- Issue created by @ram4nd
- Merge request !9783 Issue #3479425: [D7] Module and theme names are not filtered on output → (Open) created by ram4nd
- 🇸🇰Slovakia poker10
Thank you for working on this!
I see there are some differences with the original D10 code:
1. The issue title is "modules and themes are not filtered on output" - I think the D7 backport is sanitizing the data way sooner than on output. I did not have time to review yet whether that has the potential to cause any troubles, but another option would be to move the sanitization to output - for example to `system_modules` and `system_themes_page` (or `theme_system_themes_page`).
2. Currently the code is adding `check_plain` on the 'name', 'version' and 'package' attributes. According to the documentation, it seems correct that these three should be plain text ( https://www.drupal.org/docs/7/creating-custom-modules/writing-module-inf... → ). In the D10 code, there does not seem to be a direct sanitization, but I suppose the automatic Twig sanitization is used (anything between {{ }} gets automatically sanitized ( https://www.drupal.org/docs/administering-a-drupal-site/security-in-drup... → )).
3. The package in D10 is sanitized using D10's version of `filter_xss_admin`, see: `'#title' => Markup::create(Xss::filterAdmin($this->t($package))),`. In D7 it is sanitized using `check_plain`. We should check what the correct approach is (the output of the package name seems very similar to me - in D10 it is a title in a "details" form element, in D7 it is a title in a "fieldset" form element).
4. The D7 backport is missing tests. Can we add at least a simple test to check the output of name and description for script tags (like it is done in the D10 test)?
Thanks!
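A Drupal 7 SimpleTest of the kind requested in point 4, added here as an illustration (it is not part of the merge request). It assumes a hypothetical test module `system_info_escape_test` whose .info file declares `name = "<script>alert(1)</script>Escape test"` and `description = "<script>alert(2)</script>Escape test description"`, and that the backport escapes the module name with `check_plain` as the comment above describes.

```php
<?php

/**
 * Added example, not code from the merge request: checks that values read
 * from a module's .info file are not output unescaped on admin/modules.
 *
 * Assumes a hypothetical module "system_info_escape_test" whose .info file
 * contains:
 *   name = "<script>alert(1)</script>Escape test"
 *   description = "<script>alert(2)</script>Escape test description"
 */
class SystemInfoEscapeTestCase extends DrupalWebTestCase {

  public static function getInfo() {
    return array(
      'name' => 'Module info output escaping',
      'description' => 'Module name and description from .info files are escaped on the modules page.',
      'group' => 'System',
    );
  }

  function setUp() {
    // Enable the hypothetical module so it is listed on admin/modules.
    parent::setUp('system_info_escape_test');
    $admin = $this->drupalCreateUser(array('administer modules'));
    $this->drupalLogin($admin);
  }

  function testModuleInfoIsEscaped() {
    $this->drupalGet('admin/modules');
    $this->assertResponse(200);

    // The raw tags from the .info file must never reach the page.
    $this->assertNoRaw('<script>alert(1)</script>', 'Module name is not output unescaped.');
    $this->assertNoRaw('<script>alert(2)</script>', 'Module description is not output unescaped.');

    // The backport runs the name through check_plain, so the escaped form
    // (with &lt; and &gt;) is what the browser should receive.
    $this->assertRaw(check_plain('<script>alert(1)</script>Escape test'), 'Module name is output escaped.');
  }
}
```

The same pattern works for admin/appearance with a test theme whose .info name contains a script tag, using the 'administer themes' permission instead.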
- 🇪🇪Estonia ram4nd Tallinn
If I remember correctly, I backported it from D11 not D10.