Verified Commit ca113255 authored by Dave Long

Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username...

Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username lazy builder only XSS filters but doesn't escape user display name - stored remote request

(cherry picked from commit 60f2a21d)
parent 03722059
+1 −1
@@ -80,7 +80,7 @@ public function renderToolbarLinks() {
   */
  public function renderDisplayName() {
    return [
      '#markup' => $this->account->getDisplayName(),
      '#plain_text' => $this->account->getDisplayName(),
    ];
  }
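Review bot: The new `#plain_text` key at the return in renderDisplayName() carries no comment explaining why `#markup` is wrong here, and the next maintainer who wants the name to render "nicely" will be tempted to put it back. Suggest a comment above the return: `// The display name is user-controlled; #plain_text escapes it at render time, whereas #markup only runs Xss::filterAdmin() and leaves many tags intact.`. If getDisplayName() can return a MarkupInterface object (AccountInterface's docblock allows that, as far as I recall, via hook_user_format_name_alter()), `#plain_text` will escape that already-safe markup a second time; that is the safe failure direction, but it is worth noting in the same comment so the double-escaping is not "fixed" later by reverting to `#markup`. The method's docblock starts outside the hunk.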

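--- /dev/null
+++ b/[path-not-shown-on-page]/ToolbarLinkBuilderTest.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace Drupal\Tests\user\Unit;
+
+use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\Tests\UnitTestCase;
+use Drupal\user\ToolbarLinkBuilder;
+
+/**
+ * Tests user's ToolbarLinkBuilder.
+ *
+ * @coversDefaultClass \Drupal\user\ToolbarLinkBuilder
+ * @group user
+ */
+class ToolbarLinkBuilderTest extends UnitTestCase {
+
+  /**
+   * Tests structure of display name render array.
+   *
+   * @covers ::renderDisplayName
+   */
+  public function testRenderDisplayName() {
+    $account = $this->prophesize(AccountProxyInterface::class);
+    $display_name = 'Something suspicious that should be #plain_text, not #markup';
+    $account->getDisplayName()->willReturn($display_name);
+    $toolbar_link_builder = new ToolbarLinkBuilder($account->reveal());
+    $expected = ['#plain_text' => $display_name];
+    $this->assertSame($expected, $toolbar_link_builder->renderDisplayName());
+  }
+
+}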
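Review bot: The docblock on testRenderDisplayName() says only "Tests structure of display name render array", which hides that this is the regression test for the escaping bug named in the commit title. Suggest `* Tests that the display name is exposed as #plain_text, never #markup, so it is escaped at render time rather than merely XSS-filtered.` in its place, keeping the `@covers` line. The `$display_name` fixture contains no markup characters, so a reader cannot tell from the value itself why it is "suspicious"; a string containing `<` or `&` would make the intent self-evident, although `assertSame()` on the whole array already fails if a `#markup` key is reintroduced. Note that this unit test pins the render-array key only; the actual escaping is performed by the renderer and is not exercised here.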