diff options
author | David Rothstein <drothstein@gmail.com> | 2014-11-04 01:59:32 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2014-11-04 01:59:32 -0500 |
commit | d6c502926e1286e22771c58e01db386ba80d6480 (patch) | |
tree | a93296647dd631a518ddb8fd4ca09d7cc5ba3b52 /modules | |
parent | c8a26f2d06a54b80a491d658c437846251d0d5e6 (diff) | |
download | brdo-d6c502926e1286e22771c58e01db386ba80d6480.tar.gz brdo-d6c502926e1286e22771c58e01db386ba80d6480.tar.bz2 |
Issue #779374 by helmo, joshi.rohit100, meba, sun | coltrane: Fixed XSS via text format names.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/filter/filter.pages.inc | 2 | ||||
-rw-r--r-- | modules/filter/filter.test | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/modules/filter/filter.pages.inc b/modules/filter/filter.pages.inc index 50f81177f..e602bcef0 100644 --- a/modules/filter/filter.pages.inc +++ b/modules/filter/filter.pages.inc @@ -68,7 +68,7 @@ function theme_filter_tips($variables) { foreach ($tips as $name => $tiplist) { if ($multiple) { $output .= '<div class="filter-type filter-' . drupal_html_class($name) . '">'; - $output .= '<h3>' . $name . '</h3>'; + $output .= '<h3>' . check_plain($name) . '</h3>'; } if (count($tiplist) > 0) { diff --git a/modules/filter/filter.test b/modules/filter/filter.test index cc0295b59..fe9cfc366 100644 --- a/modules/filter/filter.test +++ b/modules/filter/filter.test @@ -70,6 +70,15 @@ class FilterCRUDTestCase extends DrupalWebTestCase { $this->assertFalse($db_format->status, 'Database: Disabled text format is marked as disabled.'); $formats = filter_formats(); $this->assertTrue(!isset($formats[$format->format]), 'filter_formats: Disabled text format no longer exists.'); + + // Add a new format to check for Xss in format name. + $format = new stdClass(); + $format->format = 'xss_format'; + $format->name = '<script>alert(123)</script>'; + filter_format_save($format); + user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(filter_permission_name($format) => 1)); + $this->drupalGet('filter/tips'); + $this->assertNoRaw($format->name, 'Text format name contains no xss.'); } /** |