file_save_upload() calls SafeMarkup::set(), which is meant for internal use only.
- Remove the call by refactoring the code.
- If refactoring is not possible, thoroughly document where the string is coming from, why it is safe, and why SafeMarkup::set() is required.
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
- Usability review needed regarding output of a single <li>, rather than the use of the if/else pattern that does not render list items when only one item is present.
Manual testing steps (for XSS and double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Under Structure > Content types > Article > Manage fields > Image, set the maximum file size to 100 and the minimum resolution to 20000 x 20000.
- At node/add/article, upload an image file that violates both criteria, for example one that is 2 MB and 1440 × 960.
- See an error with two items in the list.
- Change one of the image field requirements to be more reasonable: make the maximum file size 2000000.
- Reload node/add/article.
- Upload an image (a similar example image is fine; it should now violate only the minimum resolution).
- See one error in the list.
- Compare the output above in HEAD and with the patch applied. Confirm that there is no double escaping.
- (N/A) If there is any user or calling code input in the string, submit it and ensure that it is sanitized.
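The two patterns the summary contrasts, and a mechanical version of the double-escaping check from the manual test, as an added example. This is not the file.inc patch and not core code: the function names, the sample file name and the two validation messages are constructed for the illustration. It assumes a bootstrapped Drupal 8 site (for instance run with drush php-script) so that t(), the 'renderer' service and the item_list theme hook are available; the "before" function additionally assumes a Drupal 8 beta that still ships SafeMarkup::set().

```php
<?php

/**
 * @file
 * Illustrative example only; see the lead-in for what it assumes.
 */

use Drupal\Component\Utility\SafeMarkup;

/**
 * Pre-patch style: concatenate strings, then declare the result safe.
 *
 * SafeMarkup::set() records the string as safe and escapes nothing. Any entry
 * of $errors that was not escaped upstream ships as raw HTML, and an entry
 * that was already escaped may later be escaped a second time.
 */
function example_upload_errors_before($filename, array $errors) {
  $message = t('The specified file %name could not be uploaded.', ['%name' => $filename]);
  if (count($errors) > 1) {
    $message .= '<ul><li>' . implode('</li><li>', $errors) . '</li></ul>';
  }
  else {
    $message .= ' ' . reset($errors);
  }
  return SafeMarkup::set($message);
}

/**
 * Refactored style: build a render array and let the renderer escape once.
 *
 * Plain-string items are autoescaped by Twig; items that already implement
 * MarkupInterface (such as the result of t()) pass through untouched, so
 * nothing is escaped twice. A single error renders as a one-item list, which
 * is the usability question raised in the summary.
 */
function example_upload_errors_after($filename, array $errors) {
  $build = [
    'message' => [
      '#markup' => t('The specified file %name could not be uploaded.', ['%name' => $filename]),
    ],
    'errors' => [
      '#theme' => 'item_list',
      '#items' => $errors,
    ],
  ];
  return \Drupal::service('renderer')->renderPlain($build);
}

/**
 * The two things the manual test looks for: raw markup that should have been
 * escaped, and entities that were escaped twice.
 */
function example_check_escaping($rendered) {
  $html = (string) $rendered;
  $problems = [];
  if (preg_match('/<(script|img)\b/i', $html)) {
    $problems[] = 'unescaped markup reached the output';
  }
  if (preg_match('/&amp;(lt|gt|amp|quot|#039);/', $html)) {
    $problems[] = 'double escaping';
  }
  return $problems;
}

// Constructed sample input: a hostile file name, one error built safely with
// t() and one raw string standing in for a validator message that was
// assembled by concatenation.
$filename = 'photo<script>alert(1)</script>&co.png';
$errors = [
  t('The image is too small; the minimum dimensions are %dimensions pixels.', ['%dimensions' => '20000x20000']),
  'The file is <img src=x onerror=alert(1)> exceeding the maximum file size of 100 bytes.',
];

$outputs = [
  'before' => example_upload_errors_before($filename, $errors),
  'after' => example_upload_errors_after($filename, $errors),
];
foreach ($outputs as $label => $out) {
  $problems = example_check_escaping($out);
  print $label . ': ' . ($problems ? implode(', ', $problems) : 'clean') . "\n";
}
```

Reduce $errors to one entry to exercise the single-item branch: the "before" function then inlines the error after the sentence, while the "after" function still produces a one-item list, which is exactly the output the usability review in the summary needs to weigh in on.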
User interface changes (screenshots)
- Before, with only one message
- After, with only one message
- Before, with more than one message
- After, with more than one message
- With JavaScript
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,778 pass(es).