Commit 72450c6a authored by catch's avatar catch

Issue #2330503 by pfrenssen, dawehner: Fixed [sechole] Inline templates pass...

Issue #2330503 by pfrenssen, dawehner: Fixed [sechole] Inline templates pass through unsafe strings.
parent c1f444b1
......@@ -71,12 +71,11 @@ public function __construct(\Twig_LoaderInterface $loader = NULL, ModuleHandlerI
$options += array(
// @todo Ensure garbage collection of expired files.
'cache' => TRUE,
// @todo Remove this.
// @see http://drupal.org/node/1712444
'autoescape' => FALSE,
'debug' => FALSE,
'auto_reload' => NULL,
);
// Ensure autoescaping is always on.
$options['autoescape'] = TRUE;
parent::__construct($loader, $options);
}
......
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\Theme;
use Drupal\Component\Utility\String;
use Drupal\simpletest\KernelTestBase;
/**
......@@ -34,12 +35,13 @@ public function testInlineTemplate() {
$this->assertEqual($environment->renderInline('test-with-context {{ lama }}', array('lama' => 'muuh')), 'test-with-context muuh');
$element = array();
$unsafe_string = '<script>alert(\'Danger! High voltage!\');</script>';
$element['test'] = array(
'#type' => 'inline_template',
'#template' => 'test-with-context {{ lama }}',
'#context' => array('lama' => 'muuh'),
'#template' => 'test-with-context {{ unsafe_content }}',
'#context' => array('unsafe_content' => $unsafe_string),
);
$this->assertEqual(drupal_render($element), 'test-with-context muuh');
$this->assertEqual(drupal_render($element), 'test-with-context ' . String::checkPlain($unsafe_string));
}
}
......
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\Theme;
use Drupal\Component\Utility\String;
use Drupal\simpletest\WebTestBase;
/**
......@@ -36,4 +37,21 @@ public function testAutoescapeRaw() {
$this->assertRaw('<script>alert("This alert is real because I will put it through the raw filter!");</script>');
}
/**
* Tests autoescaping of unsafe content.
*
* This is one of the most important tests in Drupal itself in terms of
* security.
*/
public function testAutoescape() {
$script = '<script>alert("This alert is unreal!");</script>';
$build = [
'#theme' => 'twig_autoescape_test',
'#script' => $script,
];
$rendered = drupal_render($build);
$this->setRawContent($rendered);
$this->assertRaw(String::checkPlain($script));
}
}
......@@ -23,6 +23,10 @@ function twig_theme_test_theme($existing, $type, $theme, $path) {
'variables' => array('script' => ''),
'template' => 'twig-raw-test',
);
$items['twig_autoescape_test'] = array(
'variables' => array('script' => ''),
'template' => 'twig-autoescape-test',
);
$items['twig_theme_test_url_generator'] = array(
'variables' => array(),
'template' => 'twig_theme_test.url_generator',
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment