Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2780285 by alexpott, th_tushar, mpdonadio: XSS in date format configuration

merge-requests/55/head
Lee Rowlands 2019-08-09 07:23:18 +10:00
parent b4192ba2eb
commit c4a7d0c605
No known key found for this signature in database
GPG Key ID: 2B829A3DF9204DC4
3 changed files with 65 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/modules/system/js/system.date.es6.js
View File

@ -43,7 +43,7 @@
(key, value) => (dateFormats[key] ? dateFormats[key] : value), (key, value) => (dateFormats[key] ? dateFormats[key] : value),
); );
$preview.html(dateString); $preview.text(dateString);
$target.toggleClass('js-hide', !dateString.length); $target.toggleClass('js-hide', !dateString.length);
} }

2
core/modules/system/js/system.date.js
View File

@ -25,7 +25,7 @@
return dateFormats[key] ? dateFormats[key] : value; return dateFormats[key] ? dateFormats[key] : value;
}); });
$preview.html(dateString); $preview.text(dateString);
$target.toggleClass('js-hide', !dateString.length); $target.toggleClass('js-hide', !dateString.length);
} }

63
core/modules/system/tests/src/FunctionalJavascript/System/DateFormatTest.php Normal file
View File

@ -0,0 +1,63 @@
<?php
namespace Drupal\Tests\system\FunctionalJavascript\System;
use Drupal\Core\Datetime\Entity\DateFormat;
use Drupal\FunctionalJavascriptTests\WebDriverTestBase;
/**
* Tests that date formats UI with JavaScript enabled.
*
* @group system
*/
class DateFormatTest extends WebDriverTestBase {
/**
* {@inheritdoc}
*/
protected static $modules = ['block'];
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
// Create admin user and log in admin user.
$this->drupalLogin($this->drupalCreateUser(['administer site configuration']));
$this->drupalPlaceBlock('local_actions_block');
}
/**
* Tests XSS via date format configuration.
*/
public function testDateFormatXss() {
$page = $this->getSession()->getPage();
$assert = $this->assertSession();
$date_format = DateFormat::create([
'id' => 'xss_short',
'label' => 'XSS format',
'pattern' => '\<\s\c\r\i\p\t\>\a\l\e\r\t\(\"\X\S\S\")\;\<\/\s\c\r\i\p\t\>',
]);
$date_format->save();
$this->drupalGet('admin/config/regional/date-time');
$assert->assertEscaped('<script>alert("XSS");</script>', 'The date format was properly escaped');
$this->drupalGet('admin/config/regional/date-time/formats/manage/xss_short');
$assert->assertEscaped('<script>alert("XSS");</script>', 'The date format was properly escaped');
// Add a new date format with HTML in it.
$this->drupalGet('admin/config/regional/date-time/formats/add');
$date_format = '& \<\e\m\>Y\<\/\e\m\>';
$page->fillField('date_format_pattern', $date_format);
$assert->waitForText('Displayed as');
$assert->assertEscaped('<em>' . date("Y") . '</em>');
$page->fillField('label', 'date_html_pattern');
// Wait for the machine name ID to be completed.
$assert->waitForLink('Edit');
$page->pressButton('Add format');
$assert->pageTextContains('Custom date format added.');
$assert->assertEscaped('<em>' . date("Y") . '</em>');
}
}