Loading core/modules/system/src/Form/ModulesListForm.php +4 −2 Original line number Diff line number Diff line Loading @@ -17,10 +17,12 @@ use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; use Drupal\Core\Link; use Drupal\Core\Render\Element; use Drupal\Core\Render\Markup; use Drupal\Core\Session\AccountInterface; use Drupal\user\PermissionHandlerInterface; use Drupal\Core\Url; use Symfony\Component\DependencyInjection\ContainerInterface; use Drupal\Component\Utility\Xss; /** * Provides module installation interface. Loading Loading @@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { foreach (Element::children($form['modules']) as $package) { $form['modules'][$package] += [ '#type' => 'details', '#title' => $this->t($package), '#title' => Markup::create(Xss::filterAdmin($this->t($package))), '#open' => TRUE, '#theme' => 'system_modules_details', '#attributes' => ['class' => ['package-listing']], Loading Loading @@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) { ]) )->toString(); } $row['description']['#markup'] = $this->t($module->info['description']); $row['description']['#markup'] = (string) $this->t($module->info['description']); $row['version']['#markup'] = $module->info['version']; // Generate link for module's help page. Assume that if a hook_help() Loading core/modules/system/system.admin.inc +3 −1 Original line number Diff line number Diff line Loading @@ -6,8 +6,10 @@ */ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Link; use Drupal\Core\Render\Element; use Drupal\Core\Render\Markup; use Drupal\Core\Template\Attribute; use Drupal\Core\Url; Loading Loading 
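Review bot: The `(string)` cast on the `$row['description']['#markup']` line in buildRow() is the actual fix, but nothing says why, so a later cleanup could drop it as redundant. TranslatableMarkup implements MarkupInterface, and a `#markup` value that is already a MarkupInterface object is rendered as-is while a plain string goes through the renderer's admin XSS filtering, so the cast is what puts the untrusted `info['description']` back on the filtered path (inferred from the change, not visible in the hunk). A one-line comment above it would pin that down, e.g. `// Cast to string so the renderer applies Xss::filterAdmin() to #markup; a MarkupInterface object would be rendered unfiltered.`, and the explicit `Markup::create(Xss::filterAdmin(...))` on the `#title` line in buildForm() is the same idea and deserves a matching comment; the same pattern recurs in system.admin.inc below and in the repeated copy of this section further down the page. Both buildForm() and buildRow() extend beyond the hunk. As a style point, the new `use Drupal\Component\Utility\Xss;` is appended after the Symfony import instead of being kept with the other alphabetised Drupal imports.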
@@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) { } // Localize the theme description. $current_theme['description'] = t($theme->info['description']); $current_theme['description'] = Markup::create(Xss::filterAdmin(t($theme->info['description']))); $current_theme['attributes'] = new Attribute(); $current_theme['name'] = $theme->info['name']; Loading core/modules/system/tests/modules/evil/evil.info.yml 0 → 100644 +5 −0 Original line number Diff line number Diff line name: <script>alert('Evil module name');</script> type: module description: <script>alert('Evil module desc');</script> package: Testing version: VERSION core/modules/system/tests/src/Functional/ModuleThemePageXssVulnerabilityTest.php 0 → 100644 +53 −0 Original line number Diff line number Diff line <?php declare(strict_types=1); namespace Drupal\Tests\system\Functional; use Drupal\Tests\BrowserTestBase; /** * Tests module and theme pages do not have XSS vulnerabilities. * * @group system */ class ModuleThemePageXssVulnerabilityTest extends BrowserTestBase { /** * {@inheritdoc} */ protected static $modules = ['system']; /** * {@inheritdoc} */ protected $defaultTheme = 'stark'; /** * {@inheritdoc} */ protected function setUp(): void { parent::setUp(); $admin = $this->drupalCreateUser([ 'administer modules', 'administer themes', ]); $this->drupalLogin($admin); } /** * Tests extension info cannot create XSS vulnerabilities. 
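Review bot: The filtered `$current_theme['description']` line sits next to `$current_theme['name'] = $theme->info['name'];`, which is left as a raw string from the same untrusted info file, and nothing explains why only one of the two is filtered here. Presumably the template escapes `name` via Twig autoescaping while `description` is deliberately handed over as Markup so admin-safe tags survive, but that split is easy to break in a later template edit. A comment would make the contract explicit, e.g. `// Filter the description with the admin tag list and mark it safe; name stays a plain string and is escaped by the template.` template_preprocess_system_themes_page() starts and ends outside the hunk, so I cannot see whether anything downstream re-marks the name as safe.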
*/ public function testExtensionInfoXss(): void { $this->drupalGet("admin/modules"); $this->assertSession()->pageTextContains("alert('Evil module name');"); $this->assertSession()->pageTextContains("alert('Evil module desc');"); $this->assertSession()->responseNotContains("<script>alert("); $this->drupalGet("admin/appearance"); $this->assertSession()->pageTextContains("alert('Evil theme name');"); $this->assertSession()->pageTextContains("alert('Evil theme desc');"); $this->assertSession()->responseNotContains("<script>alert("); } } core/modules/system/tests/themes/evil/evil.info.yml 0 → 100644 +5 −0 Original line number Diff line number Diff line name: <script>alert('Evil theme name');</script> type: theme description: <script>alert('Evil theme desc');</script> version: VERSION base theme: false Loading
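Review bot: The fixture module's `package: Testing` means testExtensionInfoXss() never exercises the package `#title` filtering that ModulesListForm::buildForm() gains in this commit; only the name and description keys carry a payload. Giving the evil module a package value built the same way as its name, plus a matching `pageTextContains()` / `responseNotContains()` pair, would cover that path, though it would move the module out of the Testing package on the page, which may matter to other assertions. The `responseNotContains("<script>alert(")` assertions also pass if the whole value is HTML-escaped, so they do not distinguish "filtered then rendered as markup" from "escaped"; if the intent is that admin-safe tags survive, an assertion on an allowed tag in the fixture (e.g. `<em>`) would pin that. The test relies on the evil module and theme being discovered by the listing pages without being installed, which I cannot confirm from the hunk.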
core/modules/system/src/Form/ModulesListForm.php +4 −2 Original line number Diff line number Diff line Loading @@ -17,10 +17,12 @@ use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; use Drupal\Core\Link; use Drupal\Core\Render\Element; use Drupal\Core\Render\Markup; use Drupal\Core\Session\AccountInterface; use Drupal\user\PermissionHandlerInterface; use Drupal\Core\Url; use Symfony\Component\DependencyInjection\ContainerInterface; use Drupal\Component\Utility\Xss; /** * Provides module installation interface. Loading Loading @@ -207,7 +209,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { foreach (Element::children($form['modules']) as $package) { $form['modules'][$package] += [ '#type' => 'details', '#title' => $this->t($package), '#title' => Markup::create(Xss::filterAdmin($this->t($package))), '#open' => TRUE, '#theme' => 'system_modules_details', '#attributes' => ['class' => ['package-listing']], Loading Loading @@ -272,7 +274,7 @@ protected function buildRow(array $modules, Extension $module, $distribution) { ]) )->toString(); } $row['description']['#markup'] = $this->t($module->info['description']); $row['description']['#markup'] = (string) $this->t($module->info['description']); $row['version']['#markup'] = $module->info['version']; // Generate link for module's help page. Assume that if a hook_help() Loading
core/modules/system/system.admin.inc +3 −1 Original line number Diff line number Diff line Loading @@ -6,8 +6,10 @@ */ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; use Drupal\Core\Link; use Drupal\Core\Render\Element; use Drupal\Core\Render\Markup; use Drupal\Core\Template\Attribute; use Drupal\Core\Url; Loading Loading @@ -296,7 +298,7 @@ function template_preprocess_system_themes_page(&$variables) { } // Localize the theme description. $current_theme['description'] = t($theme->info['description']); $current_theme['description'] = Markup::create(Xss::filterAdmin(t($theme->info['description']))); $current_theme['attributes'] = new Attribute(); $current_theme['name'] = $theme->info['name']; Loading
core/modules/system/tests/modules/evil/evil.info.yml 0 → 100644 +5 −0 Original line number Diff line number Diff line name: <script>alert('Evil module name');</script> type: module description: <script>alert('Evil module desc');</script> package: Testing version: VERSION
core/modules/system/tests/src/Functional/ModuleThemePageXssVulnerabilityTest.php 0 → 100644 +53 −0 Original line number Diff line number Diff line <?php declare(strict_types=1); namespace Drupal\Tests\system\Functional; use Drupal\Tests\BrowserTestBase; /** * Tests module and theme pages do not have XSS vulnerabilities. * * @group system */ class ModuleThemePageXssVulnerabilityTest extends BrowserTestBase { /** * {@inheritdoc} */ protected static $modules = ['system']; /** * {@inheritdoc} */ protected $defaultTheme = 'stark'; /** * {@inheritdoc} */ protected function setUp(): void { parent::setUp(); $admin = $this->drupalCreateUser([ 'administer modules', 'administer themes', ]); $this->drupalLogin($admin); } /** * Tests extension info cannot create XSS vulnerabilities. */ public function testExtensionInfoXss(): void { $this->drupalGet("admin/modules"); $this->assertSession()->pageTextContains("alert('Evil module name');"); $this->assertSession()->pageTextContains("alert('Evil module desc');"); $this->assertSession()->responseNotContains("<script>alert("); $this->drupalGet("admin/appearance"); $this->assertSession()->pageTextContains("alert('Evil theme name');"); $this->assertSession()->pageTextContains("alert('Evil theme desc');"); $this->assertSession()->responseNotContains("<script>alert("); } }
core/modules/system/tests/themes/evil/evil.info.yml 0 → 100644 +5 −0 Original line number Diff line number Diff line name: <script>alert('Evil theme name');</script> type: theme description: <script>alert('Evil theme desc');</script> version: VERSION base theme: false