Issue #2346209 by keopx, Zekvyrin, subhojit777, cburschka, pguillard, dimaro, realityloop, m4olivei, joelpittet, rteijeiro, idebr: /filter/tips improperly escaped

8.0.x
Alex Pott 2015-04-21 20:38:44 +01:00
parent 6b91f5242e
commit 0af67776dc
3 changed files with 27 additions and 4 deletions


@ -469,6 +469,7 @@ function template_preprocess_filter_tips(&$variables) {
foreach ($variables['tips'] as $name => $tiplist) {
foreach ($tiplist as $tip_key => $tip) {
$tiplist[$tip_key]['attributes'] = new Attribute();
$tiplist[$tip_key]['tip'] = Xss::filterAdmin($tiplist[$tip_key]['tip']);
}
$variables['tips'][$name] = array(


@ -144,8 +144,8 @@ class FilterHtml extends FilterBase {
if (!empty($tips[$tag])) {
$rows[] = array(
array('data' => $tips[$tag][0], 'class' => array('description')),
array('data' => '<code>' . SafeMarkup::checkPlain($tips[$tag][1]) . '</code>', 'class' => array('type')),
array('data' => $tips[$tag][1], 'class' => array('get'))
array('data' => SafeMarkup::format('<code>@var</code>', array('@var' => $tips[$tag][1])), 'class' => array('type')),
array('data' => SafeMarkup::format($tips[$tag][1]), 'class' => array('get'))
);
}
else {
@ -175,8 +175,8 @@ class FilterHtml extends FilterBase {
foreach ($entities as $entity) {
$rows[] = array(
array('data' => $entity[0], 'class' => array('description')),
array('data' => '<code>' . SafeMarkup::checkPlain($entity[1]) . '</code>', 'class' => array('type')),
array('data' => $entity[1], 'class' => array('get'))
array('data' => SafeMarkup::format('<code>@var</code>', array('@var' => $entity[1])), 'class' => array('type')),
array('data' => SafeMarkup::format($entity[1]), 'class' => array('get'))
);
}
$table = array(
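Review bot: `SafeMarkup::format($tips[$tag][1])` and `SafeMarkup::format($entity[1])` in the two `get` rows are called with no placeholders, so their only effect is presumably to mark the literal as safe markup; without a comment the missing argument list reads like an accidental omission rather than intent. A one-line comment on each such as `// No placeholders: this markup is a hard-coded literal, it is only marked safe.` would record why the value is not escaped; the same point applies to both hunks in this file. This is only sound as long as those values stay hard-coded in this class (they appear to come from arrays built above the hunks); if any were ever sourced from configuration or user input, marking them safe without escaping would reintroduce the issue this commit fixes. The enclosing method starts before and ends after both hunks.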


@ -361,4 +361,26 @@ class FilterAdminTest extends WebTestBase {
$this->assertNoRaw(t('The text format %format has been updated.', array('%format' => 'Basic HTML')));
}
/**
* Tests whether filter tips page is not HTML escaped.
*/
function testFilterTipHtmlEscape() {
$this->drupalLogin($this->adminUser);
global $base_url;
// It is not possible to test the whole filter tip page.
// Therefore we test only some parts.
$link = '<a href="' . $base_url . '">' . SafeMarkup::checkPlain(\Drupal::config('system.site')->get('name')) . '</a>';
$ampersand = '&amp;';
$link_as_code = '<code>' . $link . '</code>';
$ampersand_as_code = '<code>' . $ampersand . '</code>';
$this->drupalGet('filter/tips');
$this->assertRaw('<td class="type">' . $link_as_code . '</td>');
$this->assertRaw('<td class="get">' . $link . '</td>');
$this->assertRaw('<td class="type">' . $ampersand_as_code . '</td>');
$this->assertRaw('<td class="get">' . $ampersand . '</td>');
}
}
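Review bot: The `$link` assertions in `testFilterTipHtmlEscape` only detect double escaping if the configured site name contains a character that `SafeMarkup::checkPlain()` changes; unless the test site's name happens to include one, the expected string is the same whether the page escapes once or twice, and only the `&amp;` rows actually exercise the fix. Setting a name with markup characters before the request, e.g. `\Drupal::configFactory()->getEditable('system.site')->set('name', 'Site & <tips>')->save();` ahead of `$this->drupalGet('filter/tips')`, would make the link rows a real check. The docblock would also be clearer about what is verified: `Tests that the filter tips page is not double HTML escaped.` The class ends at the closing brace in the hunk; its other methods lie outside it.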