Commit d6c50292 authored by David_Rothstein's avatar David_Rothstein

Issue #779374 by helmo, joshi.rohit100, meba, sun | coltrane: Fixed XSS via text format names.

parent c8a26f2d
......@@ -68,7 +68,7 @@ function theme_filter_tips($variables) {
foreach ($tips as $name => $tiplist) {
if ($multiple) {
$output .= '<div class="filter-type filter-' . drupal_html_class($name) . '">';
$output .= '<h3>' . $name . '</h3>';
$output .= '<h3>' . check_plain($name) . '</h3>';
}
if (count($tiplist) > 0) {
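Review bot: The heading line now escapes `$name` with check_plain() for the HTML text context, while the line above still passes the same `$name` through drupal_html_class() for the class-attribute context; nothing records that the two lines deliberately use different escaping for different output contexts. As I read drupal_html_class(), it reduces the value to a valid identifier (dropping characters such as `<`, `>` and quotes), so the attribute is covered, but a later "simplification" that reuses one escaped value for both places would silently reopen the issue. I would add `// $name is the admin-entered format label: escaped per context (identifier for the class, check_plain() for text).` above the `<div` line. theme_filter_tips() begins and ends outside this hunk.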
......@@ -70,6 +70,15 @@ class FilterCRUDTestCase extends DrupalWebTestCase {
$this->assertFalse($db_format->status, 'Database: Disabled text format is marked as disabled.');
$formats = filter_formats();
$this->assertTrue(!isset($formats[$format->format]), 'filter_formats: Disabled text format no longer exists.');
// Add a new format to check for Xss in format name.
$format = new stdClass();
$format->format = 'xss_format';
$format->name = '<script>alert(123)</script>';
filter_format_save($format);
user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(filter_permission_name($format) => 1));
$this->drupalGet('filter/tips');
$this->assertNoRaw($format->name, 'Text format name contains no xss.');
}
/**
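Review bot: The new `assertNoRaw($format->name, ...)` passes vacuously whenever the tips page does not render the format name at all — for example if the heading is only produced when several formats are listed, or if the anonymous permission grant did not take effect for the request — so on its own it does not prove the escaping is in place. Pair it with a positive check that the escaped form is present: `$this->assertRaw(check_plain($format->name), 'Text format name is displayed escaped.');`. The test method this hunk extends starts outside the hunk.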