authoreffulgentsia2016-09-29 11:10:11 -0700
committereffulgentsia2016-09-29 11:10:11 -0700
commit8477ed5afd36e527783ae3423191b1d2e1639bd7 (patch)
tree30405d47d7a8ecf5c3f9ffc67058e970189c11c1
parent2766d1a7293f86d2a06c5d744249c4f3d249cc90 (diff)
Issue #2807705 by alexpott, dawehner, aburke626: FormattableMarkup::placeholderFormat() can result in unsafe replacements
-rw-r--r--core/lib/Drupal/Component/Render/FormattableMarkup.php5
-rw-r--r--core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php4
2 files changed, 8 insertions, 1 deletions
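--- a/core/lib/Drupal/Component/Render/FormattableMarkup.php
+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -227,11 +227,16 @@ class FormattableMarkup implements MarkupInterface, \Countable {
 default:
 // We do not trigger an error for placeholder that start with an
 // alphabetic character.
+// @todo https://www.drupal.org/node/2807743 Change to an exception
+// and always throw regardless of the first character.
 if (!ctype_alpha($key[0])) {
 // We trigger an error as we may want to introduce new placeholders
 // in the future without breaking backward compatibility.
 trigger_error('Invalid placeholder (' . $key . ') in string: ' . $string, E_USER_ERROR);
 }
+// If the placeholder is not a recognised placeholder ensure non-safe
+// values are escaped.
+$args[$key] = '<em class="placeholder">' . static::placeholderEscape($value) . '</em>';
 break;
 }
 }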
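Review bot: The added comment above the new `$args[$key] = ...` assignment says only that non-safe values are escaped, but the line also changes what an unrecognised placeholder renders as, and that deserves to be stated where a later reader looks. Because the assignment sits after the `trigger_error(..., E_USER_ERROR)` branch, it is also the path taken when a custom error handler does not halt execution, so the escaping is the last line of defence for keys that fail the `ctype_alpha` check as well as for keys that pass it; the exact markup `placeholderEscape()` produces is not visible in this hunk. I would extend the comment to `// Unrecognised placeholders are escaped and wrapped the same way as a '%' placeholder, so a raw value is never substituted into the string — this also covers the case where the E_USER_ERROR above is handled without halting.` The enclosing `switch` and its method begin before the hunk and the method continues after it.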
diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
index cbf86d2..b149769 100644
--- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
@@ -137,7 +137,7 @@ class SafeMarkupTest extends UnitTestCase {
UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']);
$result = SafeMarkup::format($string, $args);
- $this->assertEquals($expected, $result, $message);
+ $this->assertEquals($expected, (string) $result, $message);
$this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
foreach ($args as $arg) {
@@ -171,6 +171,8 @@ class SafeMarkupTest extends UnitTestCase {
$tests['non-url-with-colon'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "llamas: they are not URLs"], 'Hey giraffe <a href=" they are not URLs">MUUUH</a>', '', TRUE];
$tests['non-url-with-html'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "<span>not a url</span>"], 'Hey giraffe <a href="&lt;span&gt;not a url&lt;/span&gt;">MUUUH</a>', '', TRUE];
+ // Tests non-standard placeholders.
+ $tests['non-standard-placeholder'] = ['Hey risky', ['risky' => "<script>alert('foo');</script>"], 'Hey <em class="placeholder">&lt;script&gt;alert(&#039;foo&#039;);&lt;/script&gt;</em>', '', TRUE];
return $tests;
}
/**