Issue #2501701 by akalata, pwolanin, lauriii, GreenSkunk, cdulude, joelpittet, Cottser: Remove SafeMarkup::set in template_preprocess_color_scheme_form()

2015-07-06 12:07:27 +01:00 · 2015-07-06 12:07:27 +01:00 · 9165b68c28
parent 85de42c975
commit 9165b68c28
4 changed files with 73 additions and 1 deletions
--- a/core/modules/color/color.module
+++ b/core/modules/color/color.module
@ -284,7 +284,7 @@ function template_preprocess_color_scheme_form(&$variables) {

  // Attempt to load preview HTML if the theme provides it.
  $preview_html_path = \Drupal::root() . '/' . (isset($info['preview_html']) ? drupal_get_path('theme', $theme) . '/' . $info['preview_html'] : drupal_get_path('module', 'color') . '/preview.html');
-  $variables['html_preview'] = SafeMarkup::set(file_get_contents($preview_html_path));
+  $variables['html_preview']['#markup'] = file_get_contents($preview_html_path);
 }

 /**
--- a/core/modules/color/src/Tests/ColorSafePreviewTest.php
+++ b/core/modules/color/src/Tests/ColorSafePreviewTest.php
@ -0,0 +1,63 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\color\Tests\ColorSafePreviewTest.
+ */
+
+namespace Drupal\color\Tests;
+
+use Drupal\Core\Url;
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests sanitizing color preview loaded from theme.
+ *
+ * @group Theme
+ */
+class ColorSafePreviewTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var string[]
+   */
+  public static $modules = ['color', 'color_test'];
+
+  /**
+   * A user with administrative permissions.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $bigUser;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    // Create user.
+    $this->bigUser = $this->drupalCreateUser(['administer themes']);
+  }
+
+  /**
+   * Ensures color preview.html is sanitized.
+   */
+  function testColorPreview() {
+    // Install the color test theme.
+    \Drupal::service('theme_handler')->install(['color_test_theme']);
+    $this->drupalLogin($this->bigUser);
+
+    // Markup is being printed from a HTML file located in:
+    // core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html
+    $url = Url::fromRoute('system.theme_settings_theme', ['theme' => 'color_test_theme']);
+    $this->drupalGet($url);
+    $this->assertText('TEST COLOR PREVIEW');
+
+    $this->assertNoRaw('<script>alert("security filter test");</script>');
+    $this->assertRaw('<h2>TEST COLOR PREVIEW</h2>');
+  }
+
+
+}
--- a/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/color.inc
+++ b/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/color.inc
@ -29,4 +29,5 @@ $info = array(
  'css' => array(
    'css/colors.css',
  ),
+  'preview_html' => 'color/preview.html',
 );
--- a/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html
+++ b/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html
@ -0,0 +1,8 @@
+<div class="color-preview">
+  <div id="text">
+    <h2>TEST COLOR PREVIEW</h2>
+    <p>Sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud <a href="#">exercitation ullamco</a> laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.</p>
+  </div>
+  <div id="img"></div>
+</div>
+<script>alert("security filter test");</script>