From 8ce1c80cc72c23d818d6540dfbf8b3501eb6ebb3 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Mon, 28 Jun 2010 20:27:34 +0000
Subject: - Patch #829484 by Berdir, Dave Reid, dereine: uncaught PDO Exception - XSS.

---
 modules/simpletest/tests/system_test.module | 6 ++++++
 modules/system/system.test | 4 ++++
 2 files changed, 10 insertions(+)
(limited to 'modules')

diff --git a/modules/simpletest/tests/system_test.module b/modules/simpletest/tests/system_test.module
index b902fd6ca..1209015fb 100644
--- a/modules/simpletest/tests/system_test.module
+++ b/modules/simpletest/tests/system_test.module
@@ -303,5 +303,11 @@ function _system_test_second_shutdown_function($arg1, $arg2) {
   // Output something, page has already been printed and the session stored
   // so we can't use drupal_set_message.
   print t('Second shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2));
+
+  // Throw an exception with an HTML tag. Since this is called in a shutdown
+  // function, it will not bubble up to the default exception handler but will
+  // be catched in _drupal_shutdown_function() and be displayed through
+  // _drupal_render_exception_safe().
+  throw new Exception('Drupal is awesome.');
 }
diff --git a/modules/system/system.test b/modules/system/system.test
index b2da62566..c97c50914 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
@@ -1818,6 +1818,10 @@ class ShutdownFunctionsTest extends DrupalWebTestCase {
     $this->drupalGet('system-test/shutdown-functions/' . $arg1 . '/' . $arg2);
     $this->assertText(t('First shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2)));
     $this->assertText(t('Second shutdown function, arg1 : @arg1, arg2: @arg2', array('@arg1' => $arg1, '@arg2' => $arg2)));
+
+    // Make sure exceptions displayed through _drupal_render_exception_safe()
+    // are correctly escaped.
+    $this->assertText('Drupal is <blink>awesome</blink>.');
   }
 }
-- 
cgit v1.2.3
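Review bot: The message literal in the added `throw` line reads `'Drupal is awesome.'` with no markup, yet the comment directly above says the exception carries an HTML tag and the system.test hunk in this same commit asserts on `Drupal is <blink>awesome</blink>.`; either this page's rendering dropped the tag or the fixture and the assertion disagree, so the line should be confirmed to read `throw new Exception('Drupal is <blink>awesome</blink>.');`. The new comment also has a typo: `be catched in _drupal_shutdown_function()` should read `be caught in _drupal_shutdown_function()`. The signature of _system_test_second_shutdown_function appears only in the hunk header, so the function starts outside the hunk.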
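Review bot: The new `assertText` call does not pin the escaping this test is meant to verify. If assertText matches against tag-stripped page text, as its name suggests (its implementation is not on this page), then unescaped output `Drupal is <blink>awesome</blink>.` is reduced to `Drupal is awesome.` before matching and escaped output appears as `&lt;blink&gt;`, so the literal `<blink>` is found in neither case and the assertion cannot tell the fixed and unfixed behaviour apart. Asserting on the raw response does: `$this->assertRaw('Drupal is &lt;blink&gt;awesome&lt;/blink&gt;.');` together with `$this->assertNoRaw('Drupal is <blink>awesome</blink>.');`. The enclosing test method's signature lies above the hunk.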