Sanitize quick form labels, descriptions, and help text with Html::escape().
This commit is contained in:
Michael Stenta
parent
4d9bd96234
commit
d67e4492d1
|
|
@ -5,6 +5,7 @@
|
|||
* The farmOS Quick Form module.
|
||||
*/
|
||||
|
||||
use Drupal\Component\Utility\Html;
|
||||
use Drupal\Core\Entity\EntityTypeInterface;
|
||||
use Drupal\Core\Routing\RouteMatchInterface;
|
||||
|
||||
|
|
@ -25,11 +26,10 @@ function farm_quick_help($route_name, RouteMatchInterface $route_match) {
|
|||
if ($route_name == 'farm.quick.' . $quick_form_id) {
|
||||
/** @var \Drupal\farm_quick\Entity\QuickFormInstanceInterface $quick_form */
|
||||
$quick_form = \Drupal::service('quick_form.instance_manager')->getInstance($quick_form_id);
|
||||
$help_text = $quick_form->getHelpText();
|
||||
$output = [
|
||||
'#type' => 'html_tag',
|
||||
'#tag' => 'p',
|
||||
'#value' => $help_text,
|
||||
'#value' => Html::escape($quick_form->getHelpText()),
|
||||
'#cache' => [
|
||||
'tags' => $quick_form->getCacheTags(),
|
||||
],
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
namespace Drupal\farm_quick\Controller;
|
||||
|
||||
use Drupal\Component\Utility\Html;
|
||||
use Drupal\Core\Controller\ControllerBase;
|
||||
use Drupal\Core\Link;
|
||||
use Drupal\farm_quick\QuickFormPluginManager;
|
||||
|
|
@ -66,8 +67,8 @@ class QuickFormAddPage extends ControllerBase {
|
|||
// Add link for each configurable plugin.
|
||||
foreach ($plugins as $plugin_id => $plugin) {
|
||||
$render['#bundles'][$plugin_id] = [
|
||||
'label' => $plugin['label'],
|
||||
'description' => $plugin['description'] ?? '',
|
||||
'label' => Html::escape($plugin['label']),
|
||||
'description' => Html::escape($plugin['description']) ?? '',
|
||||
'add_link' => Link::createFromRoute($plugin['label'], 'farm_quick.add_form', ['plugin' => $plugin_id]),
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,8 +2,10 @@
|
|||
|
||||
namespace Drupal\farm_quick\Controller;
|
||||
|
||||
use Drupal\Component\Utility\Html;
|
||||
use Drupal\Core\Cache\CacheableMetadata;
|
||||
use Drupal\Core\Controller\ControllerBase;
|
||||
use Drupal\Core\Render\Markup;
|
||||
use Drupal\Core\StringTranslation\StringTranslationTrait;
|
||||
use Drupal\Core\Url;
|
||||
use Drupal\farm_quick\QuickFormInstanceManagerInterface;
|
||||
|
|
@ -63,8 +65,15 @@ class QuickFormController extends ControllerBase {
|
|||
$url = Url::fromRoute('farm.quick.' . $id);
|
||||
if ($url->access()) {
|
||||
$items[] = [
|
||||
'title' => $quick_form->getLabel(),
|
||||
'description' => $quick_form->getDescription(),
|
||||
// Wrap the title in Markup::create() because the template preprocess
|
||||
// function for admin_block_content uses Link::fromTextAndUrl(), which
|
||||
// sanitizes strings automatically. This avoids double-sanitization,
|
||||
// but also ensures we are sanitizing consistently in this code, in
|
||||
// case anything changes later.
|
||||
// @see template_preprocess_admin_block_content()
|
||||
// @see \Drupal\Core\Link::fromTextAndUrl()
|
||||
'title' => Markup::create(Html::escape($quick_form->getLabel())),
|
||||
'description' => Html::escape($quick_form->getDescription()),
|
||||
'url' => $url,
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
namespace Drupal\farm_quick\Form;
|
||||
|
||||
use Drupal\Component\Utility\Html;
|
||||
use Drupal\Core\Entity\EntityForm;
|
||||
use Drupal\Core\Form\FormStateInterface;
|
||||
use Drupal\Core\Form\SubformState;
|
||||
|
|
@ -71,7 +72,7 @@ class QuickFormEntityForm extends EntityForm {
|
|||
// Render the plugin form in settings tab.
|
||||
$form['settings_tab'] = [
|
||||
'#type' => 'details',
|
||||
'#title' => $this->entity->getPlugin()->getLabel(),
|
||||
'#title' => Html::escape($this->entity->getPlugin()->getLabel()),
|
||||
'#group' => 'tabs',
|
||||
'#weight' => 50,
|
||||
];
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
namespace Drupal\farm_quick\Plugin\Derivative;
|
||||
|
||||
use Drupal\Component\Plugin\Derivative\DeriverBase;
|
||||
use Drupal\Component\Utility\Html;
|
||||
use Drupal\Core\Plugin\Discovery\ContainerDeriverInterface;
|
||||
use Drupal\farm_quick\QuickFormInstanceManagerInterface;
|
||||
use Symfony\Component\DependencyInjection\ContainerInterface;
|
||||
|
|
@ -68,7 +69,7 @@ class QuickFormMenuLink extends DeriverBase implements ContainerDeriverInterface
|
|||
// Create link.
|
||||
$route_id = 'farm.quick.' . $id;
|
||||
$links[$route_id] = [
|
||||
'title' => $quick_form->getLabel(),
|
||||
'title' => Html::escape($quick_form->getLabel()),
|
||||
'parent' => 'farm.quick:farm.quick',
|
||||
'route_name' => $route_id,
|
||||
] + $base_plugin_definition;
|
||||
|
|
|
|||
|
|
@ -117,16 +117,16 @@ class QuickFormListBuilder extends ConfigEntityListBuilder {
|
|||
],
|
||||
];
|
||||
$row['type'] = [
|
||||
'#markup' => $quick_form->getPlugin()->getLabel(),
|
||||
'#plain_text' => $quick_form->getPlugin()->getLabel(),
|
||||
];
|
||||
$row['label'] = [
|
||||
'#markup' => $quick_form->getLabel(),
|
||||
'#plain_text' => $quick_form->getLabel(),
|
||||
];
|
||||
$row['id'] = [
|
||||
'#markup' => $quick_form->id(),
|
||||
'#plain_text' => $quick_form->id(),
|
||||
];
|
||||
$row['description'] = [
|
||||
'#markup' => $quick_form->getDescription(),
|
||||
'#plain_text' => $quick_form->getDescription(),
|
||||
];
|
||||
return $row + parent::buildRow($entity);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue