Add to commit credit: bohemier
NodeSearch::prepareResults() calls SafeMarkup::set(), which is meant for internal use only.
- Remove the call by refactoring the code. See #37
- If refactoring is not possible, thoroughly document where the string is coming from, why it is safe, and why SafeMarkup::set() is required.
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- (done in #41) Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
Manual testing steps (for XSS and double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Under "Manage" in the administration menu, select "Content", then "Add content" of type "Article". In the body field select "Full HTML", click on "Source" and add the following:
Textbefore <script>alert('XSS Body');</script> textafter
- Under the newly created Article node/1, add a comment with the title:
Titlebefore <script>alert('XSS Comment');</script> titleafter
and in the comment body choose "Full HTML", click on "Source" and add:
Textbefore <script>alert('XSS Comment');</script> textafter
- Under "Configure" in the administration menu, select "Search pages" and re-index the site.
- Select "Cron", then select "Run cron" so the search indexer runs (the search module is enabled in the standard install profile).
- From your site homepage search for "goodbye". You will see that the node body is not escaped, as it is supposed to be.
- From your site homepage search for "titleafter". You will see the escaped title in the comment title, because the title field uses plain text.
Compare the output above in HEAD and with the patch applied. Confirm that there is no double-escaping.
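To make the XSS and double-escaping checks above concrete, here is an added PHP illustration (not Drupal core code and not part of the patch) of the pattern the change record points to: recording "already safe" in the value's type instead of a global SafeMarkup::set() registry. The Markup class, render() and expect() are stand-ins assumed for this example; Drupal's real equivalents are MarkupInterface, FormattableMarkup and render arrays.

```php
<?php
// Added illustration for the issue above; not Drupal core code. Markup,
// render() and expect() are assumptions that model the MarkupInterface idea.

// A value object whose type, not a global registry, records "already safe".
final class Markup {
  public function __construct(private string $html) {}
  public function __toString(): string { return $this->html; }
}

// Escape exactly once: anything that is not a Markup object is treated as
// untrusted text, so a raw string can never reach output unescaped.
function render(string|Markup $value): string {
  return $value instanceof Markup
    ? (string) $value
    : htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function expect(bool $ok, string $what): void {
  if (!$ok) { throw new RuntimeException("FAILED: $what"); }
  echo "ok: $what\n";
}

// The two inputs from the manual test above.
$body  = "Textbefore <script>alert('XSS Body');</script> textafter";      // Full HTML body
$title = "Titlebefore <script>alert('XSS Comment');</script> titleafter"; // plain-text title

// Full HTML: the text format's filter output is trusted by site configuration,
// so it is wrapped as Markup once and the renderer leaves it unchanged.
$filteredBody = new Markup($body);
expect(render($filteredBody) === $body, 'Full HTML body is not escaped');

// Plain text: escaped on output, exactly once.
$once = render($title);
expect(str_contains($once, '&lt;script&gt;') && !str_contains($once, '<script>'),
  'plain-text title is escaped');

// Double-escaping check. SafeMarkup::set() was used to stop a second pass from
// turning &lt; into &amp;lt;. With a typed value, safe output stays Markup and
// a second render() is a no-op, while a bare string is escaped again and would
// show up as &amp;lt; in the page source.
expect(render(new Markup($once)) === $once, 'marked output is not double-escaped');
expect(str_contains(render($once), '&amp;lt;'), 'bare string would be double-escaped');
```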
User interface changes
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 103,211 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 102,596 pass(es).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 102,595 pass(es).