Commit 0f9ebb2a authored by catch's avatar catch

Issue #2512106 by cilefen, droplet, alexpott: Inline templates are XSS filtered incorrectly

parent 484b071d
......@@ -7,6 +7,7 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\PhpStorage\PhpStorageFactory;
/**
......@@ -201,7 +202,9 @@ public function getTemplateClass($name, $index = NULL) {
public function renderInline($template_string, array $context = array()) {
// Prefix all inline templates with a special comment.
$template_string = '{# inline_template_start #}' . $template_string;
return $this->loadTemplate($template_string, NULL)->render($context);
// @todo replace with object implementating SafeStringInterface in
// https://www.drupal.org/node/2506581.
return SafeMarkup::set($this->loadTemplate($template_string, NULL)->render($context));
}
}
......@@ -57,6 +57,10 @@ function testUninstallPage() {
$this->drupalGet('admin/modules/uninstall');
$this->assertTitle(t('Uninstall') . ' | Drupal');
// Be sure labels are rendered properly.
// @see regression https://www.drupal.org/node/2512106
$this->assertRaw('<label for="edit-uninstall-node" class="module-name table-filter-text-source">Node</label>');
$this->assertText(\Drupal::translation()->translate('The following reason prevents Node from being uninstalled:'));
$this->assertText(\Drupal::translation()->translate('There is content for the entity type: Content'));
// Delete the node to allow node to be uninstalled.
......
......@@ -41,10 +41,10 @@ public function testInlineTemplate() {
$unsafe_string = '<script>alert(\'Danger! High voltage!\');</script>';
$element['test'] = array(
'#type' => 'inline_template',
'#template' => 'test-with-context {{ unsafe_content }}',
'#template' => 'test-with-context <label>{{ unsafe_content }}</label>',
'#context' => array('unsafe_content' => $unsafe_string),
);
$this->assertEqual($renderer->renderRoot($element), 'test-with-context ' . SafeMarkup::checkPlain($unsafe_string));
$this->assertEqual($renderer->renderRoot($element), 'test-with-context <label>' . SafeMarkup::checkPlain($unsafe_string) . '</label>');
// Enable twig_auto_reload and twig_debug.
$settings = Settings::getAll();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment