Add tests for SA-CORE-2021-002 [#3592099]

Background information

security.drupal.org private issue: https://security.drupal.org/node/166776
(included for reference. Please do not report access denied as an error.)

Problem/Motivation

It would be useful to have tests for this to avoid regressions.

Steps to reproduce

Proposed resolution

Add new scenarios to XssTest.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3592099

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3592099-add-tests-for changes, plain diff MR !15880
Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

26 May 2026 at 19:06

prudloff created an issue. See original summary.

Comment #2

26 May 2026 at 19:22

prudloff opened merge request !15880

Comment #3

prudloff commented 26 May 2026 at 19:31

Status:

Active

» Needs review

I reused a patch from the private issue so people who worked on it should be credited.

Comment #4

smustgrave commented 26 May 2026 at 22:14

Status:

Needs review

» Reviewed & tested by the community

Applied the MR
Reverted the change in commit https://git.drupalcode.org/project/drupal/-/commit/55422ceacc40e5cfac746...

Got


Failed asserting that two strings are identical.
Expected :'<a>I'm magic, click me!</a>'
Actual   :'<a -dummy=': href=javascript:alert(&quot;oh\x20no&quot;)//'>I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:500


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a class="good" -dummy=': href=javascript:alert(&quot;oh\x20no&quot;)//'>I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:500


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a -dummy=': href=javascript:alert(&quot;oh\x20no&quot;)//' class="good">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:500


Failed asserting that two strings are identical.
Expected :'<a>I'm magic, click me!</a>'
Actual   :'<a zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a class="good" zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//" class="good">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a>I'm magic, click me!</a>'
Actual   :'<a zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a class="good" zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//" class="good">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a>I'm magic, click me!</a>'
Actual   :'<a zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a class="good" zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499


Failed asserting that two strings are identical.
Expected :'<a class="good">I'm magic, click me!</a>'
Actual   :'<a zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-x=": href=javascript:alert(&quot;oh\x20no&quot;)//" class="good">I'm magic, click me!</a>'
<Click to see difference>

/var/www/html/core/tests/Drupal/Tests/Component/Utility/XssTest.php:499

Believe this is showing the test coverage.

Comment #5

alexpott

he/they

English

🇪🇺🌍

commented 3 June 2026 at 09:11

Version:	main	» 11.4.x-dev
Status:	Reviewed & tested by the community	» Fixed

Committed b76ac23 and pushed to main. Thanks!
Committed f415032 and pushed to 11.x. Thanks!
Committed 9b401a6 and pushed to 11.4.x. Thanks!

Backported to 11.4.x as a test-only fix.

Comment #6

3 June 2026 at 09:11

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Comment #7

3 June 2026 at 09:11

alexpott committed 9b401a64 on 11.4.x

task: #3592099 Add tests for SA-CORE-2021-002

By: prudloff
By:...

Comment #8

3 June 2026 at 09:11

alexpott committed f4150321 on 11.x

task: #3592099 Add tests for SA-CORE-2021-002

By: prudloff
By:...

Comment #9

3 June 2026 at 09:11

alexpott committed b76ac239 on main

task: #3592099 Add tests for SA-CORE-2021-002

By: prudloff
By:...

Comment #10

17 June 2026 at 09:15

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Add tests for SA-CORE-2021-002

Background information

Problem/Motivation

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3592099

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

News items

Our community

Documentation

Drupal code base

Governance of community