template_preprocess_file_widget_multiple() calls SafeMarkup::set() which is meant to be for internal use only.
- Remove the call by refactoring the code. If refactoring is not possible, thoroughly document where the string is coming from, why it is safe, and why SafeMarkup::set() is required.
- Tests not needed. See #39: "button elements are interface-translated, which is an admin permission, so we do not need special XSS tests".
- (done: refactored using show()) Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- (done) Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
- Manual testing / markup before-and-after screenshots.
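As an added illustration of the refactoring the checklist asks for (not the patch from this issue, and not file.module's actual code), the pattern on the left renders the table to a string and marks it safe wholesale, while the pattern on the right keeps render arrays so the renderer escapes each cell. The `$element` structure and the two function names are constructed for this example; SafeMarkup::set(), drupal_render(), hide(), show(), t(), '#type' => 'table' and '#plain_text' are the real Drupal 8 APIs.

```php
<?php

use Drupal\Component\Utility\SafeMarkup;

// Constructed stand-in for $variables['element']: one child per uploaded
// file. The filename is user-controlled; 'weight' is a child render element.
$element = [
  'file_0' => [
    'filename' => 'report.pdf',
    'weight' => ['#type' => 'weight', '#title' => t('Weight'), '#default_value' => 0],
  ],
  'file_1' => [
    'filename' => '<b>notes</b>.txt',
    'weight' => ['#type' => 'weight', '#title' => t('Weight'), '#default_value' => 1],
  ],
];

// Before (the pattern this issue removes): cells are built by string
// concatenation, the table is rendered to a string inside preprocess, and the
// whole string is then marked safe. The filename reaches the browser
// unescaped, and a reviewer cannot tell from the call site what was escaped.
function file_widget_table_before(array $element) {
  $rows = [];
  foreach ($element as $item) {
    $rows[] = ['<strong>' . $item['filename'] . '</strong>'];
  }
  $table = ['#type' => 'table', '#header' => [t('File information')], '#rows' => $rows];
  return SafeMarkup::set(drupal_render($table));
}

// After: keep everything as render arrays and let the template print them.
// '#plain_text' is escaped at render time, so nothing is marked safe by hand.
// A child that was hidden with hide() (so the widget does not print it twice)
// is re-enabled with show() when it is placed inside a table cell.
function file_widget_table_after(array &$element) {
  $rows = [];
  foreach ($element as &$item) {
    hide($item['weight']);
    $rows[] = [
      ['data' => ['#plain_text' => $item['filename']]],
      ['data' => show($item['weight'])],
    ];
  }
  return [
    '#type' => 'table',
    '#header' => [t('File information'), t('Weight')],
    '#rows' => $rows,
  ];
}
```

The manual check in the steps below is exactly this comparison: with the render-array version, the second filename appears literally as `<b>notes</b>.txt` and is not bolded, and no `&amp;lt;` double-escaping shows up in the markup.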
Manual testing steps (for XSS and double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Add an unlimited-value file field on the article node type.
- Create a new article node, and upload several files into the new file field using the multiple file widget.
- After uploading the files but before saving the node, compare the output of the node add form, in HEAD and with the patch applied. Confirm that the markup is identical and there is no double-escaping.
If there is any user or calling code input in the string, submit
and ensure that it is sanitized.
User interface changes
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 100,827 pass(es).
FAILED: [[SimpleTest]]: [PHP 5.5 MySQL] 100,685 pass(es), 44 fail(s), and 3 exception(s).
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 98,793 pass(es).