Problem/Motivation

Discovered whilst working on #2780285: XSS in date format configuration. In converting part of \Drupal\system\Tests\System\DateTimeTest to JavascriptTestBase I discovered that the following code has a problem:

$this->assertEscaped("<script>alert('XSS');</script>", 'The date format was properly escaped');

Eventually this code ends up doing:

>>> \Drupal\Component\Utility\Html::escape("<script>alert('XSS');</script>");
=> "&lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;"

The problem is that &#039; is converted to ' by the browser and is never present in the raw response.

Proposed resolution

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None
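The Problem/Motivation section above hinges on one detail: `Html::escape()` emits `&quot;` and `&#039;` for the two quote characters, but a JavaScript test never sees the raw HTTP body. The WebDriver page source is the browser's own re-serialisation of the parsed DOM, and the HTML fragment serialisation algorithm escapes only `&`, `<`, `>` (and U+00A0) in text nodes and only `&` and `"` (and U+00A0) in attribute values, so quotes come back as plain characters. The following is an added example written for this page, not Drupal core code; the function names are hypothetical, and `expectedEscapedInPageSource()` is an assumption about how a JavaScript-test `assertEscaped()` has to form its needle, based on the docblock quoted later in the thread.

```javascript
// Added example (not Drupal core code): why assertEscaped() built on
// Html::escape() output fails in a JavascriptTestBase test but passes in a
// BrowserTestBase test that inspects the raw response.

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES), which is what
// \Drupal\Component\Utility\Html::escape() relies on.
function htmlEscapeEntQuotes(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal character-reference decoder: the named references htmlspecialchars
// can emit plus decimal/hex numeric references. Unknown references are kept.
const NAMED_REFERENCES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };
function decodeReferences(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isNaN(cp) || cp > 0x10ffff ? whole : String.fromCodePoint(cp);
    }
    const named = NAMED_REFERENCES[body];
    return named === undefined ? whole : named;
  });
}

// What the browser writes back when it serialises a text node: only &, <, >
// and U+00A0 are escaped. Quotes are left alone, so &#039; can never appear.
function serializeTextLikeBrowser(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '\u00a0': '&nbsp;' };
  return text.replace(/[&<>\u00a0]/g, (c) => map[c]);
}

// Same thing for an attribute value: only &, " and U+00A0 are escaped.
function serializeAttributeLikeBrowser(value) {
  const map = { '&': '&amp;', '"': '&quot;', '\u00a0': '&nbsp;' };
  return value.replace(/[&"\u00a0]/g, (c) => map[c]);
}

// Round trip for a text node the server rendered with Html::escape(payload):
// raw response -> parsed DOM -> page source handed back by the driver.
function pageSourceForEscapedText(payload) {
  return serializeTextLikeBrowser(decodeReferences(htmlEscapeEntQuotes(payload)));
}

// Same round trip when the escaped payload sits in an attribute value.
function pageSourceForEscapedAttribute(payload) {
  return serializeAttributeLikeBrowser(decodeReferences(htmlEscapeEntQuotes(payload)));
}

// Assumption (hypothetical helper): the needle a JavaScript-test assertEscaped()
// must search for is Html::escape() output with the two quote references undone.
function expectedEscapedInPageSource(payload) {
  return htmlEscapeEntQuotes(payload).replace(/&quot;/g, '"').replace(/&#039;/g, "'");
}

// The assertion as written in the issue summary: search the driver output for
// the literal Html::escape() string. Fails as soon as the payload has a quote.
function rawResponseAssertionPasses(payload, driverOutput) {
  return driverOutput.includes(htmlEscapeEntQuotes(payload));
}

// The assertion a JavascriptTestBase test needs instead.
function pageSourceAssertionPasses(payload, driverOutput) {
  return driverOutput.includes(expectedEscapedInPageSource(payload));
}
```

Running `pageSourceForEscapedText("<script>alert('XSS');</script>")` reproduces the `&lt;script&gt;alert('XSS');&lt;/script&gt;` form shown in the comments below, while `htmlEscapeEntQuotes()` on the same input reproduces the `&#039;` form the issue summary quotes; `rawResponseAssertionPasses()` returns false for that pair and `pageSourceAssertionPasses()` returns true. The attribute variant is included because `"` is still escaped there, so a test that inspects attributes cannot simply drop both quote references.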


Comments

alexpott created an issue. See original summary.

alexpott:

Here are some tests that show the problem - I've also added a test to BrowserTestBaseTest to prove we don't have a problem there.

alexpott:

In the JavaScript test the single and double quotes are not the characters returned by Html::escape()... Here's what we see...

<div class="escaped">Escaped: &lt;"'&amp;&gt;</div><div class="escaped">&lt;script&gt;alert('XSS');alert("XSS");&lt;/script&gt;</div><div class="unescaped"><script>alert('Marked safe');alert("Marked safe");</script></div>

Status: Needs review » Needs work

The last submitted patch, 4: 2780475-4.patch, failed testing.

alexpott:

Status: Needs work » Needs review

Here's a patch that fixes it but discovers another problem with risky test identification for JavascriptTestBase tests.

alexpott:

OK, so all tests that install a module have an assertion, so the risky test thing is hard to trigger. Here's a simple solution to the problem here.

alexpott:

Let's make the test more explicit and more separated so there's no chance of something unexpected occurring.

mpdonadio:

This looks pretty good, but I would want to look at this when I get home on my dev machine so I can see the test run in place.

+++ b/core/modules/simpletest/tests/src/Functional/BrowserTestBaseTest.php
@@ -74,4 +74,30 @@ public function testError() {
+    $assert->assertNoEscaped('<p class="escaped">');
+++ b/core/modules/simpletest/tests/src/FunctionalJavascript/BrowserWithJavascriptTest.php
@@ -62,4 +69,30 @@ public function testCreateScreenshot() {
+    $assert->assertNoEscaped('<p class="escaped">');
+++ b/core/modules/system/tests/modules/test_page_test/src/Controller/Test.php
@@ -88,4 +89,30 @@ public function error() {
+      '#prefix' => '<div class="escaped">',
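Review bot: the two negative assertions `$assert->assertNoEscaped('<p class="escaped">');` target markup the route never emits, since the test_page_test controller hunk wraps its output in `'#prefix' => '<div class="escaped">'`, so both pass vacuously whether or not escaping works. Assert on `<div class="escaped">` instead, and pair each `assertNoEscaped()` with a `responseContains()` of the same string so the test also fails if the route stops rendering the wrapper altogether.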

Looks like the assertions need to check for a div instead of a p element?

alexpott:

Nice spot @mpdonadio - negative assertions should always be backed up by a positive one.

dawehner:

+++ b/core/modules/simpletest/tests/src/Functional/BrowserTestBaseTest.php
@@ -74,4 +74,30 @@ public function testError() {
+    $this->drupalGet('test-escaped-characters');
+    $assert->assertNoEscaped('<p class="escaped">');
...
+
+    $this->drupalGet('test-escaped-script');
+    $assert->assertNoEscaped('<p class="escaped">');
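Review bot: this hunk still checks `<p class="escaped">` on both routes and has no positive assertion, while the BrowserWithJavascriptTest hunk for the same routes checks `<div class="escaped">` and follows each `assertNoEscaped()` with a `responseContains()`. Bring the functional test in line: assert on the div and add the matching `responseContains()`, otherwise the negative assertion is satisfied trivially by any response that contains no `<p class="escaped">` at all.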

+++ b/core/modules/simpletest/tests/src/FunctionalJavascript/BrowserWithJavascriptTest.php
@@ -62,4 +69,34 @@ public function testCreateScreenshot() {
+
+    $this->drupalGet('test-escaped-characters');
+    $assert->assertNoEscaped('<div class="escaped">');
+    $assert->responseContains('<div class="escaped">');
...
+    $this->drupalGet('test-unescaped-script');
+    $assert->assertNoEscaped('<div class="unescaped">');
+    $assert->responseContains('<div class="unescaped">');

Don't we have the same problem over in BTBT as well?

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

alexpott:

@dawehner good point.

mpdonadio:

I think this looks nice. Few questions / comments.

  1. +++ b/core/modules/simpletest/tests/src/Functional/BrowserTestBaseTest.php
    @@ -79,4 +79,34 @@ public function testError() {
    +    $assert->assertEscaped('<');
    +    $assert->assertEscaped('\'');
    +    $assert->assertEscaped('"');
    +    $assert->assertEscaped('>');
    +    $assert->assertEscaped('&');
    +
    
    +++ b/core/modules/simpletest/tests/src/FunctionalJavascript/BrowserWithJavascriptTest.php
    @@ -62,4 +69,34 @@ public function testCreateScreenshot() {
    +    $assert->assertEscaped('<');
    +    $assert->assertEscaped('\'');
    +    $assert->assertEscaped('"');
    +    $assert->assertEscaped('>');
    +    $assert->assertEscaped('&');
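Review bot: asserting `assertEscaped('<')`, `assertEscaped('"')` and the rest one character at a time proves little, because `&lt;`, `&quot;` or `&amp;` will almost certainly occur somewhere else in a full page response (attribute values, other escaped strings), so both hunks can pass even when the test_page_test output itself is not escaped. Assert on the complete rendered string the route emits (the `Escaped: <"'&>` text) so the match is tied to this output and not to the rest of the page.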
    

    Would $assert->assertEscaped('Escaped: <"\'&>'); be a safer test in case those characters are in the response escaped, for whatever reason?

  2. +++ b/core/tests/Drupal/FunctionalJavascriptTests/JSWebAssert.php
    @@ -28,4 +28,49 @@ public function assertWaitOnAjaxRequest($timeout = 10000, $message = 'Unable to
    +   * Drupal's Html::escape() uses the ENT_QUOTES flag with htmlspecialchars() to
    +   * escape both single and double quotes. With JavascriptTestBase testing the
    +   * browser is automatically converting &quot; and &#039; to double and single
    +   * quotes respectively therefore we can not escape them them when testing for
    +   * escaped HTML.
    +   *
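Review bot: the docblock attributes the conversion of `&quot;` and `&#039;` to "the browser" without saying where it happens or pointing at anything, and `them them` on the fourth quoted line is a typo. State the mechanism (the page source a WebDriver returns is a re-serialisation of the parsed DOM, not the raw HTTP body, so quote references are not preserved) or at least reference the test that pins the behaviour down, so a reader knows what to re-check if the driver changes.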
    

    I think we need a reference here. I cannot find anything about this behavior anywhere with Mink or PhantomJS.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

mpdonadio:

Issue tags: +Needs reroll

#14 doesn't apply anymore.

jofitz:

Issue tags: -Needs reroll

Re-rolled.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

alexpott:

Thanks for the review @mpdonadio. I agree with #15.1 - changed that.

Re #15.2 I can't find a thing to point to, but we have test coverage of what's happening, so if they change it then we've got it covered. This is not on the Mink level. It's below that. It's in how the webdriver implementation returns the content of the page. If you look at the value returned for the div we're interested in, it looks like this: <div class="escaped">Escaped: &lt;"'&amp;&gt;</div> - \Behat\Mink\Driver\Selenium2Driver::getContent(). There's no manipulation on the PHP level. I've looked in the webdriver spec and this is not mentioned either. There's nothing in the spec.

The last submitted patch, 23: 2780475-2-23.patch, failed testing.

mpdonadio:

Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs tests

Looks ready for prime time.

  • catch committed a97548e on 8.8.x
    Issue #2780475 by alexpott, Jo Fitzgerald, mpdonadio, dawehner:...
catch:

Status: Reviewed & tested by the community » Fixed
+++ b/core/tests/Drupal/FunctionalJavascriptTests/JSWebAssert.php
@@ -387,6 +387,51 @@ function t(r, lx, ly) {
+   * quotes respectively therefore we can not escape them them when testing for

Nit: them them (fixed on commit).

Committed 1d0a07f and pushed to 8.8.x. Thanks!

catch:

Version: 8.8.x-dev » 8.7.x-dev

And cherry-picked to 8.7.x, thanks!

  • catch committed 8454292 on 8.7.x
    Issue #2780475 by alexpott, Jo Fitzgerald, mpdonadio, dawehner:...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.