diff -u b/core/modules/dblog/src/Controller/DbLogController.php b/core/modules/dblog/src/Controller/DbLogController.php
--- b/core/modules/dblog/src/Controller/DbLogController.php
+++ b/core/modules/dblog/src/Controller/DbLogController.php
@@ -267,7 +267,7 @@
),
array(
array('data' => $this->t('Message'), 'header' => TRUE),
- $message,
+ array('data' => array('#markup' => $message)),
),
array(
array('data' => $this->t('Severity'), 'header' => TRUE),
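Review bot: The wrapping on the `+` line is only as safe as the type of `$message`: the render system filters a plain-string `#markup` through `Xss::filterAdmin()`, but a `MarkupInterface` object (such as the `TranslatableMarkup` the old `@return` allowed) placed in `#markup` is treated as already safe and is not filtered, and nothing in this hunk shows that `$message` is now a real string. That dependency deserves a why-comment on the new line, e.g. `// #markup runs a plain string through Xss::filterAdmin(); $message must be a string here, not a MarkupInterface object.`. Note that `filterAdmin()` removes `<script>` but keeps the admin-allowed tag set, so the message is filtered rather than fully escaped. The enclosing method's body begins and ends outside the hunk.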
@@ -337,7 +337,7 @@
* The record from the watchdog table. The object properties are: wid, uid,
* severity, type, timestamp, message, variables, link, name.
*
- * @return string|\Drupal\Core\StringTranslation\TranslatableMarkup|false
+ * @return string|false
* The formatted log message or FALSE if the message or variables properties
* are not set.
*/
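Review bot: The narrowed `@return string|false` is not backed by anything visible in the hunk: the docblock is the only part of the method shown, and the return statements that would have to produce a plain string rather than the previously documented `TranslatableMarkup` lie outside it, so the claim should be checked against the actual body. Because the plain-string type is what lets the caller rely on `#markup` filtering, the docblock should also say why it is a string, e.g. ` *   Returned as a plain string rather than a MarkupInterface object so that` / ` *   callers rendering it via '#markup' get the standard XSS filtering.`. The enclosing method starts and ends outside the hunk.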
only in patch2:
unchanged:
--- a/core/modules/dblog/src/Tests/DbLogTest.php
+++ b/core/modules/dblog/src/Tests/DbLogTest.php
@@ -809,11 +809,19 @@ public function testOverviewLinks() {
// Make sure HTML tags are filtered out.
$this->assertRaw('title="alert('foo');Lorem ipsum dolor sit amet, consectetur adipiscing & elit. Entry #0"><script>alert('foo');</script>Lorem ipsum dolor sit…');
$this->assertNoRaw("");
+ }
+
+ /**
+ * Make sure the log messages in detailed pages are properly escaped.
+ */
+ public function testLogEventPageMessageEscaped() {
+ $this->drupalLogin($this->adminUser);
// Make sure HTML tags are filtered out in admin/reports/dblog/event/ too.
$this->generateLogEntries(1, ['message' => " Lorem ipsum"]);
$wid = db_query('SELECT MAX(wid) FROM {watchdog}')->fetchField();
$this->drupalGet('admin/reports/dblog/event/' . $wid);
+ $this->assertResponse(200);
$this->assertNoRaw("");
$this->assertRaw("alert('foo'); Lorem ipsum");
}
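Review bot: The comment `// Make sure HTML tags are filtered out in admin/reports/dblog/event/ too.` was carried into the new `testLogEventPageMessageEscaped()` unchanged, but `too` referred to the overview-page check that now lives in the previous method, so it should read `// Make sure HTML tags are filtered out on the event detail page.`. The new docblock says the messages are `properly escaped`, whereas the assertions check that the `<script>` element is removed while its text `alert('foo'); Lorem ipsum` survives, which is filtering rather than escaping; `Make sure HTML in log messages is filtered on the event detail page.` describes the test more accurately. The `assertNoRaw` argument on the line after `assertResponse(200)` appears empty in this rendering of the diff; presumably the markup was dropped by the page extraction, but it is worth confirming the committed assertion still names the tag it expects to be absent.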