diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php index 172a323..69d12fe 100644 --- a/core/lib/Drupal/Component/Utility/SafeMarkup.php +++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php @@ -282,4 +282,51 @@ public static function placeholder($text) { return $string; } + /** + * Replaces all occurrences of the search string with the replacement string. + * + * Functions identically to str_replace(), but marks the returned output as + * safe if all the inputs and the subject have also been marked as safe. + * + * @param string|array $search + * The value being searched for. An array may be used to designate multiple + * values to search for. + * @param string|array $replace + * The replacement value that replaces found search values. An array may be + * used to designate multiple replacements. + * @param string $subject + * The string or array being searched and replaced on. + * + * @return string + * The passed subject with replaced values. + */ + public static function replace($search, $replace, $subject) { + $output = str_replace($search, $replace, $subject); + + // If any replacement is unsafe, then the output is also unsafe, so just + // return the output. + if (!is_array($replace)) { + if (!SafeMarkup::isSafe($replace)) { + return $output; + } + } + else { + foreach ($replace as $replacement) { + if (!SafeMarkup::isSafe($replacement)) { + return $output; + } + } + } + + // If the subject is unsafe, then the output is as well, so return it. + if (!SafeMarkup::isSafe($subject)) { + return $output; + } + else { + // If we have reached this point, then all replacements were safe. If the + // subject was also safe, then mark the entire output as safe. + return SafeMarkup::set($output); + } + } + } diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php index 553767f..9b2ab57 100644 --- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php +++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php @@ -46,7 +46,12 @@ public function getInfo() { * Pre-render callback: Renders a generic HTML tag with attributes into #markup. * * Note: It is the caller's responsibility to sanitize any input parameters. - * This callback does not perform sanitization. + * This callback does not perform sanitization. Despite the result of this + * pre-render callback being a #markup element, it is not passed through + * \Drupal\Component\Utility\Xss::filterAdmin(). This is because it is marked + * safe here, which causes + * \Drupal\Component\Utility\SafeMarkup::checkAdminXss() to regard it as safe + * and bypass the call to \Drupal\Component\Utility\Xss::filterAdmin(). * * @param array $element * An associative array containing: @@ -94,7 +99,7 @@ public static function preRenderHtmlTag($element) { $markup = SafeMarkup::set($markup); } if (!empty($element['#noscript'])) { - $element['#markup'] = ''; + $element['#markup'] = SafeMarkup::format('', ['@markup' => $markup]); } else { $element['#markup'] = $markup; diff --git a/core/lib/Drupal/Core/Render/Renderer.php b/core/lib/Drupal/Core/Render/Renderer.php index 8bf3db6..dd7c956 100644 --- a/core/lib/Drupal/Core/Render/Renderer.php +++ b/core/lib/Drupal/Core/Render/Renderer.php @@ -350,9 +350,8 @@ protected function doRender(&$elements, $is_root_call = FALSE) { $elements['#children'] = ''; } - // @todo Simplify after https://www.drupal.org/node/2273925. if (isset($elements['#markup'])) { - $elements['#markup'] = SafeMarkup::set($elements['#markup']); + $elements['#markup'] = SafeMarkup::checkAdminXss($elements['#markup']); } // Assume that if #theme is set it represents an implemented hook. diff --git a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php index d10078b..6e0b7f4 100644 --- a/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php +++ b/core/modules/contextual/src/Element/ContextualLinksPlaceholder.php @@ -9,6 +9,7 @@ use Drupal\Core\Template\Attribute; use Drupal\Core\Render\Element\RenderElement; +use Drupal\Component\Utility\SafeMarkup; /** * Provides a contextual_links_placeholder element. @@ -47,7 +48,10 @@ public function getInfo() { * @see _contextual_links_to_id() */ public static function preRenderPlaceholder(array $element) { - $element['#markup'] = '
' . $this->randomMachineName() . '
'; + $footer_string = '' . $this->randomMachineName() . '
'; + $empty_string = '' . $this->randomMachineName() . '
'; $view->header['test_example']->options['string'] = $header_string; $view->header['test_example']->options['empty'] = TRUE; @@ -104,12 +106,13 @@ public function testRenderArea() { $view->empty['test_example']->options['string'] = $empty_string; - // Check whether the strings exists in the output. + // Check whether the strings exist in the output and are sanitized. $output = $view->preview(); $output = drupal_render($output); - $this->assertTrue(strpos($output, $header_string) !== FALSE); - $this->assertTrue(strpos($output, $footer_string) !== FALSE); - $this->assertTrue(strpos($output, $empty_string) !== FALSE); + $this->assertTrue(strpos($output, Xss::filterAdmin($header_string)) !== FALSE, 'Views header exists in the output and is sanitized'); + $this->assertTrue(strpos($output, Xss::filterAdmin($footer_string)) !== FALSE, 'Views footer exists in the output and is sanitized'); + $this->assertTrue(strpos($output, Xss::filterAdmin($empty_string)) !== FALSE, 'Views empty exists in the output and is sanitized'); + $this->assertTrue(strpos($output, ' test"], + ], "This is alert('XSS') test"]; // #children set but empty, and renderable children. $data[] = [[ '#children' => '',