long text field',
'custom' => array( 'custom' => array(
'format' => 'full_html', 'format' => 'full_html',
'formatHasTransformations' => FALSE, 'formatHasTransformations' => FALSE,
......
...@@ -59,7 +59,8 @@ ...@@ -59,7 +59,8 @@
* The corresponding HTML. * The corresponding HTML.
*/ */
Drupal.theme.quickeditEntityToolbarLabel = function (settings) { Drupal.theme.quickeditEntityToolbarLabel = function (settings) {
return '<span class="field">' + settings.fieldLabel + '</span>' + settings.entityLabel; // @todo Add XSS regression test coverage in https://www.drupal.org/node/2547437
return '<span class="field">' + Drupal.checkPlain(settings.fieldLabel) + '</span>' + Drupal.checkPlain(settings.entityLabel);
}; };
/** /**
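Review bot: The docblock above this hunk (it starts outside the hunk; only "The corresponding HTML." is visible) should state that settings.fieldLabel and settings.entityLabel are expected as plain text and are HTML-escaped here, because the server side on this same commit now sends 'label' unescaped (SafeMarkup::checkPlain was dropped in generateFieldMetadata), so a caller that pre-escapes would get double-encoded entities. Something like `@param {string} settings.fieldLabel Plain-text field label; escaped by this function, do not pre-escape.` and the same wording for settings.entityLabel makes the contract explicit at the one place where escaping now happens. The `@todo` line on L22 should stay until the regression test it points to lands.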
......
...@@ -454,7 +454,8 @@ ...@@ -454,7 +454,8 @@
}); });
} }
else { else {
label = entityLabel; // @todo Add XSS regression test coverage in https://www.drupal.org/node/2547437
label = Drupal.checkPlain(entityLabel);
} }
this.$el this.$el
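Review bot: Only the else branch is escaped here; the sibling branch that also assigns `label` ends at the `});` / `}` at the top of this hunk and its body is outside the hunk, so I cannot confirm from this view that the value it produces is escaped or already-safe markup, which matters because `label` is then inserted via `this.$el`. If that branch derives its value from the same entityLabel, consider applying `Drupal.checkPlain(entityLabel)` once before the branch so the two paths cannot diverge; otherwise a one-line comment on the other branch saying where its escaping happens would do. The enclosing function starts before and ends after this hunk.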
......
...@@ -89,10 +89,9 @@ public function generateFieldMetadata(FieldItemListInterface $items, $view_mode) ...@@ -89,10 +89,9 @@ public function generateFieldMetadata(FieldItemListInterface $items, $view_mode)
$label = $items->getFieldDefinition()->getLabel(); $label = $items->getFieldDefinition()->getLabel();
$editor = $this->editorManager->createInstance($editor_id); $editor = $this->editorManager->createInstance($editor_id);
$metadata = array( $metadata = array(
'label' => SafeMarkup::checkPlain($label), 'label' => $label,
'access' => TRUE, 'access' => TRUE,
'editor' => $editor_id, 'editor' => $editor_id,
'aria' => t('Entity @type @id, field @field', array('@type' => $entity->getEntityTypeId(), '@id' => $entity->id(), '@field' => $label)),
); );
$custom_metadata = $editor->getMetadata($items); $custom_metadata = $editor->getMetadata($items);
if (count($custom_metadata)) { if (count($custom_metadata)) {
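Review bot: 'label' is now emitted as the raw field label with escaping moved to the client, but nothing in the method records that contract; a comment on the changed line such as `'label' => $label, // Not escaped here: the client (Drupal.theme.quickeditEntityToolbarLabel) escapes it for output.` would stop the next maintainer from re-adding checkPlain and double-encoding. If the removed `SafeMarkup::checkPlain()` call was the last use of SafeMarkup in this file, the corresponding `use` import is now unused and should be removed; the import block is outside the hunk. getLabel() may also return a translatable markup object rather than a string, and the tests on this page compare against plain strings, so it is worth confirming the JSON encoding of `$label` still yields the plain string. generateFieldMetadata starts before and ends after this hunk.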
......
...@@ -107,7 +107,6 @@ public function testSimpleEntityType() { ...@@ -107,7 +107,6 @@ public function testSimpleEntityType() {
'access' => TRUE, 'access' => TRUE,
'label' => 'Plain text field', 'label' => 'Plain text field',
'editor' => 'plain_text', 'editor' => 'plain_text',
'aria' => 'Entity entity_test 1, field Plain text field',
); );
$this->assertEqual($expected_1, $metadata_1, 'The correct metadata is generated for the first field.'); $this->assertEqual($expected_1, $metadata_1, 'The correct metadata is generated for the first field.');
...@@ -118,7 +117,6 @@ public function testSimpleEntityType() { ...@@ -118,7 +117,6 @@ public function testSimpleEntityType() {
'access' => TRUE, 'access' => TRUE,
'label' => 'Simple number field', 'label' => 'Simple number field',
'editor' => 'form', 'editor' => 'form',
'aria' => 'Entity entity_test 1, field Simple number field',
); );
$this->assertEqual($expected_2, $metadata_2, 'The correct metadata is generated for the second field.'); $this->assertEqual($expected_2, $metadata_2, 'The correct metadata is generated for the second field.');
} }
...@@ -177,7 +175,6 @@ public function testEditorWithCustomMetadata() { ...@@ -177,7 +175,6 @@ public function testEditorWithCustomMetadata() {
'access' => TRUE, 'access' => TRUE,
'label' => 'Rich text field', 'label' => 'Rich text field',
'editor' => 'wysiwyg', 'editor' => 'wysiwyg',
'aria' => 'Entity entity_test 1, field Rich text field',
'custom' => array( 'custom' => array(
'format' => 'full_html' 'format' => 'full_html'
), ),
......
...@@ -174,7 +174,6 @@ public function testUserWithPermission() { ...@@ -174,7 +174,6 @@ public function testUserWithPermission() {
'label' => 'Body', 'label' => 'Body',
'access' => TRUE, 'access' => TRUE,
'editor' => 'form', 'editor' => 'form',
'aria' => 'Entity node 1, field Body',
) )
); );
$this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.'); $this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.');
...@@ -333,7 +332,6 @@ public function testTitleBaseField() { ...@@ -333,7 +332,6 @@ public function testTitleBaseField() {
'label' => 'Title', 'label' => 'Title',
'access' => TRUE, 'access' => TRUE,
'editor' => 'plain_text', 'editor' => 'plain_text',
'aria' => 'Entity node 1, field Title',
) )
); );
$this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.'); $this->assertIdentical(Json::decode($response), $expected, 'The metadata HTTP request answers with the correct JSON response.');
......