Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Add tests to cover XSS strings being passed into both config and entity override meta tag values.
| Comment | File | Size | Author |
|---|---|---|---|
| #22 | metatag-n2796701-22.interdiff.txt | 3.12 KB | DamienMcKenna |
| #22 | metatag-n2796701-22.patch | 6.14 KB | DamienMcKenna |
| |||
| #8 | metatag-n2796701-8.patch | 3.72 KB | DamienMcKenna |
| |||
| #4 | metatag-n2796701-4.patch | 4.98 KB | DamienMcKenna |
| |||
Comments
Comment #2
jlandfried CreditAttribution: jlandfried at Last Call Media commentedHello! I wanted to take a stab at this since I don't have a ton of experience writing tests, so any and all feedback is welcome.
In order to verify that the tests do indeed fail if xss was is not being filtered I temporarily set \Drupal\Component\Utility\Html::escape() and Drupal\Component\Render\PlainTextOutput::renderFromHtml() to both have a method body of
return (string) $text;Thanks! Hopefully this at least a decent start and is not too far off base.
Comment #3
jlandfried CreditAttribution: jlandfried at Last Call Media commentedComment #4
DamienMcKennaThanks for putting this together. I tweaked the image meta tag handling a little bit, and the output slightly.
Comment #6
DamienMcKennaCommitted.
Comment #7
DamienMcKennaNeeds to be ported to the D7 branch.
Comment #8
DamienMcKennaSome tests for the page title.
Comment #9
DamienMcKennaOf course it'd help if I set it to test against the correct branch X-)
Comment #12
DamienMcKennaThe tests work against the 8.x-1.x branch :) Committed.
Comment #13
DamienMcKennaBack to needing to be ported.
Comment #14
DamienMcKennaComment #15
mariodan CreditAttribution: mariodan at Last Call Media commentedHere is an attempt at making this xss test ported to the D7 branch. To verify the tests would fail if input was not sanitized, I disabled check_plain temporarily.
Please let me know if I should make any changes.
Thank you!
Comment #16
mariodan CreditAttribution: mariodan at Last Call Media commentedComment #18
mariodan CreditAttribution: mariodan at Last Call Media commentedHere is that xss test ported to the D7 branch again. It think it was failing before because I created the patch wrong and a new file was not being created when the patch was applied in the test.
Comment #19
mariodan CreditAttribution: mariodan at Last Call Media commentedComment #20
DamienMcKennaBumping this to beta12.
Comment #21
DamienMcKennaDuh, it was already committed to beta11.
Comment #22
DamienMcKennaMinor tweaks.
Comment #24
DamienMcKennaCommitted. Thanks for the backport, @DrupalDano!