Commit 7c6a7556 authored by Joshua Sedler's avatar Joshua Sedler 🤸🏼

Resolve #3314724 "Use HTML input instead of wrapping the user input inside "script" tags"

parent f5689a99
+7 −7
@@ -79,7 +79,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {

    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_PAGE);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "localStorage.setItem('testkey', 'testname');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>localStorage.setItem('testkey', 'testname');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');
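Review bot: The same three-line arrange sequence (set `confirmation_type`, set the `confirmation_custom_javascript` third-party setting, `save()`) is repeated in all seven hunks of this test class, differing only in the confirmation type constant, so the new `<script>…</script>` value had to be edited in seven places; a private helper on the test class would keep the fixture in one spot. The comment `// Go to confirmation page and see if the script got escaped:` that follows each block still describes the old expectation, while the setting now intentionally carries its own script element, so it should say what is actually asserted. Since the preprocess hook now appends the stored value verbatim, one case that stores a value without `<script>` tags would also pin down what happens to legacy data that the update hook did not convert. The enclosing test methods start and end outside these hunks.
```php
  /**
   * Sets the confirmation type and the custom confirmation markup, then saves.
   */
  private function setConfirmationScript(string $confirmationType, string $html): void {
    $this->webform->setSetting('confirmation_type', $confirmationType);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', $html);
    $this->webform->save();
  }
```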
@@ -100,7 +100,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {
    $page = $this->getSession()->getPage();
    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_INLINE);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "alert('test');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>alert('test');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');
@@ -121,7 +121,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {
    $page = $this->getSession()->getPage();
    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_MESSAGE);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "alert('test');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>alert('test');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');
@@ -142,7 +142,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {
    $page = $this->getSession()->getPage();
    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_MODAL);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "alert('test');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>alert('test');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');
@@ -163,7 +163,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {
    $page = $this->getSession()->getPage();
    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_PAGE);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "alert('test');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>alert('test');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');
@@ -184,7 +184,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {
    $page = $this->getSession()->getPage();
    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_URL);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "alert('test');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>alert('test');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');
@@ -205,7 +205,7 @@ class WebformCtFunctionalJavascriptTest extends WebDriverTestBase {
    $page = $this->getSession()->getPage();
    // Set the webform settings with the alert:
    $this->webform->setSetting('confirmation_type', WebformInterface::CONFIRMATION_URL_MESSAGE);
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "alert('test');");
    $this->webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', "<script>alert('test');</script>");
    $this->webform->save();
    // Go to confirmation page and see if the script got escaped:
    $this->drupalGet('/webform/' . $this->webform->getOriginalId() . '/test');

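--- /dev/null
+++ b/webform_ct.install
@@ -0,0 +1,19 @@
+<?php
+
+/**
+ * @file
+ * Install, uninstall and update hooks for the webform_ct module.
+ */
+
+/**
+ * Update hook to add the script tags accordingly.
+ */
+function webform_ct_update_8001() {
+  $webforms = \Drupal::entityTypeManager()->getStorage('webform')->loadMultiple();
+  foreach ($webforms as $webform) {
+    $old_confirmation_custom_javascript = $webform->getThirdPartySetting('webform_ct', 'confirmation_custom_javascript');
+    $new_confirmation_custom_javascript = '<script>' . $old_confirmation_custom_javascript . '</script>';
+    $webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', $new_confirmation_custom_javascript);
+    $webform->save();
+  }
+}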
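Review bot: `webform_ct_update_8001()` wraps and saves every webform unconditionally, so a webform that never had custom JavaScript (the third-party setting comes back NULL) ends up with the literal value `<script></script>` stored, and a value that already carries its own tags would be double-wrapped if the hook ran over such data. Skip NULL/empty values and values that already contain a script element, and only call `save()` on webforms that actually changed. The docblock should also record what the migration does, e.g. `Wrap existing bare-JavaScript 'confirmation_custom_javascript' values in <script> tags, since the setting now stores HTML markup.`
```php
function webform_ct_update_8001() {
  $webforms = \Drupal::entityTypeManager()->getStorage('webform')->loadMultiple();
  foreach ($webforms as $webform) {
    $old_confirmation_custom_javascript = $webform->getThirdPartySetting('webform_ct', 'confirmation_custom_javascript');
    // Nothing to migrate, or the value is already stored as markup.
    if ($old_confirmation_custom_javascript === NULL
      || trim($old_confirmation_custom_javascript) === ''
      || stripos($old_confirmation_custom_javascript, '<script') !== FALSE) {
      continue;
    }
    $webform->setThirdPartySetting('webform_ct', 'confirmation_custom_javascript', '<script>' . $old_confirmation_custom_javascript . '</script>');
    $webform->save();
  }
}
```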
+4 −3
@@ -53,9 +53,10 @@ function webform_ct_form_webform_settings_confirmation_form_alter(&$form, FormSt
    '#type' => 'webform_codemirror',
    '#mode' => 'javascript',
    '#title' => t('Javascript Code'),
    '#description' => t('Enter javascript, you would like to run on the confirmation page, typically used for conversion tracking. Note: Do NOT use a "script" element!'),
    '#description' => t('Enter javascript, you would like to run on the confirmation page, typically used for conversion tracking. Note: Do NOT forget the "&lt;script&gt;" tags!'),
    '#access' => $user_has_permission,
    '#default_value' => $confirmation_custom_javascript,
    '#placeholder' => "<script>alert('example');</script>",
  ];
  $form['#validate'][] = '_webform_ct_form_validate';
}
@@ -80,7 +81,7 @@ function _webform_ct_form_validate(&$form, FormStateInterface $form_state) {
/**
 * Hooks into "webform-confirmation.html.twig" to inject javascript.
 *
 * Innject javascript into the message variable.
 * Inject javascript into the message variable.
 *
 * @param array $variables
 *   The form variables.
@@ -110,6 +111,6 @@ function webform_ct_preprocess_webform_confirmation(array &$variables) {
    // Now we add the dangerous script to allowed tags:
    $variables['message']['#allowed_tags'][] = 'script';
    // And add our script:
    $variables['message']['#markup'] .= '<script>' . $confirmation_custom_javascript . '</script>';
    $variables['message']['#markup'] .= $confirmation_custom_javascript;
  }
}
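Review bot: The line `$variables['message']['#markup'] .= $confirmation_custom_javascript;` now relies on the stored value already carrying its own `<script>` element, but nothing in this hunk checks that; if `_webform_ct_form_validate()` (outside the hunk) does not require a script element, a tag-less value is appended as inert text inside the confirmation message and the tracking code silently never runs. The comment `// And add our script:` should state the new contract, e.g. `// The setting is stored as HTML and must carry its own <script> element; it is appended to the admin-filtered markup with 'script' allowed above.` Because the setting is now markup rather than JavaScript, the `'#mode' => 'javascript'` on the codemirror element in the first hunk no longer matches the content; `'#mode' => 'html'` would be more accurate if the element supports it. `webform_ct_preprocess_webform_confirmation()` begins outside this hunk.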