diff --git a/core/modules/dblog/src/Controller/DbLogController.php b/core/modules/dblog/src/Controller/DbLogController.php
index 572b9ae..00fb530 100644
--- a/core/modules/dblog/src/Controller/DbLogController.php
+++ b/core/modules/dblog/src/Controller/DbLogController.php
@@ -267,7 +267,7 @@ public function eventDetails($event_id) {
),
array(
array('data' => $this->t('Message'), 'header' => TRUE),
- $message,
+ array('data' => array('#markup' => $message)),
),
array(
array('data' => $this->t('Severity'), 'header' => TRUE),
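Review bot: The new `'#markup'` cell on the Message row carries no comment saying why the cell is no longer a plain value, and the reason is not obvious from this hunk: formatMessage() now returns a plain string (already passed through Xss::filterAdmin()) rather than the TranslatableMarkup that t() produced, so a bare string here would be auto-escaped by the table renderer and the admin-permitted tags would show as entities. A short why-comment above line `array('data' => array('#markup' => $message)),` would save the next maintainer the trip: `// formatMessage() returns a plain, Xss::filterAdmin()-filtered string; render it as #markup so the cell keeps admin-safe tags instead of escaping them.` formatMessage() is documented as returning FALSE when message or variables are unset, which would give `'#markup' => FALSE` here; that presumably renders as an empty cell, but it is worth confirming rather than assuming. eventDetails() starts before and continues past this hunk.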
@@ -337,7 +337,7 @@ protected function buildFilterQuery() {
* The record from the watchdog table. The object properties are: wid, uid,
* severity, type, timestamp, message, variables, link, name.
*
- * @return string|\Drupal\Core\StringTranslation\TranslatableMarkup|false
+ * @return string|false
* The formatted log message or FALSE if the message or variables properties
* are not set.
*/
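Review bot: The updated `@return string|false` line drops the markup type but does not tell callers what kind of string they now get, which matters for output decisions: the value has been through Xss::filterAdmin(), so admin-permitted tags survive, and it is no longer a MarkupInterface object, so any context that auto-escapes will entity-encode those tags. I would extend the description to `The formatted log message, already filtered with Xss::filterAdmin() (admin-safe tags are kept), or FALSE if the message or variables properties are not set.` The body of formatMessage() is in the following hunk; this hunk covers only its docblock.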
@@ -346,12 +346,13 @@ public function formatMessage($row) {
if (isset($row->message) && isset($row->variables)) {
// Messages without variables or user specified text.
if ($row->variables === 'N;') {
- $message = Xss::filterAdmin($row->message);
+ $message = $row->message;
}
// Message to translate with injected variables.
else {
- $message = $this->t(Xss::filterAdmin($row->message), unserialize($row->variables));
+ $message = $this->t($row->message, unserialize($row->variables));
}
+ $message = Xss::filterAdmin($message);
}
else {
$message = FALSE;
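Review bot: The added `$message = Xss::filterAdmin($message);` changes the return type from the TranslatableMarkup that t() produced to a plain string, so every caller that previously relied on that value being safe markup now gets a string that auto-escaping contexts will entity-encode; eventDetails() is adjusted in this commit, but other consumers of formatMessage() (the overview listing, if it uses this method — I cannot see it here) should be checked the same way. The move of the filter from the template to the substituted result also deserves a why-comment, since a reader may otherwise move it back: `// Filter after placeholder substitution so markup carried in the variables is filtered as well as the message template.` (presumably the motivation, given the test added in this commit). Separately, `unserialize($row->variables)` accepts arbitrary serialized objects from the watchdog row; where PHP 7 is available, `unserialize($row->variables, ['allowed_classes' => FALSE])` limits the payload to scalars and arrays, which is all the placeholder substitution needs. The closing `return $message;` of formatMessage() lies past the end of this hunk.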
diff --git a/core/modules/dblog/src/Tests/DbLogTest.php b/core/modules/dblog/src/Tests/DbLogTest.php
index 90cb6c2..15b44ed 100644
--- a/core/modules/dblog/src/Tests/DbLogTest.php
+++ b/core/modules/dblog/src/Tests/DbLogTest.php
@@ -117,6 +117,32 @@ public function testLogEventPage() {
}
/**
+ * Make sure log messages in log pages are properly escaped.
+ */
+ public function testLogEventPageMessageEscaped() {
+ $this->drupalLogin($this->adminUser);
+
+ $context = [
+ 'request_uri' => 'http://example.com?dblog=1',
+ 'referer' => 'http://example.org?dblog=2',
+ 'uid' => 0,
+ 'channel' => 'testing',
+ 'link' => 'foo/bar',
+ 'ip' => '0.0.1.0',
+ 'timestamp' => REQUEST_TIME,
+ ];
+
+ // Make sure HTML tags are filtered out in admin/reports/dblog/event/ too.
+ \Drupal::service('logger.dblog')->log(RfcLogLevel::NOTICE, " Lorem ipsum", $context);
+ $wid = db_query('SELECT MAX(wid) FROM {watchdog}')->fetchField();
+
+ $this->drupalGet('admin/reports/dblog/event/' . $wid);
+ $this->assertResponse(200);
+ $this->assertNoRaw("");
+ $this->assertRaw("alert('foo'); Lorem ipsum");
+ }
+
+ /**
* Verifies setting of the database log row limit.
*
* @param int $row_limit
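Review bot: testLogEventPageMessageEscaped() only exercises markup placed in the message template, while the controller change in this commit specifically moves Xss::filterAdmin() to run after placeholder substitution; a second log() call whose probe markup arrives through a placeholder value in `$context` (with the same assertNoRaw/assertRaw pair) would cover the path the fix actually targets. The string literals on the `log(...)`, `assertNoRaw(...)` and `assertRaw(...)` lines appear to have lost their tags in this rendering (as printed, `assertNoRaw("")` asserts against an empty string), so I am reading them as the same `<script>alert('foo');</script>` probe used in testOverviewLinks; worth a glance at the raw patch to confirm. The `REQUEST_TIME` and `db_query()` usage mirrors the block removed from testOverviewLinks, so I am not raising it separately.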
@@ -809,13 +835,6 @@ public function testOverviewLinks() {
// Make sure HTML tags are filtered out.
$this->assertRaw('title="alert('foo');Lorem ipsum dolor sit amet, consectetur adipiscing & elit. Entry #0"><script>alert('foo');</script>Lorem ipsum dolor sit…');
$this->assertNoRaw("");
-
- // Make sure HTML tags are filtered out in admin/reports/dblog/event/ too.
- $this->generateLogEntries(1, ['message' => " Lorem ipsum"]);
- $wid = db_query('SELECT MAX(wid) FROM {watchdog}')->fetchField();
- $this->drupalGet('admin/reports/dblog/event/' . $wid);
- $this->assertNoRaw("");
- $this->assertRaw("alert('foo'); Lorem ipsum");
}
}