authorDavid Rothstein <drothstein@gmail.com>2014-11-04 01:59:32 -0500
committerDavid Rothstein <drothstein@gmail.com>2014-11-04 01:59:32 -0500
commitd6c502926e1286e22771c58e01db386ba80d6480 (patch)
treea93296647dd631a518ddb8fd4ca09d7cc5ba3b52 /modules
parentc8a26f2d06a54b80a491d658c437846251d0d5e6 (diff)
downloadbrdo-d6c502926e1286e22771c58e01db386ba80d6480.tar.gz
brdo-d6c502926e1286e22771c58e01db386ba80d6480.tar.bz2
Issue #779374 by helmo, joshi.rohit100, meba, sun | coltrane: Fixed XSS via text format names.
Diffstat (limited to 'modules')
-rw-r--r--modules/filter/filter.pages.inc2
-rw-r--r--modules/filter/filter.test9
2 files changed, 10 insertions, 1 deletions
diff --git a/modules/filter/filter.pages.inc b/modules/filter/filter.pages.inc
index 50f81177f..e602bcef0 100644
--- a/modules/filter/filter.pages.inc
+++ b/modules/filter/filter.pages.inc
@@ -68,7 +68,7 @@ function theme_filter_tips($variables) {
foreach ($tips as $name => $tiplist) {
if ($multiple) {
$output .= '<div class="filter-type filter-' . drupal_html_class($name) . '">';
- $output .= '<h3>' . $name . '</h3>';
+ $output .= '<h3>' . check_plain($name) . '</h3>';
}
if (count($tiplist) > 0) {
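Review bot: The `check_plain()` added on the `<h3>` line carries no comment saying why the key of `$tips` must be escaped, and since `$name` is an administrator-entered text format name (the commit title says as much), a why-comment would stop a later refactor from quietly dropping the escape: `// Format names are user-supplied; escape them before rendering as text.`. The preceding line feeds the same value into a class attribute through `drupal_html_class($name)`, which appears safe because that helper strips characters outside its identifier set, but that is worth confirming rather than assuming. theme_filter_tips() starts before and continues after this hunk, so any other place the function prints `$name` lies outside the lines shown.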
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index cc0295b59..fe9cfc366 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -70,6 +70,15 @@ class FilterCRUDTestCase extends DrupalWebTestCase {
$this->assertFalse($db_format->status, 'Database: Disabled text format is marked as disabled.');
$formats = filter_formats();
$this->assertTrue(!isset($formats[$format->format]), 'filter_formats: Disabled text format no longer exists.');
+
+ // Add a new format to check for Xss in format name.
+ $format = new stdClass();
+ $format->format = 'xss_format';
+ $format->name = '<script>alert(123)</script>';
+ filter_format_save($format);
+ user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(filter_permission_name($format) => 1));
+ $this->drupalGet('filter/tips');
+ $this->assertNoRaw($format->name, 'Text format name contains no xss.');
}
/**
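Review bot: `assertNoRaw($format->name, ...)` on the last added line only proves the raw script tag is absent, which would also hold if the new format were never rendered on `filter/tips` at all (no access, format not listed, tips page changed), so the test keeps passing after a regression that hides the heading rather than escapes it. Pair it with a positive check that the escaped name is what reaches the page: `$this->assertRaw(check_plain($format->name), 'Text format name is displayed escaped.');`. The comment `// Add a new format to check for Xss in format name.` would read better as `// Add a new format to check for XSS in the format name.`. The enclosing test method starts before this hunk, and `$format` is reassigned here after the earlier lines used it for the disabled format, which works but a distinct variable name would make the two fixtures easier to tell apart.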