Commit 6cd78a13 authored by alexpott's avatar alexpott

Issue #2399261 by chx, effulgentsia, stefan.r, crowdcg, pwolanin, alexpott,...

Issue #2399261 by chx, effulgentsia, stefan.r, crowdcg, pwolanin, alexpott, joelpittet, xjm, mdrummond, genjohnson: Remove SafeMarkup::set and Recheck and Mark Safe the Output of Unicode::truncate() in DbLog
parent 38430537
......@@ -508,7 +508,7 @@ public static function substr($text, $start, $length = NULL) {
* @param bool $add_ellipsis
* If TRUE, add '...' to the end of the truncated string (defaults to
* FALSE). The string length will still fall within $max_length.
* @param bool $min_wordsafe_length
* @param int $min_wordsafe_length
* If $wordsafe is TRUE, the minimum acceptable length for truncation (before
* adding an ellipsis, if $add_ellipsis is TRUE). Has no effect if $wordsafe
* is FALSE. This can be used to prevent having a very short resulting string
......
......@@ -184,10 +184,9 @@ public function overview() {
foreach ($result as $dblog) {
$message = $this->formatMessage($dblog);
if ($message && isset($dblog->wid)) {
// Truncate link_text to 56 chars of message.
// @todo Reevaluate the SafeMarkup::set() in
// https://www.drupal.org/node/2399261.
$log_text = SafeMarkup::set(Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE));
// Truncate link_text to 56 chars of message. The l() call will escape
// any unsafe HTML entities in the final text.
$log_text = Unicode::truncate(Html::decodeEntities(strip_tags($message)), 56, TRUE, TRUE);
$message = $this->l($log_text, new Url('dblog.event', array('event_id' => $dblog->wid), array(
'attributes' => array(
// Provide a title for the link for useful hover hints.
......
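Review bot: The comment above `$log_text = Unicode::truncate(Html::decodeEntities(strip_tags($message)), 56, TRUE, TRUE);` does not say why strip_tags() runs before decodeEntities(), and that order is the security-relevant part of the new line: entities already present in $message (e.g. the `&lt;script&gt;` exercised by the new test) decode to `<script>` only after tags have been stripped, so they reach l() as plain text and are re-escaped, whereas the reverse order would strip text that was never markup. I would extend the comment to `// strip_tags() must run before decodeEntities(): escaped text in $message (e.g. &lt;script&gt;) is data to keep, not markup to strip; l() re-escapes the plain-text result.` and say "HTML special characters" rather than "HTML entities", since l() escapes characters, not entities. One caveat worth a sentence in the comment or a test: PHP's strip_tags() is documented to remove more than expected on partial or broken tags, so if formatMessage() can ever return raw (unescaped) text containing a bare `<`, the rest of the link text after it would be lost. The overview() body continues outside the hunk.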
......@@ -7,8 +7,8 @@
namespace Drupal\dblog\Tests;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Unicode;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Logger\RfcLogLevel;
use Drupal\Core\Url;
use Drupal\dblog\Controller\DbLogController;
......@@ -339,10 +339,10 @@ private function doUser() {
$this->assertLogMessage(t('Session closed for %name.', array('%name' => $name)), 'DBLog event was recorded: [logout user]');
// Delete user.
$message = t('Deleted user: %name %email.', array('%name' => $name, '%email' => '<' . $user->getEmail() . '>'));
$message_text = Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE);
$message_text = Unicode::truncate(Html::decodeEntities(strip_tags($message)), 56, TRUE, TRUE);
// Verify that the full message displays on the details page.
$link = FALSE;
if ($links = $this->xpath('//a[text()="' . html_entity_decode($message_text) . '"]')) {
if ($links = $this->xpath('//a[text()="' . $message_text . '"]')) {
// Found link with the message text.
$links = array_shift($links);
foreach ($links->attributes() as $attr => $value) {
......@@ -695,11 +695,8 @@ protected function asText(\SimpleXMLElement $element) {
* The message to pass to simpletest.
*/
protected function assertLogMessage($log_message, $message) {
$message_text = Unicode::truncate(Xss::filter($log_message, array()), 56, TRUE, TRUE);
// After \Drupal\Component\Utility\Xss::filter(), HTML entities should be
// converted to their character equivalents because assertLink() uses this
// string in xpath() to query the Document Object Model (DOM).
$this->assertLink(html_entity_decode($message_text), 0, $message);
$message_text = Unicode::truncate(Html::decodeEntities(strip_tags($log_message)), 56, TRUE, TRUE);
$this->assertLink($message_text, 0, $message);
}
/**
......@@ -730,4 +727,17 @@ public function testTemporaryUser() {
$this->drupalGet('admin/reports/dblog/event/' . $wid);
$this->assertText('Dblog test log message');
}
/**
* Make sure HTML tags are filtered out in the log overview links.
*/
public function testOverviewLinks() {
$this->drupalLogin($this->adminUser);
$this->generateLogEntries(1, ['message' => "&lt;script&gt;alert('foo');&lt;/script&gt;<strong>Lorem</strong> ipsum dolor sit amet, consectetur adipiscing elit."]);
$this->drupalGet('admin/reports/dblog');
$this->assertResponse(200);
// Make sure HTML tags are filtered out.
$this->assertRaw('title="&amp;lt;script&amp;gt;alert(&#039;foo&#039;);&amp;lt;/script&amp;gt;Lorem ipsum dolor sit amet, consectetur adipiscing elit. Entry #0">&lt;script&gt;alert(&#039;foo&#039;);&lt;/script&gt;Lorem ipsum dolor sit…</a>');
}
}
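Review bot: testOverviewLinks() only feeds an already entity-encoded `&lt;script&gt;` plus a harmless `<strong>` tag, so the regression this commit is about — a raw script tag in a log message reaching the overview link or its title attribute unescaped — is not asserted directly, even though strip_tags() would presumably treat it like `<strong>`. I would add a second entry with raw markup and a negative assertion: `$this->generateLogEntries(1, ['message' => "<script>alert('bar');</script>Lorem ipsum"]);` then `$this->drupalGet('admin/reports/dblog');` and `$this->assertNoRaw("<script>alert('bar');</script>");`. Separately, the expression `Unicode::truncate(Html::decodeEntities(strip_tags(...)), 56, TRUE, TRUE)` is now spelled out in both doUser() and assertLogMessage() and has to stay in sync with the controller; a single protected helper in the test (or having doUser() reuse assertLogMessage()) would keep the 56-character limit and the strip/decode order in one place.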