Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username...

Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username lazy builder only XSS filters but doesn't escape user display name - stored remote request (cherry picked from commit 60f2a21d)

Issue #3380624 by danflanagan8, lauriii, ioannis.cherouvim: Toolbar username...
ca113255 · Dave Long · 03722059 · ca113255 · ca113255
Verified Commit ca113255 authored 1 year ago by Dave Long
--- a/core/modules/user/src/ToolbarLinkBuilder.php
+++ b/core/modules/user/src/ToolbarLinkBuilder.php
@@ -80,7 +80,7 @@ public function renderToolbarLinks() {
   */
  public function renderDisplayName() {
    return [
-      '#markup' => $this->account->getDisplayName(),
+      '#plain_text' => $this->account->getDisplayName(),
    ];
  }


--- a/core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php
+++ b/core/modules/user/tests/src/Unit/ToolbarLinkBuilderTest.php
+<?php
+
+namespace Drupal\Tests\user\Unit;
+
+use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\Tests\UnitTestCase;
+use Drupal\user\ToolbarLinkBuilder;
+
+/**
+ * Tests user's ToolbarLinkBuilder.
+ *
+ * @coversDefaultClass \Drupal\user\ToolbarLinkBuilder
+ * @group user
+ */
+class ToolbarLinkBuilderTest extends UnitTestCase {
+
+  /**
+   * Tests structure of display name render array.
+   *
+   * @covers ::renderDisplayName
+   */
+  public function testRenderDisplayName() {
+    $account = $this->prophesize(AccountProxyInterface::class);
+    $display_name = 'Something suspicious that should be #plain_text, not #markup';
+    $account->getDisplayName()->willReturn($display_name);
+    $toolbar_link_builder = new ToolbarLinkBuilder($account->reveal());
+    $expected = ['#plain_text' => $display_name];
+    $this->assertSame($expected, $toolbar_link_builder->renderDisplayName());
+  }
+
+}