Commit 1826fe3a authored by catch's avatar catch

Issue #3440399 by prudloff, akalata, larowlan, longwave, smustgrave, mrszymon,...

Issue #3440399 by prudloff, akalata, larowlan, longwave, smustgrave, mrszymon, greggles, berdir: Malicious fingerprinting of visitors via role name on content translation screen

(cherry picked from commit db7346b6)
parent 7c2afb2f
+2 −1
@@ -2,6 +2,7 @@

namespace Drupal\config_translation\FormElement;

use Drupal\Component\Utility\Html;
use Drupal\Core\Config\Config;
use Drupal\Core\Language\LanguageInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
@@ -87,7 +88,7 @@ public function getTranslationBuild(LanguageInterface $source_language, Language
   */
  protected function getSourceElement(LanguageInterface $source_language, $source_config) {
    if ($source_config) {
      $value = '<span lang="' . $source_language->getId() . '">' . nl2br($source_config) . '</span>';
      $value = '<span lang="' . $source_language->getId() . '">' . nl2br(Html::escape($source_config)) . '</span>';
    }
    else {
      $value = $this->t('(Empty)');
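Review bot: The text node is now escaped, but the `lang` attribute value on the same line (`$source_language->getId()`) is still concatenated into the markup raw; language IDs are normally validated machine names, so this is presumably safe, but writing it as `Html::escape($source_language->getId())`, or building the span as an `html_tag` render element whose `#attributes` are escaped by the renderer, would make the whole string safe by construction rather than by assumption. The order of the new calls is right: escaping before `nl2br()` keeps the inserted `<br />` tags intact while neutralising any markup carried in the config value. The docblock of getSourceElement(), which closes just above the hunk, should now say that the returned string is escaped HTML so callers do not escape it a second time. The function body continues past the hunk.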
+1 −1
@@ -276,7 +276,7 @@ public function testBooleanFieldConfigTranslation(): void {

    // Checks the text of details summary element that surrounds the translation
    // options.
    $this->assertSession()->responseContains(Html::escape(strip_tags($on_label)) . ' Boolean settings');
    $this->assertSession()->responseContains(Html::escape($on_label) . ' Boolean settings');

    // Checks that the correct on and off labels appear on the form.
    $this->assertSession()->assertEscaped($on_label);
+20 −0
@@ -332,4 +332,24 @@ public function testSequenceTranslation(): void {
    $this->assertEquals($expected, $actual);
  }

  /**
   * Tests escaping of source configuration label.
   */
  public function testLabelEscaping(): void {
    $this->drupalLogin($this->adminUser);

    // Testing via translating a role configuration.
    $role_id = $this->randomMachineName(16);
    $malicious_role_name = '">\'><img src="http://127.0.0.1/evil">';
    $this->drupalCreateRole([], $role_id, $malicious_role_name);

    // Visit the form that adds the translation of this label.
    $translate_link = 'admin/people/roles/manage/' . $role_id . '/translate/fr/add';
    $this->drupalGet($translate_link);

    // Ensure that the displayed label is escaped.
    $this->assertSession()->responseNotContains('<img src="http://127.0.0.1/evil">');
    $this->assertSession()->responseContains('<span lang="en">&quot;&gt;&#039;&gt;&lt;img src=&quot;http://127.0.0.1/evil&quot;&gt;</span>');
  }

}
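Review bot: The negative check `responseNotContains('<img src="http://127.0.0.1/evil">')` is a substring match, so it would still pass if the label were only partially escaped (quotes encoded but angle brackets left intact) even though an `img` element would then be rendered; a DOM-level assertion such as `$this->assertSession()->elementNotExists('css', 'img[src="http://127.0.0.1/evil"]');` checks what the browser would actually build. The positive assertion pins the exact `<span lang="en">` markup, which is fine for a regression test but will also fail on any harmless markup change, so a comment like `// Mirrors the span built by getSourceElement(); update if that markup changes.` would save the next maintainer a detour. The `fr` target in the path assumes French is enabled by the test class's setup, which is outside this hunk.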