diff --git a/core/modules/views_ui/src/Tests/XssTest.php b/core/modules/views_ui/src/Tests/XssTest.php index 36c0069..da992b4 100644 --- a/core/modules/views_ui/src/Tests/XssTest.php +++ b/core/modules/views_ui/src/Tests/XssTest.php @@ -8,6 +8,8 @@ namespace Drupal\views_ui\Tests; /** + * Tests the Xss vulnerability. + * * @group views_ui */ class XssTest extends UITestBase { @@ -24,7 +26,8 @@ public function testViewsUi() { $this->assertRaw('<script>alert("foo");</script>, <marquee>test</marquee>', 'The view tag is properly escaped.'); $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035'); - $this->assertRaw('&lt;marquee&gt;test&lt;/marquee&gt;', 'Field admin label is properly escaped.'); + $this->assertRaw('<marquee>test</marquee>', 'Field admin label is properly escaped.'); + $this->assertRaw('<script>alert("XSS");</script> (> -10 days)', 'Filter admin label is properly escaped.'); $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area'); $this->assertRaw('[title] == &lt;marquee&gt;test&lt;/marquee&gt;', 'Token label is properly escaped.'); diff --git a/core/modules/views_ui/src/ViewEditForm.php b/core/modules/views_ui/src/ViewEditForm.php index 2fc7fc4..677f43a 100644 --- a/core/modules/views_ui/src/ViewEditForm.php +++ b/core/modules/views_ui/src/ViewEditForm.php @@ -1072,13 +1072,13 @@ public function getFormBucket(ViewUI $view, $type, $display) { continue; } - $field_name = SafeMarkup::checkPlain($handler->adminLabel(TRUE)); + $field_name = Xss::filterAdmin($handler->adminLabel(TRUE)); if (!empty($field['relationship']) && !empty($relationships[$field['relationship']])) { $field_name = '(' . $relationships[$field['relationship']] . ') ' . $field_name; } $description = Xss::filterAdmin($handler->adminSummary()); - $link_text = $field_name . (empty($description) ? '' : " ($description)"); + $link_text = SafeMarkup::set($field_name . (empty($description) ? '' : " ($description)")); $link_attributes = array('class' => array('views-ajax-link')); if (!empty($field['exclude'])) { $link_attributes['class'][] = 'views-field-excluded'; diff --git a/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml b/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml index 580fdad..78ae083 100644 --- a/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml +++ b/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml @@ -165,7 +165,49 @@ display: plugin_id: field entity_type: node entity_field: title - filters: { } + filters: + changed: + id: changed + table: node_field_data + field: changed + relationship: none + group_type: group + admin_label: '' + operator: '>' + value: + min: '' + max: '' + value: '-10 days' + type: offset + group: 1 + exposed: false + expose: + operator_id: '' + label: '' + description: '' + use_operator: false + operator: '' + identifier: '' + required: false + remember: false + multiple: false + remember_roles: + authenticated: authenticated + is_grouped: false + group_info: + label: '' + description: '' + identifier: '' + optional: true + widget: select + multiple: false + remember: false + default_group: All + default_group_multiple: { } + group_items: { } + entity_type: node + entity_field: changed + plugin_id: date sorts: { } header: area: