diff --git a/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php b/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php
index 3777fb67885..380990e1cb1 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php
@@ -47,15 +47,13 @@ class UserAutocompleteTest extends WebTestBase {
 // Using first letter of the user's name, make sure the user's full name is in the results.
 $this->assertRaw($this->unprivileged_user->name, 'User name found in autocompletion results.');
- // Test that anonymous username is in the result.
- $anonymous_name = $this->randomString();
+ $anonymous_name = $this->randomString() . '';
 config('user.settings')->set('anonymous', $anonymous_name)->save();
- $this->drupalGet('user/autocomplete', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4), 'anonymous' => '1')));
- // Encode the anonymous name in the same way as JsonResponse does.
- // @see \Symfony\Component\HttpFoundation\JsonResponse::setData()
- $anonymous_name_safe = json_encode($anonymous_name, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
- $this->assertRaw($anonymous_name_safe, 'The anonymous name found in autocompletion results.');
- $this->drupalGet('user/autocomplete', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4))));
- $this->assertNoRaw($anonymous_name_safe, 'The anonymous name not found in autocompletion results without enabling anonymous username.');
+ // Test that anonymous username is in the result when requested and escaped
+ // with check_plain().
+ $users = $this->drupalGetAjax('user/autocomplete/anonymous', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4))));
+ $this->assertTrue(in_array(check_plain($anonymous_name), $users), 'The anonymous name found in autocompletion results.');
+ $users = $this->drupalGetAjax('user/autocomplete', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4))));
+ $this->assertFalse(isset($users[$anonymous_name]), 'The anonymous name not found in autocompletion results without enabling anonymous username.');
 }
 }
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 7eb634aa959..55314bbee14 100644
--- a/core/modules/user/user.module
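Review bot: In UserAutocompleteTest, the added line `$anonymous_name = $this->randomString() . '';` appends an empty string as displayed, so the escaping assertion only proves something when randomString() happens to emit a character that check_plain() rewrites. If a markup literal was lost when this page was rendered, disregard this; otherwise append a fixed suffix containing `<`, `>`, `&` and a quote so the test fails deterministically whenever the escaping is dropped. The positive check matches on the value with a non-strict `in_array()` while the negative check matches on the key with `isset($users[$anonymous_name])`; asserting on the same key in both cases would pin that the raw name is the key and the escaped name is the value. The test method starts outside this hunk.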
+++ b/core/modules/user/user.module
@@ -917,6 +917,15 @@ function user_menu() {
 'file' => 'user.pages.inc',
 );
+ $items['user/autocomplete/anonymous'] = array(
+ 'title' => 'User autocomplete including anonymous',
+ 'page callback' => 'user_autocomplete',
+ 'page arguments' => array(TRUE),
+ 'access callback' => 'user_access',
+ 'access arguments' => array('access user profiles'),
+ 'type' => MENU_CALLBACK,
+ 'file' => 'user.pages.inc',
+ );
 // Registration and login pages.
 $items['user'] = array(
 'title' => 'User account',
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index 1820f3aa7e1..5a872ab2f65 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
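Review bot: The new `user/autocomplete/anonymous` item in user_menu() carries no comment saying how it differs from `user/autocomplete`, and nothing in the visible diff updates callers that still send `?anonymous=1`. Because user_autocomplete() stops reading that query parameter in this commit, any form element left on the old URL would silently lose the anonymous suggestion; the callers are not shown here, so this needs checking rather than assuming. A one-line comment above the item, such as `// Same callback as user/autocomplete, but passes $include_anonymous = TRUE.`, would make the intent clear. user_menu() starts and ends outside the hunk.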
@@ -15,26 +15,24 @@ use Symfony\Component\HttpKernel\HttpKernelInterface;
 * Menu callback for user autocompletion.
 *
 * Like other autocomplete functions, this function inspects the 'q' query
- * parameter for the string to use to search for suggestions. If the name used
- * to indicate anonymous users (e.g. "Anonymous") is to be included as a
- * possible suggestion, the 'anonymous' query parameter should be set
- * additionally. For example, http://example.com/user/autocomplete?q=An might
- * return "Andrew" and "Anne", while
- * http://example.com/user/autocomplete?q=An&anonymous=1 will additionally
- * return "Anonymous".
+ * parameter for the string to use to search for suggestions.
+ *
+ * @param bool $include_anonymous
+ * (optional) TRUE if the the name used to indicate anonymous users (e.g.
+ * "Anonymous") should be autocompleted. Defaults to FALSE.
 *
 * @return \Symfony\Component\HttpFoundation\JsonResponse
 * A JSON response containing the autocomplete suggestions for existing users.
 */
-function user_autocomplete() {
+function user_autocomplete($include_anonymous = FALSE) {
 $matches = array();
 $query = drupal_container()->get('request')->query;
 if ($string = $query->get('q')) {
- if ($query->get('anonymous')) {
+ if ($include_anonymous) {
 $anonymous_name = config('user.settings')->get('anonymous');
 // Allow autocompletion for the anonymous user.
 if (stripos($anonymous_name, $string) !== FALSE) {
- $matches[$anonymous_name] = $anonymous_name;
+ $matches[$anonymous_name] = check_plain($anonymous_name);
 }
 }
 $result = db_select('users')->fields('users', array('name'))->condition('name', db_like($string) . '%', 'LIKE')->range(0, 10)->execute();
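Review bot: In user_autocomplete(), the added `check_plain($anonymous_name)` escapes only the array value while the key `$matches[$anonymous_name]` stays raw, and no comment says this asymmetry is intended. A comment such as `// Key is the raw name; only the displayed value is escaped for HTML output.` would keep a later cleanup from escaping both or neither, though how the widget consumes keys and values is not visible here and should be confirmed. The anonymous name is matched with `stripos()` anywhere in the string, whereas the user query in the last context line is a prefix match (`db_like($string) . '%'`), so the two sources behave differently for the same input. The new `@param` text also has a doubled word ("the the name"). The function body continues past the end of the hunk.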