Commit 6efeaf75 authored by alexpott's avatar alexpott

Issue #1948418 by webflo, martin107, galooph, cilefen, gaurav.goyal,...

Issue #1948418 by webflo, martin107, galooph, cilefen, gaurav.goyal, amitgoyal, dawehner, dstol: Fixed Address SA-CONTRIB-2013-035 for views in D8.
parent 4d5ef6d1
......@@ -27,6 +27,9 @@ views_display:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
exposed_form:
type: mapping
label: 'Exposed form'
......@@ -40,6 +43,9 @@ views_display:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
access:
type: mapping
label: 'Access'
......@@ -52,6 +58,9 @@ views_display:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
cache:
type: views.cache.[type]
empty:
......@@ -99,6 +108,9 @@ views_display:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
row:
type: mapping
label: 'Row'
......@@ -111,6 +123,9 @@ views_display:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
query:
type: mapping
label: 'Query'
......@@ -123,6 +138,9 @@ views_display:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
defaults:
type: mapping
label: 'Defaults'
......@@ -883,3 +901,6 @@ views_cache:
provider:
type: string
label: 'Provider'
dependencies:
type: config_dependencies
label: 'Dependencies'
<?php
/**
* @file
* Contains \Drupal\views_ui\Tests\XssTest.
*/
namespace Drupal\views_ui\Tests;
/**
* @group views_ui
*/
class XssTest extends UITestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = array('node', 'user', 'views_ui', 'views_ui_test');
public function testViewsUi() {
$this->drupalGet('admin/structure/views');
$this->assertRaw('&lt;script&gt;alert(&quot;foo&quot;);&lt;/script&gt;, &lt;marquee&gt;test&lt;/marquee&gt;', 'The view tag is properly escaped.');
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
$this->assertRaw('&amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;', 'Field admin label is properly escaped.');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertRaw('[title] == &amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;', 'Token label is properly escaped.');
$this->assertRaw('[title_1] == &amp;lt;script&amp;gt;alert(&amp;quot;XSS&amp;quot;)&amp;lt;/script&amp;gt;', 'Token label is properly escaped.');
}
}
uuid: 93005672-5b8a-4a7a-9342-6651552bb753
langcode: en
status: true
dependencies:
module:
- node
id: sa_contrib_2013_035
label: SA_CONTRIB_2013_035
module: views
description: ''
tag: '<script>alert("foo");</script>, <marquee>test</marquee>'
base_table: node
base_field: nid
core: 8.x
display:
default:
display_plugin: default
id: default
display_title: Master
position: 0
provider: views
display_options:
access:
type: perm
options:
perm: 'access content'
provider: user
dependencies: { }
cache:
type: none
options: { }
provider: views
dependencies: { }
query:
type: views_query
options:
disable_sql_rewrite: false
distinct: false
replica: false
query_comment: false
query_tags: { }
provider: views
dependencies: { }
exposed_form:
type: basic
options:
submit_button: Apply
reset_button: false
reset_button_label: Reset
exposed_sorts_label: 'Sort by'
expose_sort_order: true
sort_asc_label: Asc
sort_desc_label: Desc
provider: views
dependencies: { }
pager:
type: none
options:
offset: 0
provider: views
style:
type: default
options:
grouping: { }
row_class: ''
default_row_class: true
uses_fields: false
provider: views
dependencies: { }
row:
type: fields
options:
inline: { }
separator: ''
hide_empty: false
default_field_elements: true
provider: views
dependencies: { }
fields:
title:
id: title
table: node_field_data
field: title
relationship: none
group_type: group
admin_label: '<marquee>test</marquee>'
dependencies:
module:
- node
- node
- node
label: ''
exclude: false
alter:
alter_text: false
text: ''
make_link: false
path: ''
absolute: false
external: false
replace_spaces: false
path_case: none
trim_whitespace: false
alt: ''
rel: ''
link_class: ''
prefix: ''
suffix: ''
target: ''
nl2br: false
max_length: ''
word_boundary: false
ellipsis: false
more_link: false
more_link_text: ''
more_link_path: ''
strip_tags: false
trim: false
preserve_tags: ''
html: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: false
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_empty: false
empty_zero: false
hide_alter_empty: true
link_to_node: true
plugin_id: node
provider: node
title_1:
id: title_1
table: node_field_data
field: title
relationship: none
group_type: group
admin_label: '<script>alert("XSS")</script>'
dependencies:
module:
- node
label: ''
exclude: false
alter:
alter_text: false
text: ''
make_link: false
path: ''
absolute: false
external: false
replace_spaces: false
path_case: none
trim_whitespace: false
alt: ''
rel: ''
link_class: ''
prefix: ''
suffix: ''
target: ''
nl2br: false
max_length: ''
word_boundary: true
ellipsis: true
more_link: false
more_link_text: ''
more_link_path: ''
strip_tags: false
trim: false
preserve_tags: ''
html: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: false
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_empty: false
empty_zero: false
hide_alter_empty: true
link_to_node: true
plugin_id: node
provider: node
filters: { }
sorts: { }
header:
area:
id: area
table: views
field: area
plugin_id: text
provider: views
footer: { }
empty: { }
relationships: { }
arguments: { }
field_langcode: '***LANGUAGE_language_content***'
field_langcode_add_to_query: null
title: '<marquee>VIEWS TITLE</marquee>'
page_1:
display_plugin: page
id: page_1
display_title: Page
position: 2
provider: views
display_options:
field_langcode: '***LANGUAGE_language_content***'
field_langcode_add_to_query: null
path: foobar
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment