diff --git a/includes/common.inc b/includes/common.inc
index 98c84f6..9540c70 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2020,7 +2020,9 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
 _format_date_callback(NULL, $langcode);
 
 // Translate the marked sequences.
- return preg_replace_callback('/\xEF([AaeDlMTF]?)(.*?)\xFF/', '_format_date_callback', $format);
+ $formatted = preg_replace_callback('/\xEF([AaeDlMTF]?)(.*?)\xFF/', '_format_date_callback', $format);
+
+ return filter_xss_admin($formatted);
 }
 
 /**
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index e8e4033..a5b6fc2 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -2368,6 +2368,20 @@ class FormatDateUnitTest extends DrupalWebTestCase {
 date_default_timezone_set(drupal_get_user_timezone());
 drupal_save_session(TRUE);
 }
+
+ /**
+ * Test that date formats are sanitized.
+ */
+ function testDateFormatXSS() {
+ $date_format_info = array(
+ 'name' => 'XSS format',
+ 'pattern' => array('php' => '\<\s\c\r\i\p\t\>\a\l\e\r\t\(\'\X\S\S\'\)\;\<\/\s\c\r\i\p\t\>'),
+ );
+ system_date_format_save('xss_short', $date_format_info);
+
+ $this->drupalGet('admin/config/regional/date-time');
+ $this->assertNoRaw("", 'The date format was properly sanitized');
+ }
 }
 
 /**
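Review bot: The new `return filter_xss_admin($formatted);` changes the contract of format_date() from "formatted text" to "HTML-safe markup", but nothing in the hunk documents that, and the function's docblock sits outside this hunk. Callers that already escape the result (check_plain(), `@` placeholders in t()) will presumably now double-encode any `&` that filter_xss_admin() entity-normalizes, and callers using the value in non-HTML contexts such as mail subjects or HTTP headers get entity-encoded output; I cannot see filter_xss_admin() here, so confirm its entity handling before relying on this. I would update the `@return` line to read `@return A translated date string in the requested format, passed through filter_xss_admin() and therefore safe to print directly as HTML; do not escape it a second time.` and audit the call sites that escape or emit the value outside HTML. The body of format_date() begins before this hunk.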
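Review bot: The final assertion in testDateFormatXSS() is `$this->assertNoRaw("", ...)`, an empty needle, so as rendered here the test asserts nothing about the script tag; presumably the expected raw string was the unescaped `<script>alert('XSS');</script>` and the angle brackets were dropped when this page was rendered, but as written the test would pass vacuously (an empty strpos() needle does not find the payload). Confirm the committed needle is the literal script markup, and add a positive check so the negative one cannot pass merely because the page failed to render the new format, e.g. `$this->assertText('XSS format', 'The new date format is listed.');` before the assertNoRaw() call. The backslash-escaped pattern is the right way to make date() emit the raw tag, since every letter is otherwise a format character.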