diff --git a/core/includes/common.inc b/core/includes/common.inc index 9589aa1..3afb1b7 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -2883,8 +2883,9 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) { // with how render cached output gets stored. This ensures that // #post_render_cache callbacks get the same data to work with, no matter if // #cache is disabled, #cache is enabled, there is a cache hit or miss. - $prefix = isset($elements['#prefix']) ? $elements['#prefix'] : ''; - $suffix = isset($elements['#suffix']) ? $elements['#suffix'] : ''; + $prefix = isset($elements['#prefix']) ? SafeMarkup::checkAdminXss($elements['#prefix']) : ''; + $suffix = isset($elements['#suffix']) ? SafeMarkup::checkAdminXss($elements['#suffix']) : ''; + $elements['#markup'] = $prefix . $elements['#children'] . $suffix; // We've rendered this element (and its subtree!), now update the stack. diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php index dc0a6a1..7f8a756 100644 --- a/core/lib/Drupal/Component/Utility/SafeMarkup.php +++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php @@ -7,6 +7,8 @@ namespace Drupal\Component\Utility; +use Drupal\Component\Utility\Xss; + /** * Manages known safe strings for rendering at the theme layer. * @@ -137,6 +139,22 @@ public static function escape($string) { } /** + * Applies a very permissive XSS/HTML filter for admin-only use. + * + * @param $string + * A string. + * + * @return string + * The escaped string. If $string was already set as safe with + * SafeString::set, it won't be escaped again. + * + * @see \Drupal\Component\Utility\Xss\filterAdmin + */ + public static function checkAdminXss($string) { + return static::isSafe($string) ? $string : Xss::filterAdmin($string); + } + + /** * Retrieves all strings currently marked as safe. * * This is useful for the batch and form APIs, where it is important to diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php index dd2bcd8..6e13cb2 100644 --- a/core/lib/Drupal/Core/Form/FormBuilder.php +++ b/core/lib/Drupal/Core/Form/FormBuilder.php @@ -10,6 +10,7 @@ use Drupal\Component\Utility\Crypt; use Drupal\Component\Utility\Html; use Drupal\Component\Utility\NestedArray; +use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\String; use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Access\CsrfTokenGenerator; @@ -799,7 +800,6 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state $element[$key] = $this->doBuildForm($form_id, $element[$key], $form_state); $count++; } - // The #after_build flag allows any piece of a form to be altered // after normal input parsing has been completed. if (isset($element['#after_build']) && !isset($element['#after_build_done'])) { @@ -865,6 +865,33 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state $form_state->setValue($triggering_element['#name'], $triggering_element['#value']); } } + // Make sure each form element is checked for safe markup and + // they are properly escaped. + $element = $this->formSafeCheck($element); + return $element; + } + + /** + * Method to ensure every form element pass the safe check. + * + * @param array $element + * - The form element. + * + * @return array + * - The form element marked as safe. + */ + protected function formSafeCheck(array $element) { + // Filtering keys which are expected to contain HTML. + $markup_keys = array( + '#description', + '#field_prefix', + '#field_suffix', + ); + foreach ($markup_keys as $key) { + if (!empty($element[$key]) && is_scalar($element[$key])) { + $element[$key] = SafeMarkup::checkAdminXss($element[$key]); + } + } return $element; } diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php index 851bbf9..5f81e93 100644 --- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php +++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php @@ -139,7 +139,8 @@ public static function preRenderConditionalComments($element) { $expression = '!IE'; } else { - $expression = $browsers['IE']; + // Need to filter at least for admin usage. + $expression = SafeMarkup::checkAdminXss($browsers['IE']); } // Wrap the element's potentially existing #prefix and #suffix properties with @@ -151,15 +152,23 @@ public static function preRenderConditionalComments($element) { '#prefix' => '', '#suffix' => '', ); + + // Ensure what we are dealing with is safe. + // This would be done later anyway in drupal_render(). + $prefix = SafeMarkup::checkAdminXss($element['#prefix']); + $suffix = SafeMarkup::checkAdminXss($element['#suffix']); + + // Now calling SafeMarkup::set is safe, because we ensured the + // data coming in was at least admin escaped. if (!$browsers['!IE']) { // "downlevel-hidden". - $element['#prefix'] = "\n\n"; + $element['#prefix'] = SafeMarkup::set("\n\n"); } else { // "downlevel-revealed". - $element['#prefix'] = "\n\n" . $element['#prefix']; - $element['#suffix'] .= "\n"; + $element['#prefix'] = SafeMarkup::set("\n\n" . $prefix); + $element['#suffix'] = SafeMarkup::set($suffix . "\n"); } return $element; diff --git a/core/lib/Drupal/Core/Render/Element/MachineName.php b/core/lib/Drupal/Core/Render/Element/MachineName.php index f062a8c..0d68152 100644 --- a/core/lib/Drupal/Core/Render/Element/MachineName.php +++ b/core/lib/Drupal/Core/Render/Element/MachineName.php @@ -8,7 +8,6 @@ namespace Drupal\Core\Render\Element; use Drupal\Component\Utility\NestedArray; -use Drupal\Component\Utility\SafeMarkup; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; @@ -152,13 +151,13 @@ public static function processMachineName(&$element, FormStateInterface $form_st $element['#machine_name']['suffix'] = '#' . $suffix_id; if ($element['#machine_name']['standalone']) { - $element['#suffix'] = SafeMarkup::set($element['#suffix'] . ' '); + $element['#suffix'] = $element['#suffix'] . ' '; } else { // Append a field suffix to the source form element, which will contain // the live preview of the machine name. $source += array('#field_suffix' => ''); - $source['#field_suffix'] = SafeMarkup::set($source['#field_suffix'] . ' '); + $source['#field_suffix'] = $source['#field_suffix'] . ' '; $parents = array_merge($element['#machine_name']['source'], array('#field_suffix')); NestedArray::setValue($form_state->getCompleteForm(), $parents, $source['#field_suffix']); diff --git a/core/modules/ban/src/BanIpManagerInterface.php b/core/modules/ban/src/BanIpManagerInterface.php index 331554b..608ae4a 100755 --- a/core/modules/ban/src/BanIpManagerInterface.php +++ b/core/modules/ban/src/BanIpManagerInterface.php @@ -9,6 +9,8 @@ /** * Provides an interface defining a BanIp manager. + * + * Service name: ban.ip_manager */ interface BanIpManagerInterface { diff --git a/core/modules/editor/editor.admin.inc b/core/modules/editor/editor.admin.inc index 2c16f05..2939be0 100644 --- a/core/modules/editor/editor.admin.inc +++ b/core/modules/editor/editor.admin.inc @@ -5,7 +5,6 @@ * Administration functions for editor.module. */ -use Drupal\Component\Utility\SafeMarkup; use Drupal\editor\Entity\Editor; /** @@ -95,8 +94,8 @@ function editor_image_upload_settings_form(Editor $editor) { $form['max_dimensions'] = array( '#type' => 'item', '#title' => t('Maximum dimensions'), - '#field_prefix' => SafeMarkup::set('
', + '#suffix' => '', ); - $expected_output = '
'; // #cache disabled. $element = $test_element; @@ -852,7 +852,7 @@ function testDrupalRenderRenderCachePlaceholder() { $this->assertIdentical($token, $expected_token, 'The tokens are identical'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '' . $context['bar'] . '
', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -895,11 +895,11 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { ], ], '#markup' => $placeholder, - '#prefix' => '
', + '#suffix' => '' ], ]; - $expected_output = '
' . "\n"; // #cache disabled. $element = $test_element; @@ -943,7 +943,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $this->assertIdentical($token, $expected_token, 'The tokens are identical for the child element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '' . $context['bar'] . '
', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -969,7 +969,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $this->assertIdentical($token, $expected_token, 'The tokens are identical for the parent element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '
' . "\n", '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( @@ -999,7 +999,7 @@ function testDrupalRenderChildElementRenderCachePlaceholder() { $this->assertIdentical($token, $expected_token, 'The tokens are identical for the child element'); // Verify the token is in the cached element. $expected_element = array( - '#markup' => '
', '#attached' => array(), '#post_render_cache' => array( 'common_test_post_render_cache_placeholder' => array( diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc index 0231667..ed49843 100644 --- a/core/modules/system/system.admin.inc +++ b/core/modules/system/system.admin.inc @@ -7,7 +7,6 @@ use Drupal\Component\Utility\SafeMarkup; use Drupal\Component\Utility\Xss; -use Drupal\Core\Cache\Cache; use Drupal\Core\Extension\Extension; use Drupal\Core\Render\Element; use Drupal\Core\Template\Attribute; @@ -259,7 +258,7 @@ function theme_system_modules_details($variables) { '#type' => 'details', '#title' => SafeMarkup::set(' ' . drupal_render($module['description']) . ''), '#attributes' => array('id' => $module['enable']['#id'] . '-description'), - '#description' => SafeMarkup::set($description), + '#description' => $description, ); $col4 = drupal_render($details); $row[] = array('class' => array('description', 'expand'), 'data' => $col4);