diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php
index 15d5223..d69daa5 100644
--- a/core/lib/Drupal/Component/Utility/SafeMarkup.php
+++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php
@@ -282,4 +282,37 @@ public static function placeholder($text) {
return $string;
}
+ /**
+ * Replace all occurrences of the search string with the replacement string.
+ *
+ * Functions identically to str_replace, but marks the returned output as safe
+ * if all the inputs and the subject have also been marked as safe.
+ */
+ public static function replace($search, $replace, $subject) {
+ $output = str_replace($search, $replace, $subject);
+
+ if (!is_array($replace)) {
+ if (!SafeMarkup::isSafe($replace)) {
+ return $output;
+ }
+ }
+ else {
+ foreach ($replace as $replacement) {
+ if (!SafeMarkup::isSafe($replacement)) {
+ return $output;
+ }
+ }
+ }
+
+ // If we have reached this point, then all replacements were safe, and
+ // therefore if the subject was also safe, then the entire output is also
+ // safe, and should be marked as such.
+ if (SafeMarkup::isSafe($subject)) {
+ return SafeMarkup::set($output);
+ }
+ else {
+ return $output;
+ }
+ }
+
}
diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index 553767f..6acd7ff 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -94,7 +94,7 @@ public static function preRenderHtmlTag($element) {
$markup = SafeMarkup::set($markup);
}
if (!empty($element['#noscript'])) {
- $element['#markup'] = '';
+ $element['#markup'] = SafeMarkup::format('', array('!markup' => $markup));
}
else {
$element['#markup'] = $markup;
diff --git a/core/lib/Drupal/Core/Render/Renderer.php b/core/lib/Drupal/Core/Render/Renderer.php
index b969a51..c253ae6 100644
--- a/core/lib/Drupal/Core/Render/Renderer.php
+++ b/core/lib/Drupal/Core/Render/Renderer.php
@@ -245,9 +245,8 @@ protected function doRender(&$elements, $is_root_call = FALSE) {
$elements['#children'] = '';
}
- // @todo Simplify after https://drupal.org/node/2273925
if (isset($elements['#markup'])) {
- $elements['#markup'] = SafeMarkup::set($elements['#markup']);
+ $elements['#markup'] = SafeMarkup::checkAdminXss($elements['#markup']);
}
// Assume that if #theme is set it represents an implemented hook.
@@ -545,7 +544,10 @@ public function generateCachePlaceholder($callback, array &$context) {
'token' => Crypt::randomBytesBase64(55),
];
- return '';
+ return SafeMarkup::format('', array(
+ '@callback' => $callback,
+ '@token' => $context['token'],
+ ));
}
}
diff --git a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php
index d10078b..e148a1b 100644
--- a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php
+++ b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php
@@ -9,6 +9,7 @@
use Drupal\Core\Template\Attribute;
use Drupal\Core\Render\Element\RenderElement;
+use Drupal\Component\Utility\SafeMarkup;
/**
* Provides a contextual_links_placeholder element.
@@ -47,7 +48,11 @@ public function getInfo() {
* @see _contextual_links_to_id()
*/
public static function preRenderPlaceholder(array $element) {
- $element['#markup'] = ' $element['#id'])) . '>';
+ // Because the only arguments to this markup will be instance of
+ // \Drupal\Core\Template\AttributeString, which is passed through
+ // \Drupal\Component\Utility\SafeMarkup::checkPlain() before being output
+ // this markup is safe, and is marked as such.
+ $element['#markup'] = SafeMarkup::set(' $element['#id'])) . '>');
return $element;
}
diff --git a/core/modules/filter/src/Element/ProcessedText.php b/core/modules/filter/src/Element/ProcessedText.php
index d007b5f..4851a22 100644
--- a/core/modules/filter/src/Element/ProcessedText.php
+++ b/core/modules/filter/src/Element/ProcessedText.php
@@ -8,6 +8,7 @@
namespace Drupal\filter\Element;
use Drupal\Component\Utility\NestedArray;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Render\BubbleableMetadata;
use Drupal\Core\Render\Element\RenderElement;
@@ -118,9 +119,11 @@ public static function preRenderText($element) {
}
}
- // Filtering done, store in #markup, set the updated bubbleable rendering
- // metadata, and set the text format's cache tag.
- $element['#markup'] = $text;
+ // Filtering and sanitizing has been done in
+ // \Drupal\filter\Plugin\FilterInterface. Store its content in #markup,
+ // set the updated bubbleable rendering metadata, and set the text format's
+ // cache tag.
+ $element['#markup'] = SafeMarkup::set($text);
$metadata->applyTo($element);
$element['#cache']['tags'] = Cache::mergeTags($element['#cache']['tags'], $format->getCacheTags());
diff --git a/core/modules/rest/src/Plugin/views/style/Serializer.php b/core/modules/rest/src/Plugin/views/style/Serializer.php
index 09e94e6..089b68b 100644
--- a/core/modules/rest/src/Plugin/views/style/Serializer.php
+++ b/core/modules/rest/src/Plugin/views/style/Serializer.php
@@ -7,7 +7,9 @@
namespace Drupal\rest\Plugin\views\style;
+use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Form\FormStateInterface;
+use Drupal\rest\Plugin\views\row\DataFieldRow;
use Drupal\views\ViewExecutable;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
use Drupal\views\Plugin\views\style\StylePluginBase;
@@ -130,7 +132,16 @@ public function render() {
$content_type = $this->options['formats'] ? reset($this->options['formats']) : 'json';
}
- return $this->serializer->serialize($rows, $content_type);
+ $output = $this->serializer->serialize($rows, $content_type);
+ if ($this->view->rowPlugin instanceof DataFieldRow) {
+ // Individual fields in the DataFieldRow plugin are sanitized in
+ // \Drupal\views\Plugin\views\field\FieldPluginBase::advancedRender() and
+ // we can safely assume that the Serializer does not introduce XSS when
+ // transforming the array into the particular format, hence we can safely
+ // mark the whole serialized string as safe.
+ SafeMarkup::set($output);
+ }
+ return $output;
}
/**
diff --git a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php
index 12eb653..3d9b0db 100644
--- a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php
+++ b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php
@@ -12,6 +12,7 @@
use Drupal\views\Tests\Plugin\PluginTestBase;
use Drupal\views\Tests\ViewTestData;
use Symfony\Component\HttpFoundation\Request;
+use Drupal\Core\Cache\Cache;
/**
* Tests the serializer style plugin.
@@ -315,6 +316,19 @@ public function testFieldapiField() {
$result = $this->drupalGetJSON('test/serialize/node-field');
$this->assertEqual($result[0]['nid'], $node->id());
$this->assertEqual($result[0]['body'], $node->body->processed);
- }
+ // Make sure that serialized fields are not exposed to XSS.
+ $node = $this->drupalCreateNode();
+ $node->body = array(
+ 'value' => '' . $this->randomMachineName(32),
+ 'format' => filter_default_format(),
+ );
+ $node->save();
+ // @todo Find a proper solution & fix https://www.drupal.org/node/2477157
+ // Invalidate the cache since the RestExport returns the cached data.
+ \Drupal::cache('render')->deleteAll();
+ $result = $this->drupalGetJSON('test/serialize/node-field');
+ $this->assertEqual($result[1]['nid'], $node->id());
+ $this->assertTrue(strpos($this->getRawContent(), "randomString();
- $footer_string = $this->randomString();
- $empty_string = $this->randomString();
+ $header_string = $this->randomMachineName();
+ $footer_string = $this->randomMachineName();
+ $empty_string = $this->randomMachineName();
$view->header['test_example']->options['string'] = $header_string;
$view->header['test_example']->options['empty'] = TRUE;
diff --git a/core/modules/views/views.module b/core/modules/views/views.module
index 9e9529e..6cde80b 100644
--- a/core/modules/views/views.module
+++ b/core/modules/views/views.module
@@ -679,7 +679,7 @@ function views_pre_render_views_form_views_form($element) {
}
// Apply substitutions to the rendered output.
- $element['output'] = array('#markup' => str_replace($search, $replace, drupal_render($element['output'])));
+ $element['output'] = array('#markup' => SafeMarkup::replace($search, $replace, drupal_render($element['output'])));
// Sort, render and add remaining form fields.
$children = Element::children($element, TRUE);
diff --git a/core/modules/views_ui/views_ui.theme.inc b/core/modules/views_ui/views_ui.theme.inc
index f2f2b67..4aafde4 100644
--- a/core/modules/views_ui/views_ui.theme.inc
+++ b/core/modules/views_ui/views_ui.theme.inc
@@ -147,21 +147,35 @@ function theme_views_ui_build_group_filter_form($variables) {
foreach (Element::children($form['group_items']) as $group_id) {
$form['group_items'][$group_id]['value']['#title'] = '';
+ $default = array(
+ $form['default_group'][$group_id],
+ $form['default_group_multiple'][$group_id],
+ );
+ $link = [
+ '#type' => 'link',
+ '#url' => Url::fromRoute('', [], [
+ 'attributes' => [
+ 'id' => 'views-remove-link-' . $group_id,
+ 'class' => [
+ 'views-hidden',
+ 'views-button-remove',
+ 'views-groups-remove-link',
+ 'views-remove-link',
+ ],
+ 'alt' => t('Remove this item'),
+ 'title' => t('Remove this item'),
+ ],
+ ]),
+ '#title' => SafeMarkup::format('@text', ['@text' => t('Remove')]),
+ ];
+ $remove = [$form['group_items'][$group_id]['remove'], $link];
$data = array(
- 'default' => array(
- 'data' => array(
- '#markup' => drupal_render($form['default_group'][$group_id]) . drupal_render($form['default_group_multiple'][$group_id]),
- ),
- ),
+ 'default' => ['data' => $default],
'weight' => drupal_render($form['group_items'][$group_id]['weight']),
'title' => drupal_render($form['group_items'][$group_id]['title']),
'operator' => drupal_render($form['group_items'][$group_id]['operator']),
'value' => drupal_render($form['group_items'][$group_id]['value']),
- 'remove' => array(
- 'data' => array(
- '#markup' => drupal_render($form['group_items'][$group_id]['remove']) . \Drupal::l(SafeMarkup::format('@text', array('@text' => t('Remove'))), Url::fromRoute('', [], array('attributes' => array('id' => 'views-remove-link-' . $group_id, 'class' => array('views-hidden', 'views-button-remove', 'views-groups-remove-link', 'views-remove-link'), 'alt' => t('Remove this item'), 'title' => t('Remove this item'))))),
- ),
- ),
+ 'remove' => ['data' => $remove],
);
$rows[] = array('data' => $data, 'id' => 'views-row-' . $group_id, 'class' => array('draggable'));
}
diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
index 1e7d355..acba34a 100644
--- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
@@ -188,4 +188,73 @@ function testPlaceholder() {
$this->assertEquals('Some text', SafeMarkup::placeholder('Some text'));
}
+ /**
+ * Tests SafeMarkup::replace().
+ *
+ * @dataProvider providerReplace
+ * @covers ::replace
+ */
+ public function testReplaces($search, $replace, $subject, $expected, $is_safe) {
+ $result = SafeMarkup::replace($search, $replace, $subject);
+ $this->assertEquals($expected, $result);
+ $this->assertEquals($is_safe, SafeMarkup::isSafe($result));
+ }
+
+ /**
+ * Data provider for testReplace().
+ *
+ * @see testReplace()
+ */
+ public function providerReplace() {
+ $tests = [];
+
+ // Subject unsafe.
+ $tests[] = [
+ '',
+ SafeMarkup::set('foo'),
+ 'bazqux',
+ 'foobazqux',
+ FALSE,
+ ];
+
+ // All safe.
+ $tests[] = [
+ '',
+ SafeMarkup::set('foo'),
+ SafeMarkup::set('barbaz'),
+ 'foobarbaz',
+ TRUE,
+ ];
+
+ // Safe subject, but should result in unsafe string because replacement is
+ // unsafe.
+ $tests[] = [
+ '',
+ 'fubar',
+ SafeMarkup::set('barbaz'),
+ 'fubarbarbaz',
+ FALSE,
+ ];
+
+ // Array with all safe.
+ $tests[] = [
+ ['', '', ''],
+ [SafeMarkup::set('foo'), SafeMarkup::set('bar'), SafeMarkup::set('baz')],
+ SafeMarkup::set(''),
+ 'foobarbaz',
+ TRUE,
+ ];
+
+ // Array with unsafe replacement.
+ $tests[] = [
+ ['', '', '',],
+ [SafeMarkup::set('bar'), SafeMarkup::set('baz'), 'qux'],
+ SafeMarkup::set(''),
+ 'barbazqux',
+ FALSE,
+ ];
+
+ return $tests;
+ }
+
}
diff --git a/core/tests/Drupal/Tests/Core/Render/RendererPostRenderCacheTest.php b/core/tests/Drupal/Tests/Core/Render/RendererPostRenderCacheTest.php
index 50ccc2e..d96e4fd 100644
--- a/core/tests/Drupal/Tests/Core/Render/RendererPostRenderCacheTest.php
+++ b/core/tests/Drupal/Tests/Core/Render/RendererPostRenderCacheTest.php
@@ -432,7 +432,7 @@ public function testPlaceholder() {
'#prefix' => '',
'#suffix' => '',
];
- $expected_output = '' . $context['bar'] . '
';
+ $expected_output = '' . $context['bar'] . '
';
// #cache disabled.
$element = $test_element;
@@ -530,7 +530,7 @@ public function testChildElementPlaceholder() {
'#suffix' => ''
],
];
- $expected_output = '' . $context['bar'] . '
' . "\n";
+ $expected_output = '' . $context['bar'] . '
' . "\n";
// #cache disabled.
$element = $test_element;
diff --git a/core/tests/Drupal/Tests/Core/Render/RendererTest.php b/core/tests/Drupal/Tests/Core/Render/RendererTest.php
index e8368b2..addfa4b 100644
--- a/core/tests/Drupal/Tests/Core/Render/RendererTest.php
+++ b/core/tests/Drupal/Tests/Core/Render/RendererTest.php
@@ -81,6 +81,10 @@ public function providerTestRenderBasic() {
$data[] = [[
'child' => ['#markup' => 'bar'],
], 'bar'];
+ // XSS filtering test.
+ $data[] = [[
+ 'child' => ['#markup' => "This is test"],
+ ], "This is alert('XSS') test"];
// #children set but empty, and renderable children.
$data[] = [[
'#children' => '',
diff --git a/core/tests/Drupal/Tests/Core/Render/RendererTestBase.php b/core/tests/Drupal/Tests/Core/Render/RendererTestBase.php
index 903adce..fb0aeb9 100644
--- a/core/tests/Drupal/Tests/Core/Render/RendererTestBase.php
+++ b/core/tests/Drupal/Tests/Core/Render/RendererTestBase.php
@@ -255,7 +255,7 @@ public static function callback(array $element, array $context) {
public static function placeholder(array $element, array $context) {
$placeholder = \Drupal::service('renderer')->generateCachePlaceholder(__NAMESPACE__ . '\\PostRenderCache::placeholder', $context);
$replace_element = array(
- '#markup' => '' . $context['bar'] . '',
+ '#markup' => '' . $context['bar'] . '',
'#attached' => array(
'drupalSettings' => [
'common_test' => $context,