diff --git a/core/modules/system/src/Tests/Form/ModulesListFormWebTest.php b/core/modules/system/src/Tests/Form/ModulesListFormWebTest.php
index 489f6ff..c656bb4 100644
--- a/core/modules/system/src/Tests/Form/ModulesListFormWebTest.php
+++ b/core/modules/system/src/Tests/Form/ModulesListFormWebTest.php
@@ -19,7 +19,7 @@ class ModulesListFormWebTest extends WebTestBase {
/**
* {@inheritdoc}
*/
- public static $modules = array('system_test', 'help');
+ public static $modules = array('system_test', 'help', 'module_form_xss_test');
/**
* {@inheritdoc}
@@ -49,6 +49,9 @@ public function testModuleListForm() {
// Check that system_test's help link was rendered correctly.
$this->assertFieldByXPath("//a[contains(@href, '/admin/help/system_test') and @title='Help']");
+
+ // Checks for a XSS attack in a module description.
+ $this->assertEscaped('Support module for module form XSS testing. ');
}
}
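Review bot: `assertEscaped()` on line 18 only proves that the escaped form of the description is present; as shown, the string carries no markup and ends in a trailing space (the same description appears in the new module_form_xss_test.info.yml hunk), so if the markup payload was lost in rendering, both the fixture and this assertion need it restored, otherwise the escaped and raw forms coincide and the check passes vacuously. Pairing it with `$this->assertNoRaw()` on the unescaped description makes the test fail-closed whether or not the form escapes correctly. The comment on line 17 also reads better as `// Checks for an XSS attack in a module description.` testModuleListForm's body starts outside the hunk.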
diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc
index 1141a35..7b7677a 100644
--- a/core/modules/system/system.admin.inc
+++ b/core/modules/system/system.admin.inc
@@ -229,8 +229,16 @@ function theme_system_modules_details($variables) {
// Add the module label and expand/collapse functionality.
$id = Html::getUniqueId('module-' . $key);
- $col2 = '';
- $row[] = array('class' => array('module'), 'data' => SafeMarkup::set($col2));
+ $col2 = [
+ '#type' => 'inline_template',
+ '#template' => '',
+ '#context' => [
+ 'id' => $id,
+ 'enable_id' => $module['enable']['#id'],
+ 'module_name' => $module['name'],
+ ],
+ ];
+ $row[] = ['class' => ['module'], 'data' => $col2];
// Add the description, along with any modules it requires.
$description = '';
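Review bot: The inline_template on lines 30-38 has an empty `#template` as shown, while its `#context` supplies `id`, `enable_id` and `module_name` that nothing references; this looks like the template markup was lost in rendering, but if the source really is `''` the label cell renders blank and the context is dead code. The template should reference `{{ id }}`, `{{ enable_id }}` and `{{ module_name }}` so that Twig autoescaping covers the module name, which is the reason for moving away from `SafeMarkup::set()` here. theme_system_modules_details begins before this hunk.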
@@ -257,14 +265,18 @@ function theme_system_modules_details($variables) {
$description .= $links;
$description .= '';
}
+ $title = [
+ '#type' => 'inline_template',
+ '#template' => ' {{ module_description }}',
+ '#context' => ['module_description' => $module['description']],
+ ];
$details = array(
'#type' => 'details',
- '#title' => SafeMarkup::set(' ' . drupal_render($module['description']) . ''),
+ '#title' => $title,
'#attributes' => array('id' => $module['enable']['#id'] . '-description'),
'#description' => $description,
);
- $col4 = drupal_render($details);
- $row[] = array('class' => array('description', 'expand'), 'data' => $col4);
+ $row[] = ['class' => ['description', 'expand'], 'data' => $details];
$rows[] = $module['#attributes'] + array('data' => $row);
}
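Review bot: The escaping now depends on `$module['description']` reaching the inline_template on lines 46-50 as a plain string, yet the removed line 53 called `drupal_render()` on it, which suggests it was a render array. If it still arrives as a render array (for example with `#markup`), Twig renders it rather than escaping its contents and the markup the test targets would survive; the form builder that sets this value is not visible here, so that should be confirmed, and a comment above `$title` such as `// $module['description'] must be a plain string here so Twig autoescapes it.` records the expectation. Separately, `$description .= '';` on line 44 is a no-op as shown and presumably had its markup stripped. theme_system_modules_details continues outside the hunk.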
diff --git a/core/modules/system/tests/modules/module_form_xss_test/module_form_xss_test.info.yml b/core/modules/system/tests/modules/module_form_xss_test/module_form_xss_test.info.yml
new file mode 100644
index 0000000..1ac3bfb
--- /dev/null
+++ b/core/modules/system/tests/modules/module_form_xss_test/module_form_xss_test.info.yml
@@ -0,0 +1,6 @@
+name: 'Module form XSS test'
+type: module
+description: 'Support module for module form XSS testing. '
+package: Testing
+version: VERSION
+core: 8.x