diff --git a/core/lib/Drupal/Component/Utility/Unicode.php b/core/lib/Drupal/Component/Utility/Unicode.php
index 7691e00abedf23e3f9060cf9f31d61a43efff077..4938b0ddcbdc29dd836b50f169795cf17a94d9ef 100644
--- a/core/lib/Drupal/Component/Utility/Unicode.php
+++ b/core/lib/Drupal/Component/Utility/Unicode.php
@@ -508,7 +508,7 @@ public static function substr($text, $start, $length = NULL) {
    * @param bool $add_ellipsis
    *   If TRUE, add '...' to the end of the truncated string (defaults to
    *   FALSE). The string length will still fall within $max_length.
-   * @param bool $min_wordsafe_length
+   * @param int $min_wordsafe_length
    *   If $wordsafe is TRUE, the minimum acceptable length for truncation (before
    *   adding an ellipsis, if $add_ellipsis is TRUE). Has no effect if $wordsafe
    *   is FALSE. This can be used to prevent having a very short resulting string
diff --git a/core/modules/dblog/src/Controller/DbLogController.php b/core/modules/dblog/src/Controller/DbLogController.php
index 3982da6774d5387b92e80a70463fe62528207a2e..0d1e4f2669c97c130028cb2502589d638666d006 100644
--- a/core/modules/dblog/src/Controller/DbLogController.php
+++ b/core/modules/dblog/src/Controller/DbLogController.php
@@ -184,10 +184,9 @@ public function overview() {
     foreach ($result as $dblog) {
       $message = $this->formatMessage($dblog);
       if ($message && isset($dblog->wid)) {
-        // Truncate link_text to 56 chars of message.
-        // @todo Reevaluate the SafeMarkup::set() in
-        //   https://www.drupal.org/node/2399261.
-        $log_text = SafeMarkup::set(Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE));
+        // Truncate link_text to 56 chars of message. The l() call will escape
+        // any unsafe HTML entities in the final text.
+        $log_text = Unicode::truncate(Html::decodeEntities(strip_tags($message)), 56, TRUE, TRUE);
         $message = $this->l($log_text, new Url('dblog.event', array('event_id' => $dblog->wid), array(
           'attributes' => array(
             // Provide a title for the link for useful hover hints.
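Review bot: `$log_text` now holds entity-decoded plain text, so a logged `&lt;script&gt;` becomes a literal `<script>` in the variable, and only the escaping done by `l()` on the next line keeps it out of the page. The added comment says l() escapes "unsafe HTML entities", which undersells that invariant; I would word it as `// $log_text is decoded plain text, not markup: it must only reach output through l(), which escapes it.` Separately, this is the only hunk for DbLogController.php and it adds no `use Drupal\Component\Utility\Html;`, so that import must already exist in the file. The `Xss` and `SafeMarkup` imports may now be unused there. overview() begins and ends outside the hunk.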
diff --git a/core/modules/dblog/src/Tests/DbLogTest.php b/core/modules/dblog/src/Tests/DbLogTest.php
index 820b8e03eeafdd4f4abbfc5cc61e06af4a335807..f96a3201db3d5c269fc09c711149be99d03a4e63 100644
--- a/core/modules/dblog/src/Tests/DbLogTest.php
+++ b/core/modules/dblog/src/Tests/DbLogTest.php
@@ -7,8 +7,8 @@
 namespace Drupal\dblog\Tests;
+use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\Unicode;
-use Drupal\Component\Utility\Xss;
 use Drupal\Core\Logger\RfcLogLevel;
 use Drupal\Core\Url;
 use Drupal\dblog\Controller\DbLogController;
@@ -339,10 +339,10 @@ private function doUser() {
     $this->assertLogMessage(t('Session closed for %name.', array('%name' => $name)), 'DBLog event was recorded: [logout user]');
     // Delete user.
     $message = t('Deleted user: %name %email.', array('%name' => $name, '%email' => '<' . $user->getEmail() . '>'));
-    $message_text = Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE);
+    $message_text = Unicode::truncate(Html::decodeEntities(strip_tags($message)), 56, TRUE, TRUE);
     // Verify that the full message displays on the details page.
     $link = FALSE;
-    if ($links = $this->xpath('//a[text()="' . html_entity_decode($message_text) . '"]')) {
+    if ($links = $this->xpath('//a[text()="' . $message_text . '"]')) {
       // Found link with the message text.
       $links = array_shift($links);
       foreach ($links->attributes() as $attr => $value) {
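Review bot: The XPath on the changed `if` line is built by concatenating `$message_text` into a double-quoted literal, and that text is now entity-decoded, so a `"` in the user name or e-mail would end the literal early and the lookup would fail or match the wrong node. Passing the value as a placeholder avoids the quoting problem: `$this->xpath('//a[text()=:text]', array(':text' => $message_text))`. The value comes from a test user here, so this is a robustness point for the test rather than an exposure. doUser() starts and ends outside the hunk.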
@@ -695,11 +695,8 @@ protected function asText(\SimpleXMLElement $element) {
    *   The message to pass to simpletest.
   protected function assertLogMessage($log_message, $message) {
-    $message_text = Unicode::truncate(Xss::filter($log_message, array()), 56, TRUE, TRUE);
-    // After \Drupal\Component\Utility\Xss::filter(), HTML entities should be
-    // converted to their character equivalents because assertLink() uses this
-    // string in xpath() to query the Document Object Model (DOM).
-    $this->assertLink(html_entity_decode($message_text), 0, $message);
+    $message_text = Unicode::truncate(Html::decodeEntities(strip_tags($log_message)), 56, TRUE, TRUE);
+    $this->assertLink($message_text, 0, $message);
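Review bot: The expected link text is computed with the same `Unicode::truncate(Html::decodeEntities(strip_tags(...)), 56, TRUE, TRUE)` expression that DbLogController::overview() uses, and the same copy appears in doUser(), so a mistake in that pipeline would be mirrored by the assertion instead of caught. The hunk also deletes the comment explaining why decoding is needed and puts nothing in its place; I would add `// assertLink() matches DOM text, so compare against the tag-stripped, entity-decoded, truncated text the overview renders.` A small private helper shared by both call sites would keep the two copies from drifting. The closing lines of assertLogMessage() are not visible in the hunk.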
@@ -730,4 +727,17 @@ public function testTemporaryUser() {
     $this->drupalGet('admin/reports/dblog/event/' . $wid);
     $this->assertText('Dblog test log message');
+  /**
+   * Make sure HTML tags are filtered out in the log overview links.
+   */
+  public function testOverviewLinks() {
+    $this->drupalLogin($this->adminUser);
+    $this->generateLogEntries(1, ['message' => "&lt;script&gt;alert('foo');&lt;/script&gt;<strong>Lorem</strong> ipsum dolor sit amet, consectetur adipiscing elit."]);
+    $this->drupalGet('admin/reports/dblog');
+    $this->assertResponse(200);
+    // Make sure HTML tags are filtered out.
+    $this->assertRaw('title="&amp;lt;script&amp;gt;alert(&#039;foo&#039;);&amp;lt;/script&amp;gt;Lorem ipsum dolor sit amet, consectetur adipiscing elit. Entry #0">&lt;script&gt;alert(&#039;foo&#039;);&lt;/script&gt;Lorem ipsum dolor sit…</a>');
+  }
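Review bot: testOverviewLinks() asserts only that one expected escaped string is present and never that the unescaped payload is absent, so a regression that emits the raw tag elsewhere on the overview page would still pass. Adding `$this->assertNoRaw("<script>alert('foo');</script>");` after the `assertRaw()` call closes that gap. The docblock also says tags are "filtered out", while the message under test carries its script tag as entities that are decoded and then re-escaped on output. Something like `Tests that overview link text is stripped of tags and escaped on output.` would describe the check more accurately.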