-rw-r--r-- | modules/filter/filter.pages.inc | 2 | ||||
-rw-r--r-- | modules/filter/filter.test | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/modules/filter/filter.pages.inc b/modules/filter/filter.pages.inc
index 50f81177f..e602bcef0 100644
--- a/modules/filter/filter.pages.inc
+++ b/modules/filter/filter.pages.inc
@@ -68,7 +68,7 @@ function theme_filter_tips($variables) {
   foreach ($tips as $name => $tiplist) {
     if ($multiple) {
       $output .= '<div class="filter-type filter-' . drupal_html_class($name) . '">';
-      $output .= '<h3>' . $name . '</h3>';
+      $output .= '<h3>' . check_plain($name) . '</h3>';
     }
     if (count($tiplist) > 0) {
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index cc0295b59..fe9cfc366 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -70,6 +70,15 @@ class FilterCRUDTestCase extends DrupalWebTestCase {
     $this->assertFalse($db_format->status, 'Database: Disabled text format is marked as disabled.');
     $formats = filter_formats();
     $this->assertTrue(!isset($formats[$format->format]), 'filter_formats: Disabled text format no longer exists.');
+
+    // Add a new format to check for Xss in format name.
+    $format = new stdClass();
+    $format->format = 'xss_format';
+    $format->name = '<script>alert(123)</script>';
+    filter_format_save($format);
+    user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(filter_permission_name($format) => 1));
+    $this->drupalGet('filter/tips');
+    $this->assertNoRaw($format->name, 'Text format name contains no xss.');
   }
 
   /**
|
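Review bot: The escaping fix on the heading line should carry a comment recording why it is there, otherwise the next edit to this theme function will not know `$name` is administrator-entered data rather than a machine name; a one-liner above the `<h3>` line such as `// Format names are configured by administrators and are not HTML-safe; escape in HTML context.` is enough. The preceding class attribute still emits `$name` unescaped, but drupal_html_class() reduces its input to a CSS-identifier character set, so `"`, `<` and `>` cannot reach the attribute and the heading was the only gap visible here. The hunk header reports seven old lines while only six are legible in this rendering, and theme_filter_tips() continues outside the hunk, so any later uses of `$name` or of the tip text in that function are not reviewed here.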
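Review bot: The new assertion at the end of the hunk passes vacuously if the format heading is never rendered at all — for example if the request is not made as an anonymous user, or if the tips page does not reach the `$multiple` branch that prints the `<h3>` — so it does not prove the escaping is in place. Pair it with a positive check that the escaped name is actually on the page, `$this->assertRaw(check_plain($format->name), 'Text format name is escaped on the tips page.');`, so a regression in rendering cannot mask a regression in escaping. The comment and message would also read better with the conventional spelling, `// Add a new format to check for XSS in the format name.`. The enclosing test method starts outside the hunk, so whether an earlier drupalLogin() affects the session for drupalGet() cannot be confirmed from here.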