Add tests for SA-CORE-2025-004: Link field attribute XSS

xjm → credited benjifisher → .

xjm → credited bramdriesen → .

xjm → credited larowlan → .

xjm → credited longwave → .

xjm → credited mcdruid → .

Adding credits for folks who contributed to the development and review of the tests on the private issue.

Looks like the string typehinting worked. However, I found a newer version of the tests with additional test coverage in a private repo that was not posted to the private issue as directly. Will update the MR shortly.

xjm → credited alexpott → .

xjm → credited catch → .

Adding credits from additional reviewers on the private MR.

The things are green. I gave the tests a quick once-over and they look in order to me.

.

Forgot the tag.

Opened an MR with 2024-004 revert

Unit test fails with

  Line   core/modules/link/tests/src/Unit/AttributeXssTest.php                
 ------ --------------------------------------------------------------------- 
  16     @covers value \Drupal\link\AttributeXss references an invalid class  
         or function.                                                         
         🪪 phpunit.covers                                                    
  24     Call to static method sanitizeAttributes() on an unknown class       
         Drupal\link\AttributeXss.                                            
         🪪 class.notFound                                                    
         💡 Learn more at https://phpstan.org/user-guide/discovering-symbols  

kernel tests don't run is it needed to opened a 3rd MR without the unit test?

smustgrave → changed the visibility of the branch 3530149-revert-changes-2024-004 to hidden.

Deleted the Unit test from my MR since we saw it fail, lets see if the kernel does now.

kernel failed

    
    FF                                                                  2 / 2 (100%)
    
    Time: 00:04.448, Memory: 8.00 MB
    
    Link Formatter (Drupal\Tests\link\Kernel\LinkFormatter)
     ✘ Link formatter with default·formatter
       ┐
       ├ Failed asserting that 'Hello world' [ASCII](length: 101) contains "" [ASCII](length: 49).
       │
       │ /builds/issue/drupal-3530149/core/modules/link/tests/src/Kernel/LinkFormatterTest.php:118
       ┴
     ✘ Link formatter with separate·link·text·and·URL
       ┐
       ├ Failed asserting that 'Hello world\n                                     
       ├ https://www.drupal.org/\n
       ├ ' [ASCII](length: 126) contains "" [ASCII](length: 49).
       │
       │ /builds/issue/drupal-3530149/core/modules/link/tests/src/Kernel/LinkFormatterTest.php:118

MenuLinkTest failed with

      ┐
       ├ Failed asserting that 'Link test' [ASCII](length: 99) contains "" [ASCII](length: 49).
       │
       │ /builds/issue/drupal-3530149/core/modules/menu_link_content/tests/src/Kernel/MenuLinksTest.php:505

So believe this shows the test coverage is good

Saving credits.

Committed/pushed to 11.x and cherry-picked to 11.2.x, since this cherry-picked cleanly also cherry-picked back to 10.6.x - it might help if we need to adjust this again and backport that, thanks!

catch → closed merge request !12377

smustgrave → closed merge request !12416

I think this also belongs in 10.5.x, but after having had an oopsidaisy with the other issue, will double-check the pipeline first.

I think this might be broken on 10.6.x, so let's try a revert and a 10.6.x MR.

Apparently it was unrelated. So let's try again with the backport to 10.6.x and 10.5.x.

Both backports pass, so it was still lingering issues from the other bad backports. So, committing these backports now.

Back to fixed, this time providing test coverage on all four branches. Thanks!

xjm → closed merge request !12559

xjm → closed merge request !12558