Issue #2512106 by cilefen, droplet, alexpott: Inline templates are XSS filtered incorrectly

8.0.x
Nathaniel Catchpole 2015-07-20 13:04:14 +01:00
parent 484b071dd4
commit 0f9ebb2a3c
3 changed files with 10 additions and 3 deletions


@ -7,6 +7,7 @@
namespace Drupal\Core\Template;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\PhpStorage\PhpStorageFactory;
/**
@ -201,7 +202,9 @@ class TwigEnvironment extends \Twig_Environment {
public function renderInline($template_string, array $context = array()) {
// Prefix all inline templates with a special comment.
$template_string = '{# inline_template_start #}' . $template_string;
return $this->loadTemplate($template_string, NULL)->render($context);
// @todo replace with object implementating SafeStringInterface in
// https://www.drupal.org/node/2506581.
return SafeMarkup::set($this->loadTemplate($template_string, NULL)->render($context));
}
}
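Review bot: The new return at the end of `renderInline()` wraps the rendered output in `SafeMarkup::set()`, which marks the whole string as safe so nothing downstream escapes it again; that is only sound because Twig autoescaping has already escaped the `$context` values, while `$template_string` itself is emitted as-is. The method's contract should therefore be documented (its docblock, if any, sits above the hunk): `@param string $template_string A trusted, developer-authored Twig template; it is executed as template code and must never be built from user input.` and `@return string The rendered markup, already marked safe via SafeMarkup::set().` The added `@todo` also misspells "implementating" (should be "implementing").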


@ -57,6 +57,10 @@ class UninstallTest extends WebTestBase {
$this->drupalGet('admin/modules/uninstall');
$this->assertTitle(t('Uninstall') . ' | Drupal');
// Be sure labels are rendered properly.
// @see regression https://www.drupal.org/node/2512106
$this->assertRaw('<label for="edit-uninstall-node" class="module-name table-filter-text-source">Node</label>');
$this->assertText(\Drupal::translation()->translate('The following reason prevents Node from being uninstalled:'));
$this->assertText(\Drupal::translation()->translate('There is content for the entity type: Content'));
// Delete the node to allow node to be uninstalled.
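Review bot: The comment `// Be sure labels are rendered properly.` above the new `assertRaw()` does not say what "properly" means, so a reader cannot tell which regression the exact markup string guards against without following the link. Given the issue title, the assertion appears to check that the label's inline-template markup reaches the page as HTML rather than as escaped text; say so, e.g. `// Module labels are built from inline templates; ensure the <label> markup is rendered as HTML, not escaped (regression test for #2512106).` The enclosing test method begins above this hunk.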


@ -41,10 +41,10 @@ class TwigEnvironmentTest extends KernelTestBase {
$unsafe_string = '<script>alert(\'Danger! High voltage!\');</script>';
$element['test'] = array(
'#type' => 'inline_template',
'#template' => 'test-with-context {{ unsafe_content }}',
'#template' => 'test-with-context <label>{{ unsafe_content }}</label>',
'#context' => array('unsafe_content' => $unsafe_string),
);
$this->assertEqual($renderer->renderRoot($element), 'test-with-context ' . SafeMarkup::checkPlain($unsafe_string));
$this->assertEqual($renderer->renderRoot($element), 'test-with-context <label>' . SafeMarkup::checkPlain($unsafe_string) . '</label>');
// Enable twig_auto_reload and twig_debug.
$settings = Settings::getAll();
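Review bot: The expected value on the last changed line is assembled with `SafeMarkup::checkPlain($unsafe_string)`, the same escaping helper the production path relies on, so the assertion cannot detect a regression in which that helper (or its use) stops escaping. A test whose purpose is XSS filtering should pin the literal escaped output, e.g. assert that the result contains `<label>&lt;script&gt;` and `&lt;/script&gt;</label>` and does not contain `<script>`. The enclosing test method begins above this hunk.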