core/modules/quickedit/src/MetadataGenerator.php | 2 +-
core/modules/quickedit/src/MetadataGeneratorInterface.php | 7 ++++---
core/modules/quickedit/src/Tests/QuickEditLoadingTest.php | 11 ++++++++++-
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/core/modules/quickedit/src/MetadataGenerator.php b/core/modules/quickedit/src/MetadataGenerator.php
index df676d0..1a17398 100644
--- a/core/modules/quickedit/src/MetadataGenerator.php
+++ b/core/modules/quickedit/src/MetadataGenerator.php
@@ -61,7 +61,7 @@ public function __construct(EditEntityFieldAccessCheckInterface $access_checker,
*/
public function generateEntityMetadata(EntityInterface $entity) {
return array(
- 'label' => $entity->label(),
+ 'label' => SafeMarkup::checkPlain($entity->label()),
);
}
diff --git a/core/modules/quickedit/src/MetadataGeneratorInterface.php b/core/modules/quickedit/src/MetadataGeneratorInterface.php
index 40d8bcf..cc94979 100644
--- a/core/modules/quickedit/src/MetadataGeneratorInterface.php
+++ b/core/modules/quickedit/src/MetadataGeneratorInterface.php
@@ -22,7 +22,8 @@
* The entity, in the language in which one of its fields is being edited.
* @return array
* An array containing metadata with the following keys:
- * - label: the user-visible label for the entity in the given language.
+ * - label: the user-visible label for the entity in the given language
+ * (HTML-safe).
*/
public function generateEntityMetadata(EntityInterface $entity);
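Review bot: The new `'label' => SafeMarkup::checkPlain($entity->label()),` line in generateEntityMetadata introduces an unqualified `SafeMarkup` reference, but no `use Drupal\Component\Utility\SafeMarkup;` appears anywhere in this diff; unless the file's use block (outside this hunk) already imports it, the name resolves inside the file's own namespace and the metadata endpoint would fatal on the first request. Please confirm the import exists or add it alongside this change. The line also silently changes the contract of the returned value from a raw label to a pre-escaped string, which matters for the JavaScript consumer: rendering it as HTML is now correct, while inserting it as text would double-encode. A one-line note at the point of escaping would make that explicit, e.g. `// Escaped here because the label is injected into the page as HTML by the client-side code; consumers must not escape it again.`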
@@ -35,10 +36,10 @@ public function generateEntityMetadata(EntityInterface $entity);
* The view mode the field should be rerendered in.
* @return array
* An array containing metadata with the following keys:
- * - label: the user-visible label for the field.
+ * - label: the user-visible label for the field (HTML-safe).
* - access: whether the current user may edit the field or not.
* - editor: which editor should be used for the field.
- * - aria: the ARIA label.
+ * - aria: the ARIA label (HTML-safe).
* - custom: (optional) any additional metadata that the editor provides.
*/
public function generateFieldMetadata(FieldItemListInterface $items, $view_mode);
diff --git a/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php b/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php
index 22cdb45..11a3676 100644
--- a/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php
+++ b/core/modules/quickedit/src/Tests/QuickEditLoadingTest.php
@@ -74,6 +74,7 @@ protected function setUp() {
// Create one node of the above node type using the above text format.
$this->drupalCreateNode(array(
'type' => 'article',
+ 'title' => '',
'body' => array(
0 => array(
'value' => '
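Review bot: The `(HTML-safe)` annotation added to the field `label` and `aria` keys of generateFieldMetadata is a promise this diff does not show being kept: the only escaping change in the commit is the entity label in MetadataGenerator::generateEntityMetadata, and no hunk touches the field-metadata implementation. If that implementation still returns the raw field label and ARIA string, the docblock now tells consumers they may inject those values as HTML without escaping, which is exactly the class of bug the commit is fixing. Either apply the same `SafeMarkup::checkPlain()` treatment in the implementation, or phrase the contract as an obligation on implementers rather than a fact, e.g. `- label: the user-visible label for the field; implementations MUST return it HTML-escaped.` The same wording should be used for `aria`, and it would help to state which escaping is meant (plain-text escaping via checkPlain), since "HTML-safe" on its own does not say whether markup is allowed.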

How are you?

',
@@ -81,6 +82,7 @@ protected function setUp() {
)
),
'revision_log' => $this->randomString(),
+ 'promote' => TRUE,
));
// Create 2 users, the only difference being the ability to use in-place
@@ -325,10 +327,17 @@ public function testTitleBaseField() {
// Retrieving the metadata should result in a 200 JSON response.
$htmlPageDrupalSettings = $this->drupalSettings;
- $post = array('fields[0]' => 'node/1/title/en/full');
+ $post = array(
+ 'entities[0]' => 'node/1',
+ 'fields[0]' => 'node/1/title/en/full',
+ );
$response = $this->drupalPostWithFormat('quickedit/metadata', 'json', $post);
$this->assertResponse(200);
$expected = array(
+ // The label should be safely encoded.
+ 'node/1' => array(
+ 'label' => '<script>alert("EVIL!")</script>',
+ ),
'node/1/title/en/full' => array(
'label' => 'Title',
'access' => TRUE,
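Review bot: The added fixture line `+ 'title' => '',` reads as an empty title in this view, which cannot produce the escaped script-tag label that testTitleBaseField later expects; most likely the markup payload was stripped when this page was rendered, but as shown the regression test would never exercise the escaping path. Please make sure the committed fixture actually carries the markup, and say why it is there so nobody later "cleans it up", e.g. `// Deliberately hostile title: the metadata test asserts it comes back HTML-escaped.` followed by `'title' => '<script>alert("EVIL!")</script>',`. The setUp() method this hunk edits begins before the hunk, so the node type and text format it relies on are not visible here.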