Closed (fixed)
Project:
Drupal core
Version:
8.0.x-dev
Component:
base system
Priority:
Major
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
15 Sep 2015 at 06:40 UTC
Updated:
30 Sep 2015 at 12:44 UTC
Comments
Comment #2
alexpott

Comment #3
dawehner
The escaping of the title is alright.
While testing I realized that the escaping of the description doesn't work. Well, changing the .info file already means being able to change some other files, which certainly could do much more.
Comment #4
xjm
@dawehner, how did you test it?
@alexpott said of this one:
but I didn't investigate that.
Comment #5
dawehner
Well, I hacked <script>alert(123);</script> into bartik for the name of the theme ... and yeah, the description is neither escaped nor XSS filtered (which it should be, probably), but it's a problem of this particular issue.
Comment #6
xjm
Right, I remember discussing a related issue (whereby module developers could put XSS in their .info.yml) earlier this summer. But agreed that using @placeholder for the theme name here is reasonable, especially if it's consistent with HEAD (and not double-escaped) based on your manual testing. And that the rest of the escaping (or not) for this extension metadata is out of scope here.

For automated test coverage, I don't think it makes any sense to add tests for the single (and not double) escaping of special characters in a theme name, since it's not user input and arguably not even valid in the first place for it to contain special characters. So committed and pushed to 8.0.x. Thanks!
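The manual check xjm refers to in comment #6 (the theme name comes out escaped once, not twice, and the unescaped description from comment #5 does not) can be written down as a small script. The following is an added example, not code from this issue, the committed patch, or Drupal core: the placeholder formatter is a deliberately simplified stand-in for the '@' and '%' handling of Drupal 8's FormattableMarkup, and the message strings, function names and the injected theme name are all constructed for the demonstration.

```php
<?php
// Added example, not Drupal core code. A minimal stand-in for the
// '@placeholder' / '%placeholder' handling of Drupal 8's
// \Drupal\Component\Render\FormattableMarkup, used to check that a theme
// name read from an .info.yml file is escaped exactly once in a message.

/**
 * Escape text the way Html::escape() does (assumption: htmlspecialchars with
 * ENT_QUOTES | ENT_SUBSTITUTE and UTF-8 is close enough for this check).
 */
function escape_once(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Simplified placeholder formatter: '@name' is escaped, '%name' is escaped
 * and wrapped in <em class="placeholder">, any other prefix is left alone.
 */
function format_placeholders(string $format, array $args): string {
  foreach ($args as $key => $value) {
    switch (substr((string) $key, 0, 1)) {
      case '@':
        $args[$key] = escape_once((string) $value);
        break;

      case '%':
        $args[$key] = '<em class="placeholder">' . escape_once((string) $value) . '</em>';
        break;

      default:
        // Unknown prefix: value is inserted untouched, which is exactly where
        // untrusted text would become XSS.
        $args[$key] = (string) $value;
    }
  }
  return strtr($format, $args);
}

/**
 * TRUE when $raw appears in $rendered escaped exactly once: the
 * single-escaped form is present and the double-escaped form is absent.
 */
function escaped_exactly_once(string $rendered, string $raw): bool {
  $once = escape_once($raw);
  $twice = escape_once($once);
  return strpos($rendered, $once) !== FALSE && strpos($rendered, $twice) === FALSE;
}

// Constructed input: the value dawehner injected as Bartik's theme name.
$theme_name = '<script>alert(123);</script>';
$description = 'A flexible theme <script>alert(456);</script>';

// Case 1: theme name passed through '@theme' (the pattern endorsed in the thread).
$message = format_placeholders('@theme is now the default theme.', ['@theme' => $theme_name]);
echo "single escape via @theme: ", var_export(escaped_exactly_once($message, $theme_name), TRUE), "\n";

// Case 2: a value that was already escaped by the caller gets escaped again.
$double = format_placeholders('@theme is now the default theme.', ['@theme' => escape_once($theme_name)]);
echo "pre-escaped value via @theme: ", var_export(escaped_exactly_once($double, $theme_name), TRUE), "\n";

// Case 3: description concatenated into the markup with no placeholder at all
// (the unescaped path described in comment #5): the raw tag survives.
$unescaped = 'Description: ' . $description;
echo "raw tag survives in description: ", var_export(strpos($unescaped, '<script>') !== FALSE, TRUE), "\n";
```

Run it with `php check_escaping.php` (file name is an assumption). The three cases correspond to the three outcomes discussed in the thread: correct single escaping through a '@' placeholder, the double-escaping that the manual test against HEAD was meant to rule out, and the description path that is left unescaped and was declared out of scope for this issue.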
Comment #8
xjm

Comment #9
alexpott