diff --git a/core/modules/node/src/Plugin/Search/NodeSearch.php b/core/modules/node/src/Plugin/Search/NodeSearch.php
index 87a3851..53932d9 100644
--- a/core/modules/node/src/Plugin/Search/NodeSearch.php
+++ b/core/modules/node/src/Plugin/Search/NodeSearch.php
@@ -333,10 +333,9 @@ protected function prepareResults(StatementInterface $found) {
 $build['#pre_render'][] = array($this, 'removeSubmittedInfo');
 // Fetch comment count for snippet.
- $rendered = SafeMarkup::set(
- $this->renderer->renderPlain($build) . ' ' .
- SafeMarkup::escape($this->moduleHandler->invoke('comment', 'node_update_index', array($node, $item->langcode)))
- );
+ $built = $this->renderer->renderPlain($build);
+ $comments = $this->moduleHandler->invoke('comment', 'node_update_index', array($node, $item->langcode));
+ $rendered = SafeMarkup::format('@built @comments', ['@built' => $built, '@comments' => $comments]);
 $extra = $this->moduleHandler->invokeAll('node_search_result', array($node, $item->langcode));
diff --git a/core/modules/search/src/Tests/SearchCommentTest.php b/core/modules/search/src/Tests/SearchCommentTest.php
index b9916e2..fc96911 100644
--- a/core/modules/search/src/Tests/SearchCommentTest.php
+++ b/core/modules/search/src/Tests/SearchCommentTest.php
@@ -126,6 +126,12 @@ function testSearchResultsComment() {
 $edit_comment['comment_body[0][format]'] = $full_html_format_id;
 $this->drupalPostForm('comment/reply/node/' . $node->id() .'/comment', $edit_comment, t('Save'));
+ // Post a comment with an evil script as its subject.
+ $edit_comment2 = array();
+ $edit_comment2['subject[0][value]'] = "";
+ $edit_comment2['comment_body[0][value]'] = '
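Review bot: The `@built` placeholder on the new `$rendered` line assumes `renderPlain()` returns a value that `SafeMarkup::format()` already treats as safe markup; if it is a plain string, the entire rendered node snippet gets HTML-escaped in search results, so that assumption should be stated, e.g. `// @built is already safe markup from renderPlain(); @comments is untrusted and is escaped by the @ placeholder.` The `@comments` placeholder is now the only escaping applied to the comment module's output, which matches what the test in this commit expects. The existing `// Fetch comment count for snippet.` comment looks stale, since `$comments` is rendered into the result as text rather than used as a count, though the hook's return value is not visible in this hunk. `prepareResults()` continues outside the hunk.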

goodbye

';
+ $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save'));
+
 // Invoke search index update.
 $this->drupalLogout();
 $this->cronRun();
@@ -152,6 +158,14 @@ function testSearchResultsComment() {
 $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
 $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.');
+ // Search for the evil comment subject.
+ $edit = array(
+ 'keys' => "hello",
+ );
+ // Verify the evil comment subject is escaped in search results.
+ $this->drupalPostForm('search/node', $edit, t('Search'));
+ $this->assertRaw('alert('hello');');
+
 // Hide comments.
 $this->drupalLogin($this->adminUser);
 $node->set('comment', CommentItemInterface::HIDDEN);
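Review bot: The new `assertRaw('alert('hello');')` only checks that an escaped form of the subject is present in the results page; it does not prove the unescaped subject is absent, so pair it with `$this->assertNoRaw($edit_comment2['subject[0][value]'], 'Evil comment subject is not output unescaped.');`. `$edit_comment2` is built in the earlier hunk of this file, where its subject literal reads as an empty string on this page; if the payload really is missing there, neither assertion exercises the escaping path. As shown here the `assertRaw` argument also has unbalanced single quotes, which would not parse, so that is presumably an artefact of how this page was extracted rather than the committed code. `testSearchResultsComment()` continues outside the hunk.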