Channel: Issues for Drupal core

a disabled block's admin title gets double-escaped


Problem/Motivation

If a block's admin title contains a character that is HTML-escaped, such as an apostrophe ('), then when the block is disabled the title is double-escaped in the block listing.

E.g., not disabled:

This block's great!

Disabled:

This block's great! (disabled)

Steps to reproduce

From #18:

Steps to test -
1. Go to the admin site.
2. Go to /admin/structure/block/list/bartik.
3. Click on Place block.
4. A pop-up will open; click on Add custom block.
5. Add a custom block, use a title with characters that are HTML escaped, and click on save.
6. Select the region where it should display and click on save block.
7. Click on Configure, select disable.
8. Verify.

Proposed resolution

From #8:

The #plain_text is meant to escape $info['label'], so this is introducing an XSS sanitization bypass. The problem is having
#plain_text used for a field that might sometimes contain:

$this->t('@label (disabled)', ['@label' => $info['label']])
@placeholders also do their own plain-text escaping, so that means it happens twice for that case. So we still need it to be escaped at least once when the block is rendered.

An alternative would be to rewrite it with something like:

  if ($info_status) {
    // Enabled: the raw label is escaped once, by #plain_text, at render time.
    $form[$entity_id]['info']['#plain_text'] = $info['label'];
  }
  else {
    // Disabled: the @label placeholder already escapes the label once, so
    // pass the result as #markup rather than escaping it a second time.
    $form[$entity_id]['info']['#markup'] = $this->t('@label (disabled)', ['@label' => $info['label']]);
  }
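The following is an added example, not code from Drupal core or from this issue, that simulates the two escaping layers comment #8 describes so the double escape and the proposed fix can be seen outside a Drupal site. escapePlainText() mimics what Drupal's Html::escape() does (htmlspecialchars() with ENT_QUOTES); tWithPlaceholders() and renderInfo() are simplified stand-ins for t() with an @placeholder and for rendering a #plain_text / #markup element. Real t() returns a TranslatableMarkup object that the renderer treats as already safe; the stand-in returns a plain string, which is why buildInfoAfter() hands it to #markup exactly as the proposed patch does.

```php
<?php
// Added example (not Drupal core code): stand-alone simulation of the
// escaping layers discussed in the issue. All functions below are
// hypothetical stand-ins, not Drupal's own implementation.
declare(strict_types=1);

/** One layer of escaping, as #plain_text and @placeholders apply it. */
function escapePlainText(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Stand-in for t('@label (disabled)', ['@label' => $label]). */
function tWithPlaceholders(string $pattern, array $args): string {
  $replacements = [];
  foreach ($args as $key => $value) {
    // '@' placeholders are escaped; other placeholder kinds are not modelled here.
    $replacements[$key] = $key[0] === '@' ? escapePlainText((string) $value) : (string) $value;
  }
  return strtr($pattern, $replacements);
}

/** Stand-in for rendering an element that carries #plain_text or #markup. */
function renderInfo(array $element): string {
  if (isset($element['#plain_text'])) {
    // #plain_text is escaped at render time, no matter what it contains.
    return escapePlainText((string) $element['#plain_text']);
  }
  // #markup is assumed to be already safe (in Drupal it would also pass Xss::filterAdmin()).
  return (string) $element['#markup'];
}

/** Current behaviour: the status-dependent label always goes through #plain_text. */
function buildInfoBefore(string $label, bool $status): array {
  $value = $status ? $label : tWithPlaceholders('@label (disabled)', ['@label' => $label]);
  return ['#plain_text' => $value];
}

/** Proposed behaviour: #plain_text for the raw label, #markup for the t() result. */
function buildInfoAfter(string $label, bool $status): array {
  if ($status) {
    return ['#plain_text' => $label];
  }
  return ['#markup' => tWithPlaceholders('@label (disabled)', ['@label' => $label])];
}

// Constructed sample admin title containing a character that gets HTML-escaped.
$label = "This block's great!";

foreach ([TRUE, FALSE] as $status) {
  printf("status=%d before: %s\n", $status, renderInfo(buildInfoBefore($label, $status)));
  printf("status=%d after:  %s\n", $status, renderInfo(buildInfoAfter($label, $status)));
}
```

Run it with php on the command line. For the disabled row, the "before" path escapes the apostrophe's entity a second time (the leading ampersand of the entity is itself escaped), while the "after" path escapes it once; for the enabled row both paths produce the same single-escaped output, and in neither path does the raw label reach the output unescaped.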

Before patch:

After patch:

Remaining tasks

Write patch
Write tests
Review

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

None
