diff --git a/core/lib/Drupal/Core/Render/Element/Button.php b/core/lib/Drupal/Core/Render/Element/Button.php index 11a9093..5d1989b 100644 --- a/core/lib/Drupal/Core/Render/Element/Button.php +++ b/core/lib/Drupal/Core/Render/Element/Button.php @@ -36,6 +36,7 @@ public function getInfo() { array($class, 'processAjaxForm'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderButton'), ), '#theme_wrappers' => array('input__submit'), diff --git a/core/lib/Drupal/Core/Render/Element/Checkbox.php b/core/lib/Drupal/Core/Render/Element/Checkbox.php index 43b37ca..4be489b 100644 --- a/core/lib/Drupal/Core/Render/Element/Checkbox.php +++ b/core/lib/Drupal/Core/Render/Element/Checkbox.php @@ -33,6 +33,7 @@ public function getInfo() { array($class, 'processGroup'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderCheckbox'), array($class, 'preRenderGroup'), ), diff --git a/core/lib/Drupal/Core/Render/Element/Checkboxes.php b/core/lib/Drupal/Core/Render/Element/Checkboxes.php index aa3b64c..41315a0 100644 --- a/core/lib/Drupal/Core/Render/Element/Checkboxes.php +++ b/core/lib/Drupal/Core/Render/Element/Checkboxes.php @@ -36,6 +36,7 @@ public function getInfo() { array($class, 'processCheckboxes'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderCompositeFormElement'), ), '#theme_wrappers' => array('checkboxes'), diff --git a/core/lib/Drupal/Core/Render/Element/Color.php b/core/lib/Drupal/Core/Render/Element/Color.php index fa05799..341c21d 100644 --- a/core/lib/Drupal/Core/Render/Element/Color.php +++ b/core/lib/Drupal/Core/Render/Element/Color.php @@ -32,6 +32,7 @@ public function getInfo() { array($class, 'validateColor'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderColor'), ), '#theme' => 'input__color', diff --git a/core/lib/Drupal/Core/Render/Element/Date.php b/core/lib/Drupal/Core/Render/Element/Date.php index 8585cb3..d92145d 100644 --- a/core/lib/Drupal/Core/Render/Element/Date.php +++ b/core/lib/Drupal/Core/Render/Element/Date.php @@ -30,6 +30,7 @@ public function getInfo() { '#input' => TRUE, '#theme' => 'input__date', '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderDate'), ), '#theme_wrappers' => array('form_element'), diff --git a/core/lib/Drupal/Core/Render/Element/Email.php b/core/lib/Drupal/Core/Render/Element/Email.php index c17633f..22c7286 100644 --- a/core/lib/Drupal/Core/Render/Element/Email.php +++ b/core/lib/Drupal/Core/Render/Element/Email.php @@ -48,6 +48,7 @@ public function getInfo() { array($class, 'validateEmail'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderEmail'), ), '#theme' => 'input__email', diff --git a/core/lib/Drupal/Core/Render/Element/File.php b/core/lib/Drupal/Core/Render/Element/File.php index 848e401..09e9b75 100644 --- a/core/lib/Drupal/Core/Render/Element/File.php +++ b/core/lib/Drupal/Core/Render/Element/File.php @@ -30,6 +30,7 @@ public function getInfo() { ), '#size' => 60, '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderFile'), ), '#theme' => 'input__file', diff --git a/core/lib/Drupal/Core/Render/Element/FormElement.php b/core/lib/Drupal/Core/Render/Element/FormElement.php index 401c850..b22795f 100644 --- a/core/lib/Drupal/Core/Render/Element/FormElement.php +++ b/core/lib/Drupal/Core/Render/Element/FormElement.php @@ -7,6 +7,7 @@ namespace Drupal\Core\Render\Element; +use Drupal\Component\Utility\Xss; use Drupal\Core\Form\FormStateInterface; /** @@ -21,6 +22,44 @@ */ abstract class FormElement extends RenderElement implements FormElementInterface { + /** + * {@inheritdoc} + */ + public function getInfo() { + $class = get_class($this); + return array( + '#pre_render' => array( + array($class, 'preRenderFormElement'), + ), + ); + } + + /** + * Pre-render callback: XSS filter dangerous properties that may contain HTML. + * + * @param array $element + * + * @return array + * The passed-in element. + */ + public static function preRenderFormElement($element) { + // Filtering keys which are expected to contain HTML. + $markup_keys = array( + '#description', + '#field_prefix', + '#field_suffix', + ); + foreach ($markup_keys as $key) { + if (!empty($element[$key]) && !is_array($element[$key])) { + $element[$key] = Xss::filterAdmin($element[$key]); + } + else { + $element[$key] = NULL; + } + } + return $element; + } + /** * {@inheritdoc} */ diff --git a/core/lib/Drupal/Core/Render/Element/Hidden.php b/core/lib/Drupal/Core/Render/Element/Hidden.php index bb955af..1798924 100644 --- a/core/lib/Drupal/Core/Render/Element/Hidden.php +++ b/core/lib/Drupal/Core/Render/Element/Hidden.php @@ -29,6 +29,7 @@ public function getInfo() { array($class, 'processAjaxForm'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderHidden'), ), '#theme' => 'input__hidden', diff --git a/core/lib/Drupal/Core/Render/Element/Item.php b/core/lib/Drupal/Core/Render/Element/Item.php index 145b904..e6e201a 100644 --- a/core/lib/Drupal/Core/Render/Element/Item.php +++ b/core/lib/Drupal/Core/Render/Element/Item.php @@ -31,7 +31,7 @@ public function getInfo() { '#input' => TRUE, '#markup' => '', '#theme_wrappers' => array('form_element'), - ); + ) + parent::getInfo(); } } diff --git a/core/lib/Drupal/Core/Render/Element/LanguageSelect.php b/core/lib/Drupal/Core/Render/Element/LanguageSelect.php index 433e508..d675a19 100644 --- a/core/lib/Drupal/Core/Render/Element/LanguageSelect.php +++ b/core/lib/Drupal/Core/Render/Element/LanguageSelect.php @@ -23,7 +23,7 @@ public function getInfo() { return array( '#input' => TRUE, '#default_value' => LanguageInterface::LANGCODE_NOT_SPECIFIED, - ); + ) + parent::getInfo(); } } diff --git a/core/lib/Drupal/Core/Render/Element/Number.php b/core/lib/Drupal/Core/Render/Element/Number.php index 5e39541..645c23d 100644 --- a/core/lib/Drupal/Core/Render/Element/Number.php +++ b/core/lib/Drupal/Core/Render/Element/Number.php @@ -33,6 +33,7 @@ public function getInfo() { array($class, 'validateNumber'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderNumber'), ), '#theme' => 'input__number', diff --git a/core/lib/Drupal/Core/Render/Element/Password.php b/core/lib/Drupal/Core/Render/Element/Password.php index 48a20cf..b825861 100644 --- a/core/lib/Drupal/Core/Render/Element/Password.php +++ b/core/lib/Drupal/Core/Render/Element/Password.php @@ -30,6 +30,7 @@ public function getInfo() { array($class, 'processPattern'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderPassword'), ), '#theme' => 'input__password', diff --git a/core/lib/Drupal/Core/Render/Element/PasswordConfirm.php b/core/lib/Drupal/Core/Render/Element/PasswordConfirm.php index f3ea4e8..bf70223 100644 --- a/core/lib/Drupal/Core/Render/Element/PasswordConfirm.php +++ b/core/lib/Drupal/Core/Render/Element/PasswordConfirm.php @@ -30,7 +30,7 @@ public function getInfo() { array($class, 'processPasswordConfirm'), ), '#theme_wrappers' => array('form_element'), - ); + ) + parent::getInfo(); } /** diff --git a/core/lib/Drupal/Core/Render/Element/Radio.php b/core/lib/Drupal/Core/Render/Element/Radio.php index f106d07..6be4fcc 100644 --- a/core/lib/Drupal/Core/Render/Element/Radio.php +++ b/core/lib/Drupal/Core/Render/Element/Radio.php @@ -30,6 +30,7 @@ public function getInfo() { array($class, 'processAjaxForm'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderRadio'), ), '#theme' => 'input__radio', diff --git a/core/lib/Drupal/Core/Render/Element/Radios.php b/core/lib/Drupal/Core/Render/Element/Radios.php index b010628..7c9db4a 100644 --- a/core/lib/Drupal/Core/Render/Element/Radios.php +++ b/core/lib/Drupal/Core/Render/Element/Radios.php @@ -31,11 +31,11 @@ public function getInfo() { '#process' => array( array($class, 'processRadios'), ), - '#theme_wrappers' => array('radios'), '#pre_render' => array( - array($class, 'preRenderCompositeFormElement'), + array($class, 'preRenderFormElement'), ), - ); + '#theme_wrappers' => array('radios'), + ) + parent::getInfo(); } /** diff --git a/core/lib/Drupal/Core/Render/Element/Search.php b/core/lib/Drupal/Core/Render/Element/Search.php index dfa70ed..5e0d17a 100644 --- a/core/lib/Drupal/Core/Render/Element/Search.php +++ b/core/lib/Drupal/Core/Render/Element/Search.php @@ -35,6 +35,7 @@ public function getInfo() { array($class, 'processAjaxForm'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderSearch'), ), '#theme' => 'input__search', diff --git a/core/lib/Drupal/Core/Render/Element/Select.php b/core/lib/Drupal/Core/Render/Element/Select.php index f939641..8d10311 100644 --- a/core/lib/Drupal/Core/Render/Element/Select.php +++ b/core/lib/Drupal/Core/Render/Element/Select.php @@ -33,6 +33,7 @@ public function getInfo() { array($class, 'processAjaxForm'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderSelect'), ), '#theme' => 'select', diff --git a/core/lib/Drupal/Core/Render/Element/Table.php b/core/lib/Drupal/Core/Render/Element/Table.php index 191de68..3d0de59 100644 --- a/core/lib/Drupal/Core/Render/Element/Table.php +++ b/core/lib/Drupal/Core/Render/Element/Table.php @@ -53,6 +53,7 @@ public function getInfo() { '#tabledrag' => array(), // Render properties. '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderTable'), ), '#theme' => 'table', diff --git a/core/lib/Drupal/Core/Render/Element/Tel.php b/core/lib/Drupal/Core/Render/Element/Tel.php index 5cd4c5d..1d01b75 100644 --- a/core/lib/Drupal/Core/Render/Element/Tel.php +++ b/core/lib/Drupal/Core/Render/Element/Tel.php @@ -32,6 +32,7 @@ public function getInfo() { array($class, 'processPattern'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderTel'), ), '#theme' => 'input__tel', diff --git a/core/lib/Drupal/Core/Render/Element/Textarea.php b/core/lib/Drupal/Core/Render/Element/Textarea.php index bb5fad7..c1734bb 100644 --- a/core/lib/Drupal/Core/Render/Element/Textarea.php +++ b/core/lib/Drupal/Core/Render/Element/Textarea.php @@ -21,6 +21,7 @@ class Textarea extends FormElement { */ public function getInfo() { $class = get_class($this); + $info = parent::getInfo(); return array( '#input' => TRUE, '#cols' => 60, @@ -31,6 +32,7 @@ public function getInfo() { array($class, 'processGroup'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderGroup'), ), '#theme' => 'textarea', diff --git a/core/lib/Drupal/Core/Render/Element/Textfield.php b/core/lib/Drupal/Core/Render/Element/Textfield.php index 4396494..aded4fe 100644 --- a/core/lib/Drupal/Core/Render/Element/Textfield.php +++ b/core/lib/Drupal/Core/Render/Element/Textfield.php @@ -34,6 +34,7 @@ public function getInfo() { array($class, 'processGroup'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderTextfield'), array($class, 'preRenderGroup'), ), diff --git a/core/lib/Drupal/Core/Render/Element/Url.php b/core/lib/Drupal/Core/Render/Element/Url.php index e891128..09df806 100644 --- a/core/lib/Drupal/Core/Render/Element/Url.php +++ b/core/lib/Drupal/Core/Render/Element/Url.php @@ -37,6 +37,7 @@ public function getInfo() { array($class, 'validateUrl'), ), '#pre_render' => array( + array($class, 'preRenderFormElement'), array($class, 'preRenderUrl'), ), '#theme' => 'input__url', diff --git a/core/lib/Drupal/Core/Render/Element/Value.php b/core/lib/Drupal/Core/Render/Element/Value.php index 5da3e0c..fbbfe05 100644 --- a/core/lib/Drupal/Core/Render/Element/Value.php +++ b/core/lib/Drupal/Core/Render/Element/Value.php @@ -24,7 +24,7 @@ class Value extends FormElement { public function getInfo() { return array( '#input' => TRUE, - ); + ) + parent::getInfo(); } } diff --git a/core/lib/Drupal/Core/Render/Element/Weight.php b/core/lib/Drupal/Core/Render/Element/Weight.php index ffcda6b..32e1f22 100644 --- a/core/lib/Drupal/Core/Render/Element/Weight.php +++ b/core/lib/Drupal/Core/Render/Element/Weight.php @@ -32,7 +32,7 @@ public function getInfo() { array($class, 'processWeight'), array($class, 'processAjaxForm'), ), - ); + ) + parent::getInfo(); } /** diff --git a/core/modules/field_ui/src/Tests/FieldUiTestBase.php b/core/modules/field_ui/src/Tests/FieldUiTestBase.php index 6157893..421500c 100644 --- a/core/modules/field_ui/src/Tests/FieldUiTestBase.php +++ b/core/modules/field_ui/src/Tests/FieldUiTestBase.php @@ -78,6 +78,7 @@ function fieldUIAddNewField($bundle_path, $initial_edit, $field_edit = array(), // Second step : 'Field settings' form. $this->drupalPostForm(NULL, $field_edit, t('Save field settings')); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); $this->assertRaw(t('Updated field %label field settings.', array('%label' => $label)), 'Redirected to instance and widget settings page.'); // Third step : 'Instance settings' form. @@ -105,6 +106,7 @@ function fieldUIAddExistingField($bundle_path, $initial_edit, $instance_edit = a // First step : 'Re-use existing field' on the 'Manage fields' page. $this->drupalPostForm("$bundle_path/fields", $initial_edit, t('Save')); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); // Second step : 'Instance settings' form. $this->drupalPostForm(NULL, $instance_edit, t('Save settings')); diff --git a/core/modules/field_ui/src/Tests/ManageFieldsTest.php b/core/modules/field_ui/src/Tests/ManageFieldsTest.php index c137308..201f5f6 100644 --- a/core/modules/field_ui/src/Tests/ManageFieldsTest.php +++ b/core/modules/field_ui/src/Tests/ManageFieldsTest.php @@ -141,6 +141,7 @@ function updateField() { // Go to the field instance edit page. $this->drupalGet('admin/structure/types/manage/' . $this->type . '/fields/' . $instance_id); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); $edit = array( 'instance[settings][test_instance_setting]' => $string, ); @@ -221,6 +222,7 @@ protected function deleteFieldInstance() { // Delete the field instance. $instance_id = 'node.' . $this->type . '.' . $this->field_name; $this->drupalGet('admin/structure/types/manage/' . $this->type . '/fields/' . $instance_id); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); $this->drupalPostForm(NULL, array(), t('Delete field')); $this->assertResponse(200); } @@ -564,6 +566,9 @@ function testHelpDescriptions() { entity_get_form_display('node', 'article', 'default')->setComponent('field_image')->save(); + $this->drupalGet('admin/structure/types/manage/article/fields/node.article.field_image'); + $this->assertNoRaw('<div', 'Image fields do not have double escaped HTML tags.'); + $edit = array( 'instance[description]' => 'Test with an upload field.', ); diff --git a/core/modules/locale/src/Form/ImportForm.php b/core/modules/locale/src/Form/ImportForm.php index 426187f..75dda76 100644 --- a/core/modules/locale/src/Form/ImportForm.php +++ b/core/modules/locale/src/Form/ImportForm.php @@ -103,18 +103,22 @@ public function buildForm(array $form, FormStateInterface $form_state) { 'file_validate_extensions' => array('po'), 'file_validate_size' => array(file_upload_max_size()), ); + + $file_description = array( + '#theme' => 'file_upload_help', + '#description' => $this->t('A Gettext Portable Object file.'), + '#upload_validators' => $validators, + ); + $form['file'] = array( '#type' => 'file', '#title' => $this->t('Translation file'), - '#description' => array( - '#theme' => 'file_upload_help', - '#description' => $this->t('A Gettext Portable Object file.'), - '#upload_validators' => $validators, - ), + '#description' => drupal_render($file_description), '#size' => 50, '#upload_validators' => $validators, '#attributes' => array('class' => array('file-import-input')), ); + $form['langcode'] = array( '#type' => 'select', '#title' => $this->t('Language'), diff --git a/core/modules/options/src/Tests/OptionsFieldUITest.php b/core/modules/options/src/Tests/OptionsFieldUITest.php index ebbba4b..70bf9d4 100644 --- a/core/modules/options/src/Tests/OptionsFieldUITest.php +++ b/core/modules/options/src/Tests/OptionsFieldUITest.php @@ -278,6 +278,7 @@ protected function createOptionsField($type) { function assertAllowedValuesInput($input_string, $result, $message) { $edit = array('field[settings][allowed_values]' => $input_string); $this->drupalPostForm($this->admin_path, $edit, t('Save field settings')); + $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.'); if (is_string($result)) { $this->assertText($result, $message);