Issue #2330503 by pfrenssen, dawehner: Fixed [sechole] Inline templates pass...

Issue #2330503 by pfrenssen, dawehner: Fixed [sechole] Inline templates pass through unsafe strings.

Issue #2330503 by pfrenssen, dawehner: Fixed [sechole] Inline templates pass...
72450c6a · catch · c1f444b1 · 72450c6a · 72450c6a · 72450c6a
Commit 72450c6a authored 10 years ago by catch
--- a/core/lib/Drupal/Core/Template/TwigEnvironment.php
+++ b/core/lib/Drupal/Core/Template/TwigEnvironment.php
@@ -71,12 +71,11 @@ public function __construct(\Twig_LoaderInterface $loader = NULL, ModuleHandlerI
    $options += array(
      // @todo Ensure garbage collection of expired files.
      'cache' => TRUE,
-      // @todo Remove this.
-      // @see http://drupal.org/node/1712444
-      'autoescape' => FALSE,
      'debug' => FALSE,
      'auto_reload' => NULL,
    );
+    // Ensure autoescaping is always on.
+    $options['autoescape'] = TRUE;

    parent::__construct($loader, $options);
  }

--- a/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php
+++ b/core/modules/system/src/Tests/Theme/TwigEnvironmentTest.php
@@ -7,6 +7,7 @@

 namespace Drupal\system\Tests\Theme;

+use Drupal\Component\Utility\String;
 use Drupal\simpletest\KernelTestBase;

 /**
@@ -34,12 +35,13 @@ public function testInlineTemplate() {
    $this->assertEqual($environment->renderInline('test-with-context {{ lama }}', array('lama' => 'muuh')), 'test-with-context muuh');

    $element = array();
+    $unsafe_string = '<script>alert(\'Danger! High voltage!\');</script>';
    $element['test'] = array(
      '#type' => 'inline_template',
-      '#template' => 'test-with-context {{ lama }}',
-      '#context' => array('lama' => 'muuh'),
+      '#template' => 'test-with-context {{ unsafe_content }}',
+      '#context' => array('unsafe_content' => $unsafe_string),
    );
-    $this->assertEqual(drupal_render($element), 'test-with-context muuh');
+    $this->assertEqual(drupal_render($element), 'test-with-context ' . String::checkPlain($unsafe_string));
  }

 }

--- a/core/modules/system/src/Tests/Theme/TwigRawTest.php
+++ b/core/modules/system/src/Tests/Theme/TwigRawTest.php
@@ -7,6 +7,7 @@

 namespace Drupal\system\Tests\Theme;

+use Drupal\Component\Utility\String;
 use Drupal\simpletest\WebTestBase;

 /**
@@ -36,4 +37,21 @@ public function testAutoescapeRaw() {
    $this->assertRaw('<script>alert("This alert is real because I will put it through the raw filter!");</script>');
  }

+  /**
+   * Tests autoescaping of unsafe content.
+   *
+   * This is one of the most important tests in Drupal itself in terms of
+   * security.
+   */
+  public function testAutoescape() {
+    $script = '<script>alert("This alert is unreal!");</script>';
+    $build = [
+      '#theme' => 'twig_autoescape_test',
+      '#script' => $script,
+    ];
+    $rendered = drupal_render($build);
+    $this->setRawContent($rendered);
+    $this->assertRaw(String::checkPlain($script));
+  }
+
 }
--- a/core/modules/system/tests/modules/twig_theme_test/templates/twig-autoescape-test.html.twig
+++ b/core/modules/system/tests/modules/twig_theme_test/templates/twig-autoescape-test.html.twig
+{# Template for testing autoescape. #}
+{{ script }}
--- a/core/modules/system/tests/modules/twig_theme_test/twig_theme_test.module
+++ b/core/modules/system/tests/modules/twig_theme_test/twig_theme_test.module
@@ -23,6 +23,10 @@ function twig_theme_test_theme($existing, $type, $theme, $path) {
    'variables' => array('script' => ''),
    'template' => 'twig-raw-test',
  );
+  $items['twig_autoescape_test'] = array(
+    'variables' => array('script' => ''),
+    'template' => 'twig-autoescape-test',
+  );
  $items['twig_theme_test_url_generator'] = array(
    'variables' => array(),
    'template' => 'twig_theme_test.url_generator',