diff --git a/core/modules/node/src/Controller/NodeController.php b/core/modules/node/src/Controller/NodeController.php index 91ba219..bdab1d7 100644 --- a/core/modules/node/src/Controller/NodeController.php +++ b/core/modules/node/src/Controller/NodeController.php @@ -182,18 +182,47 @@ public function revisionOverview(NodeInterface $node) { '#theme' => 'username', '#account' => $revision_author, ); - $row[] = array('data' => $this->t('!date by !username', array('!date' => $node->link($this->dateFormatter->format($revision->revision_timestamp->value, 'short')), '!username' => drupal_render($username))) - . (($revision->revision_log->value != '') ? '

' . Xss::filter($revision->revision_log->value) . '

' : ''), - 'class' => array('revision-current')); - $row[] = array('data' => SafeMarkup::placeholder($this->t('current revision')), 'class' => array('revision-current')); + $row[] = array( + 'data' => array( + '#type' => 'inline_template', + '#template' => '{{ author }}{% if message %}

{{ message }}

{% endif %}', + '#context' => array( + 'author' => $this->t('!date by !username', + array( + '!date' => $node->link($this->dateFormatter->format($revision->revision_timestamp->value, 'short')), + '!username' => \Drupal::service('renderer')->render($username), + ) + ), + 'message' => Xss::filter($revision->revision_log->value), + ), + ), + 'class' => array('revision-current'), + ); + $row[] = array( + 'data' => SafeMarkup::placeholder($this->t('current revision')), + 'class' => array('revision-current'), + ); } else { $username = array( '#theme' => 'username', '#account' => $revision_author, ); - $row[] = $this->t('!date by !username', array('!date' => $this->l($this->dateFormatter->format($revision->revision_timestamp->value, 'short'), new Url('node.revision_show', array('node' => $node->id(), 'node_revision' => $vid))), '!username' => drupal_render($username))) - . (($revision->revision_log->value != '') ? '

' . Xss::filter($revision->revision_log->value) . '

' : ''); + $row[] = array( + 'data' => array( + '#type' => 'inline_template', + '#template' => '{{ author }}{% if message %}

{{ message }}

{% endif %}', + '#context' => array( + 'author' => $this->t('!date by !username', + array( + '!date' => $this->l($this->dateFormatter->format($revision->revision_timestamp->value, 'short'), new Url('node.revision_show', array('node' => $node->id(), 'node_revision' => $vid))), + '!username' => \Drupal::service('renderer')->render($username), + ) + ), + 'message' => Xss::filter($revision->revision_log->value), + ), + ), + ); if ($revert_permission) { $links['revert'] = array( diff --git a/core/modules/node/src/Tests/NodeRevisionsUiTest.php b/core/modules/node/src/Tests/NodeRevisionsUiTest.php index 6527984..3eb3ff5 100644 --- a/core/modules/node/src/Tests/NodeRevisionsUiTest.php +++ b/core/modules/node/src/Tests/NodeRevisionsUiTest.php @@ -7,7 +7,10 @@ namespace Drupal\node\Tests; +use Drupal\Component\Utility\SafeMarkup; +use Drupal\Core\Url; use Drupal\node\Entity\NodeType; +use Drupal\node\Entity\Node; /** * Tests the UI for controlling node revision behavior. @@ -17,26 +20,44 @@ class NodeRevisionsUiTest extends NodeTestBase { /** + * Web user. + */ + protected $webUser1; + + /** + * Web user. + */ + protected $webUser2; + + /** * {@inheritdoc} */ protected function setUp() { parent::setUp(); - // Create and log in user. - $web_user = $this->drupalCreateUser( + // Create users. + $this->webUser1 = $this->drupalCreateUser( array( 'administer nodes', 'edit any page content' ) ); - - $this->drupalLogin($web_user); + $this->webUser2 = $this->drupalCreateUser( + array( + 'administer nodes', + 'edit any page content', + 'view page revisions', + 'access user profiles', + ) + ); } /** * Checks that unchecking 'Create new revision' works when editing a node. */ function testNodeFormSaveWithoutRevision() { + $this->drupalLogin($this->webUser1); + $node_storage = $this->container->get('entity.manager')->getStorage('node'); // Set page revision setting 'create new revision'. This will mean new @@ -73,6 +94,53 @@ function testNodeFormSaveWithoutRevision() { $node_storage->resetCache(array($node->id())); $node_revision = $node_storage->load($node->id()); $this->assertNotEqual($node_revision->getRevisionId(), $node->getRevisionId(), "After an existing node is saved with 'Create new revision' checked, a new revision is created."); + } + + /** + * Checks HTML double escaping of revision logs. + */ + function testNodeRevisionDoubleEscapeFix() { + $this->drupalLogin($this->webUser2); + $nodes = array(); + + // Create the node. + $node = $this->drupalCreateNode(); + + $username = array( + '#theme' => 'username', + '#account' => $this->webUser2, + ); + $web_user = \Drupal::service('renderer')->render($username); + // Get original node. + $nodes[] = clone $node; + + // Create revision with a random title and body and update variables. + $node->title = $this->randomMachineName(); + $node->body = array( + 'value' => $this->randomMachineName(32), + 'format' => filter_default_format(), + ); + $node->setNewRevision(); + $node->revision_log->value = 'Revision message with markup.'; + $node->save(); + $node = Node::load($node->id()); // Make sure we get revision information. + $nodes[] = clone $node; + + $this->drupalGet('node/' . $node->id() . '/revisions'); + + + $old_revision_message = t('!date by !username', array( + '!date' => \Drupal::l(format_date($nodes[0]->revision_timestamp->value, 'short'), new Url('node.revision_show', array('node' => $nodes[0]->id(), 'node_revision' => $nodes[0]->getRevisionId()))), + '!username' => $web_user, + )) . (($nodes[0]->revision_log->value != '') ? '

' . $nodes[0]->revision_log->value . '

' : ''); + $this->assertRaw(SafeMarkup::set($old_revision_message)); + + $current_revision_message = t('!date by !username', array( + '!date' => $nodes[1]->link(format_date($nodes[1]->revision_timestamp->value, 'short')), + '!username' => $web_user, + )) . (($nodes[1]->revision_log->value != '') ? '

' . $nodes[1]->revision_log->value . '

' : ''); + $this->assertRaw(SafeMarkup::set($current_revision_message)); } + }