Problem/Motivation

Comment #31 on #2307505: Port twig_debug output to Drupal 7 brought up that the twig_debug output is not sanitized: the theme hook name, file name suggestions and template path are written into HTML comments without escaping.

Proposed resolution

Add calls to \Drupal\Component\Utility\String::checkPlain() or similar.
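To show why the escaping matters, here is an added PHP example that is not Drupal core code and not the patch on this issue: a simplified reconstruction of the HTML comment block that twig_debug wraps around each rendered template, with the proposed escaping toggled on and off. The checkPlain() function below is a local stand-in for \Drupal\Component\Utility\String::checkPlain() (which wrapped htmlspecialchars()); the hook name, suggestion list and template path are constructed input, and leaksMarkup() is a helper written for this example.

```php
<?php
// Added example (not Drupal core or the patch on this issue): a simplified
// stand-in for the HTML comments twig_debug wraps around each rendered template.
// The hook name, file name suggestions and template path all come from
// theme-layer data, so they are the "variable bits of output" that need escaping.

/**
 * Local stand-in for \Drupal\Component\Utility\String::checkPlain().
 *
 * Escapes the characters that carry meaning in HTML, so a value can no longer
 * contain the "-->" that would terminate the surrounding debug comment.
 */
function checkPlain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Builds the debug comment block, optionally with the proposed escaping.
 *
 * @param string $hook
 *   Theme hook name (constructed input).
 * @param array $suggestions
 *   File name suggestions keyed by name; TRUE marks the one that was used.
 * @param string $template
 *   Path of the template that produced the output (constructed input).
 * @param bool $escape
 *   Whether to run the variable parts through checkPlain().
 */
function buildDebugComment(string $hook, array $suggestions, string $template, bool $escape): string {
  // Identity function when escaping is off, to reproduce the unsanitized output.
  $e = $escape ? 'checkPlain' : fn(string $s): string => $s;
  $lines = [
    '<!-- THEME DEBUG -->',
    "<!-- THEME HOOK: '" . $e($hook) . "' -->",
    '<!-- FILE NAME SUGGESTIONS:',
  ];
  foreach ($suggestions as $suggestion => $used) {
    $lines[] = '   ' . ($used ? 'x' : '*') . ' ' . $e($suggestion);
  }
  $lines[] = '-->';
  $lines[] = "<!-- BEGIN OUTPUT from '" . $e($template) . "' -->";
  return implode("\n", $lines) . "\n";
}

/**
 * Reports whether raw markup has escaped the comment context.
 *
 * A literal "<b>" still present means the value closed the comment early;
 * after escaping it can only survive as "&lt;b&gt;" inside the comment.
 */
function leaksMarkup(string $html): bool {
  return strpos($html, '<b>') !== FALSE;
}

// Constructed suggestion list: the second entry smuggles a comment terminator.
$suggestions = [
  'node--1--full.html.twig' => FALSE,
  'node--1.html.twig --><b>injected</b><!-- ' => TRUE,
];
$template = 'core/modules/node/templates/node.html.twig';

$unsafe = buildDebugComment('node', $suggestions, $template, FALSE);
$safe = buildDebugComment('node', $suggestions, $template, TRUE);

printf("unescaped output leaks markup: %s\n", leaksMarkup($unsafe) ? 'yes' : 'no');
printf("escaped output leaks markup:   %s\n", leaksMarkup($safe) ? 'yes' : 'no');
echo $safe;
```

The point the example makes is about context: inside an HTML comment the only dangerous sequence is the terminator, and checkPlain() neutralises it by encoding the ">" rather than by stripping anything, so the debug output stays readable. A test along the lines of leaksMarkup() is what keeps the fix from regressing, which is why the "Needs tests" tag was added on this issue.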

Remaining tasks

Sign-off and commit

User interface changes

n/a

API changes

n/a

Files:

#5 twig-debug-filter-2369781.pass_.patch (5.16 KB, larowlan): PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 81,950 pass(es).
#5 twig-debug-filter-2369781.fail_.patch (2.11 KB, larowlan): FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] 81,925 pass(es), 2 fail(s), and 0 exception(s).

Comments

xjm

Priority: Normal » Critical
Issue tags: +security

Critical because unsanitized output is bad.

Is there a way we could have the output autoescaped by Twig, rather than adding checkPlain() calls?

dawehner

Issue tags: +Needs tests

Ensure that we don't accidentally forget about it.

larowlan

Assigned: Unassigned » larowlan
Issue tags: +CriticalADay

patch coming

larowlan

Assigned: larowlan » Unassigned
Files: twig-debug-filter-2369781.fail_.patch (2.11 KB): FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] 81,925 pass(es), 2 fail(s), and 0 exception(s).
Files: twig-debug-filter-2369781.pass_.patch (5.16 KB): PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 81,950 pass(es).

larowlan

Status: Active » Needs review
Issue tags: -Needs tests

The last submitted patch, 5: twig-debug-filter-2369781.fail_.patch, failed testing.

Cottser

Issue summary: View changes
Status: Needs review » Reviewed & tested by the community

Thank you @larowlan! I don't see anything missing here, test coverage looks good and all the variable bits of output are now escaped.

webchick

Status: Reviewed & tested by the community » Fixed

Good catch!

Committed and pushed to 8.0.x. Thanks!

  • webchick committed 602a144 on 8.0.x
    Issue #2369781 by larowlan: Ensure twig_debug output has needed...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.