Commit 9165b68c authored by xjm's avatar xjm

Issue #2501701 by akalata, pwolanin, lauriii, GreenSkunk, cdulude, joelpittet,...

Issue #2501701 by akalata, pwolanin, lauriii, GreenSkunk, cdulude, joelpittet, Cottser: Remove SafeMarkup::set in template_preprocess_color_scheme_form()
parent 85de42c9
......@@ -284,7 +284,7 @@ function template_preprocess_color_scheme_form(&$variables) {
// Attempt to load preview HTML if the theme provides it.
$preview_html_path = \Drupal::root() . '/' . (isset($info['preview_html']) ? drupal_get_path('theme', $theme) . '/' . $info['preview_html'] : drupal_get_path('module', 'color') . '/preview.html');
$variables['html_preview'] = SafeMarkup::set(file_get_contents($preview_html_path));
$variables['html_preview']['#markup'] = file_get_contents($preview_html_path);
}
/**
......
<?php
/**
* @file
* Contains \Drupal\color\Tests\ColorSafePreviewTest.
*/
namespace Drupal\color\Tests;
use Drupal\Core\Url;
use Drupal\simpletest\WebTestBase;
/**
* Tests sanitizing color preview loaded from theme.
*
* @group Theme
*/
class ColorSafePreviewTest extends WebTestBase {
/**
* Modules to enable.
*
* @var string[]
*/
public static $modules = ['color', 'color_test'];
/**
* A user with administrative permissions.
*
* @var \Drupal\user\UserInterface
*/
protected $bigUser;
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
// Create user.
$this->bigUser = $this->drupalCreateUser(['administer themes']);
}
/**
* Ensures color preview.html is sanitized.
*/
function testColorPreview() {
// Install the color test theme.
\Drupal::service('theme_handler')->install(['color_test_theme']);
$this->drupalLogin($this->bigUser);
// Markup is being printed from a HTML file located in:
// core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html
$url = Url::fromRoute('system.theme_settings_theme', ['theme' => 'color_test_theme']);
$this->drupalGet($url);
$this->assertText('TEST COLOR PREVIEW');
$this->assertNoRaw('<script>alert("security filter test");</script>');
$this->assertRaw('<h2>TEST COLOR PREVIEW</h2>');
}
}
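Review bot: `function testColorPreview()` carries no visibility keyword while `setUp()` just above it is `protected`; declare it `public function testColorPreview()` so the two methods follow the same convention. The `<h2>` assertion shows the preview is not escaped wholesale, but nothing checks that a tag carrying an attribute survives the filter, so adding `$this->assertRaw('<a href="#">exercitation ullamco</a>');` after the existing `assertRaw` would pin both halves of the intended behaviour (inline markup kept, script dropped) rather than one. The test also exercises only a theme that ships its own `preview.html`; the module fallback path in `template_preprocess_color_scheme_form()` and the case where `file_get_contents()` returns `false` are left uncovered, which is worth stating in the method docblock or tracking separately. A one-line comment above `assertNoRaw`, e.g. `// The preview is rendered through #markup, so the injected script must not reach the page.`, would tell a reader what the assertion guards.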
......@@ -29,4 +29,5 @@
'css' => array(
'css/colors.css',
),
'preview_html' => 'color/preview.html',
);
<div class="color-preview">
<div id="text">
<h2>TEST COLOR PREVIEW</h2>
<p>Sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud <a href="#">exercitation ullamco</a> laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.</p>
</div>
<div id="img"></div>
</div>
<script>alert("security filter test");</script>