Commit 4300214f authored by alexpott's avatar alexpott

Issue #2264041 by pwolanin, dawehner, cilefen, chx: Fixed Add a test to ensure...

Issue #2264041 by pwolanin, dawehner, cilefen, chx: Fixed Add a test to ensure title callbacks are not vulnerable to XSS.
parent 853741a8
......@@ -362,6 +362,11 @@ function testBreadCrumbs() {
$trail += array('admin/reports' => t('Reports'));
$this->assertBreadcrumb('admin/reports/dblog', $trail, t('Recent log messages'));
$this->assertNoResponse(403);
// Ensure that the breadcrumb is safe against XSS.
$this->drupalGet('menu-test/breadcrumb1/breadcrumb2/breadcrumb3');
$this->assertRaw('<script>alert(12);</script>');
$this->assertRaw(String::checkPlain('<script>alert(123);</script>'));
}
}
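Review bot: The second assertion only proves that the escaped title-callback string appears somewhere in the response; it does not prove that the unescaped `<script>alert(123);</script>` is absent. A regression that renders the callback title raw in one place and escaped in another would still pass. Add `$this->assertNoRaw('<script>alert(123);</script>');` directly after it. The preceding `assertRaw('<script>alert(12);</script>')` asserts that the static `_title` markup is emitted unescaped, which reads as the opposite of the comment above it. If that is intended, presumably because route-defined titles are treated as trusted, say so with a comment such as `// Static _title values come from routing files and are output as-is; only callback titles are escaped.` testBreadCrumbs() begins outside this hunk.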
......@@ -367,3 +367,27 @@ menu_test.custom:
_content: '\Drupal\menu_test\Controller\MenuTestController::menuTestCallback'
requirements:
_access: 'TRUE'
menu_test.breadcrumb1:
path: '/menu-test/breadcrumb1'
defaults:
_content: '\Drupal\menu_test\Controller\MenuTestController::menuTestCallback'
_title: '<script>alert(12);</script>'
requirements:
_access: 'TRUE'
menu_test.breadcrumb2:
path: '/menu-test/breadcrumb1/breadcrumb2'
defaults:
_content: '\Drupal\menu_test\Controller\MenuTestController::menuTestCallback'
_title_callback: '\Drupal\menu_test\Controller\MenuTestController::breadcrumbTitleCallback'
requirements:
_access: 'TRUE'
menu_test.breadcrumb3:
path: '/menu-test/breadcrumb1/breadcrumb2/breadcrumb3'
defaults:
_content: '\Drupal\menu_test\Controller\MenuTestController::menuTestCallback'
_title: 'Normal title'
requirements:
_access: 'TRUE'
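Review bot: Nothing in these three routes says that the `<script>` title on `menu_test.breadcrumb1` and the callback on `menu_test.breadcrumb2` are deliberate XSS fixtures, so a later cleanup could sanitise them and silently hollow out the test. A comment above `menu_test.breadcrumb1` would make the intent clear, for example `# XSS fixtures for the breadcrumb test: breadcrumb1 uses a static _title, breadcrumb2 a _title_callback; breadcrumb3 is the page that renders both in its trail.` The same applies to `breadcrumbTitleCallback()` in the controller hunk, whose docblock has a bare `@return string`. It should state that the returned markup is intentionally unescaped and must be escaped by whatever renders the title.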
......@@ -43,4 +43,13 @@ public function themePage($inherited) {
return menu_test_theme_page_callback($inherited);
}
/**
* A title callback for XSS breadcrumb check.
*
* @return string
*/
public function breadcrumbTitleCallback() {
return '<script>alert(123);</script>';
}
}