Issue #2459339 by hgoto, dagmar, klausi, kporras07, David_Rothstein, Fabianx: Log messages should be XSS filtered on display

2016-09-29 17:34:38 +01:00 · 2016-09-29 17:34:38 +01:00 · 27e42bdd67
parent 782dab135b
commit 27e42bdd67
2 changed files with 36 additions and 1 deletions
--- a/modules/dblog/dblog.admin.inc
+++ b/modules/dblog/dblog.admin.inc
@ -294,11 +294,18 @@ function theme_dblog_message($variables) {
    else {
      $output = t($event->message, unserialize($event->variables));
    }
+    // If the output is expected to be a link, strip all the tags and
+    // special characters by using filter_xss() without any allowed tags.
+    // If not, use filter_xss_admin() to allow some tags.
    if ($variables['link'] && isset($event->wid)) {
-      // Truncate message to 56 chars.
+      // Truncate message to 56 chars after stripping all the tags.
      $output = truncate_utf8(filter_xss($output, array()), 56, TRUE, TRUE);
      $output = l($output, 'admin/reports/event/' . $event->wid, array('html' => TRUE));
    }
+    else {
+      // Prevent XSS in log detail pages.
+      $output = filter_xss_admin($output);
+    }
  }
  return $output;
 }
--- a/modules/dblog/dblog.test
+++ b/modules/dblog/dblog.test
@ -665,4 +665,32 @@ class DBLogTestCase extends DrupalWebTestCase {
    // Document Object Model (DOM).
    $this->assertLink(html_entity_decode($message_text), 0, $message);
  }
+
+  /**
+   * Make sure HTML tags are filtered out in the log detail page.
+   */
+  public function testLogMessageSanitized() {
+    $this->drupalLogin($this->big_user);
+
+    // Make sure dangerous HTML tags are filtered out in log detail page.
+    $log = array(
+      'uid' => 0,
+      'type' => 'custom',
+      'message' => "<script>alert('foo');</script> <strong>Lorem ipsum</strong>",
+      'variables' => NULL,
+      'severity' => WATCHDOG_NOTICE,
+      'link' => 'foo/bar',
+      'request_uri' => 'http://example.com?dblog=1',
+      'referer' => 'http://example.org?dblog=2',
+      'ip' => '0.0.1.0',
+      'timestamp' => REQUEST_TIME,
+    );
+    dblog_watchdog($log);
+
+    $wid = db_query('SELECT MAX(wid) FROM {watchdog}')->fetchField();
+    $this->drupalGet('admin/reports/event/' . $wid);
+    $this->assertResponse(200);
+    $this->assertNoRaw("<script>alert('foo');</script>");
+    $this->assertRaw("alert('foo'); <strong>Lorem ipsum</strong>");
+  }
 }