author | Dries Buytaert <dries@buytaert.net> | 2010-06-28 20:27:34 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2010-06-28 20:27:34 +0000 |
commit | 8ce1c80cc72c23d818d6540dfbf8b3501eb6ebb3 (patch) | |
tree | 976b95710566f3475e916443d95eedbbf4a1b8e3 | |
parent | 267ebfb7b61bd6a440e50649ebf6e3c1d36c9f84 (diff) | |
- Patch #829484 by Berdir, Dave Reid, dereine: uncaught PDO Exception - XSS.
-rw-r--r-- | includes/errors.inc | 2 | ||||
-rw-r--r-- | modules/simpletest/tests/system_test.module | 6 | ||||
-rw-r--r-- | modules/system/system.test | 4 |
3 files changed, 11 insertions, 1 deletions
diff --git a/includes/errors.inc b/includes/errors.inc
index 96bf8fdb2..990f60cfd 100644
--- a/includes/errors.inc
+++ b/includes/errors.inc
@@ -135,7 +135,7 @@ function _drupal_decode_exception($exception) {
  * An error message.
  */
 function _drupal_render_exception_safe($exception) {
-  return strtr('%type: %message in %function (line %line of %file).', _drupal_decode_exception($exception));
+  return check_plain(strtr('%type: %message in %function (line %line of %file).', _drupal_decode_exception($exception)));
 }
 
 /**
diff --git a/modules/simpletest/tests/system_test.module b/modules/simpletest/tests/system_test.module
index b902fd6ca..1209015fb 100644
--- a/modules/simpletest/tests/system_test.module
+++ b/modules/simpletest/tests/system_test.module
@@ -303,5 +303,11 @@ function _system_test_second_shutdown_function($arg1, $arg2) {
   // Output something, page has already been printed and the session stored
   // so we can't use drupal_set_message.
   print t('Second shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2));
+
+  // Throw an exception with an HTML tag. Since this is called in a shutdown
+  // function, it will not bubble up to the default exception handler but will
+  // be catched in _drupal_shutdown_function() and be displayed through
+  // _drupal_render_exception_safe().
+  throw new Exception('Drupal is <blink>awesome</blink>.');
 }
 
diff --git a/modules/system/system.test b/modules/system/system.test
index b2da62566..c97c50914 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
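Review bot: The `@return` description two lines above the changed line, ` * An error message.`, no longer matches the result: the function now returns HTML-escaped text, so a caller that emits it outside an HTML context (CLI output, a plain-text log) will see `&lt;`/`&gt;` entities instead of the original characters. I would change that line to ` *   An HTML-safe error message; every field is passed through check_plain(), so it must only be printed into an HTML context.` so the contract is explicit at the one place callers look. One caveat worth a comment on the new line: check_plain() is an htmlspecialchars() wrapper, and on PHP builds that reject invalid UTF-8 that call returns an empty string, so an exception whose message carries undecodable bytes (a database-driver error, for instance) would render as a blank line rather than an escaped one — if that matters here, validating or sanitizing the UTF-8 before escaping is the usual fix. The function's docblock starts outside the hunk.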
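Review bot: The new comment on the `throw` reads `be catched in _drupal_shutdown_function()`; the word is "caught", and since this comment is the only justification for throwing from a shutdown function it should also say that the catch lives outside this change. I would write `// be caught in _drupal_shutdown_function() (not part of this change) and be displayed through`. As written the fixture only exercises escaping if the shutdown handler's try/catch and error display stay as they are, which this diff does not show, so a later change there would weaken the test without any failure here. The enclosing function starts outside the hunk.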
@@ -1818,6 +1818,10 @@ class ShutdownFunctionsTest extends DrupalWebTestCase {
     $this->drupalGet('system-test/shutdown-functions/' . $arg1 . '/' . $arg2);
     $this->assertText(t('First shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2)));
     $this->assertText(t('Second shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2)));
+
+    // Make sure exceptions displayed through _drupal_render_exception_safe()
+    // are correctly escaped.
+    $this->assertText('Drupal is <blink>awesome</blink>.');
   }
 }
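Review bot: `$this->assertText('Drupal is <blink>awesome</blink>.')` does not by itself prove the tag was escaped: depending on how assertText() normalizes the page body before matching (tag stripping, entity decoding — not visible in this diff) it can pass on escaped output, on raw `<blink>` markup, or on neither, so the assertion is not tied to the XSS fix it is meant to guard. Assert the escaped bytes and the absence of the raw tag directly: `$this->assertRaw('Drupal is &lt;blink&gt;awesome&lt;/blink&gt;.');` followed by `$this->assertNoRaw('<blink>awesome</blink>');`. That pins the behaviour of check_plain() in _drupal_render_exception_safe() independently of the helper's text normalization. The enclosing test method starts outside the hunk.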