Remove type="text/javascript" from <script> tags.

@Jacine, yes it needs to be there. Relevant comment from other issue: http://drupal.org/node/1174756#comment-4759566

It looks good. but what happen if we remove it:

+++ b/core/includes/common.incundefined
@@ -4205,9 +4205,7 @@ function drupal_pre_render_scripts($elements) {
+    '#attributes' => array(),

testBot!! Please tell me :)

-3 days to next Drupal core point release.

looks like a nice patch. Does it need manual testing? I'll see if a reroll is necessary but this looks like it should be on a fast track to RTBC

I think no manual testing needed.

oh, no. dedtior script changed :(

This patch needs a reroll. Tagging novice to do a simple rebase:

git checkout -b 1362974-script-html5 25ef3c917fc3c8daf502
git apply [the-patch-from-#8]
git commit -a
git rebase 8.x
git diff 8.x > [rerolled-patch-file-name]

Other than that, having:

+++ b/core/modules/system/system.testundefined
@@ -1355,10 +1355,10 @@ class PageTitleFiltering extends DrupalWebTestCase {
-    $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
+    $slogan = '<script>alert("Slogan XSS!");</script>';

Not sure if removing type="text/javascript" from the XSS tests is applicable - but that shouldn't make a difference anyway. Should we have the html corrector remove type="text/javascript" as a follow-up?

Rerolled.

Thank you @tkrajcar. I'd totally RTBC this after this is clear: Do we now need #attributes => array() for anything, or not?

@Niklas Fiekas, see #3 for the link to the convo where it is needed. I'm not savvy enough about the theme layer to know whether that's accurate or not, but that's what was referenced earlier. :-)

Yeah ... me neither. The patch is green - so I wonder whether this is not true for our case.

@#13,

keep the XSS is not a bad idea. but I think somewhere we already have tests covered those attributes.

Yeah. RTBC seconded.

@Niklas Fiekas We might be needing #attributes later on, just not at this level.
agree with rtbc.

Not sure if removing type="text/javascript" from the XSS tests is applicable - but that shouldn't make a difference anyway. Should we have the html corrector remove type="text/javascript" as a follow-up?

Yeah I don't think this is the place to do that, XSS attacks might include type="text/javascript" so if anything I'd add to the existing tests rather than changing them. Either way can we split that to a new issue?

XSS tests in CORE are so weak. only tested "SCRIPT" tag in title & path.

It used check_plain to compare the result, remove the type attribute is no harms. and a separated issue to enhance XSS test cases is required.

back to RTBC. ( welcome switch back to needs work, and I will reroll it again )

Yeah sorry I'd really prefer to do that in another issue, even if it's harmless it is going to make for weird commit history.

If I'm understanding the discussion correctly, the changes to testTitleXSS() needed to be removed and handled in a separate issue.

The first patch is a reroll of #14 since the test files were moved. Plus, I removed type='text/javascript' from a few more lines that had been added to JavaScriptTest.php.

The second patch is the same as the first, but with the changes to the XSS tests in PageTitleFilteringTest.php removed.

#24: no-xss-test-1362974-24.patch queued for re-testing.

no-xss-test-1362974-24.patch reviewed.

Sorry same for this test, no need to remove the text/javascript there either:

--- a/core/modules/system/lib/Drupal/system/Tests/Mail/HtmlToTextTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Mail/HtmlToTextTest.php
@@ -153,7 +153,7 @@ class HtmlToTextTest extends WebTestBase {
       // Tests some unsupported HTML tags.
       '<html>Drupal</html>' => "Drupal\n",
       // @todo Perhaps the contents of <script> tags should be dropped.
-      '<script type="text/javascript">Drupal</script>' => "Drupal\n",
+      '<script>Drupal</script>' => "Drupal\n",
       // A couple of tests for Unicode characters.
       '<q>I <em>will</em> be back…</q>' => "I /will/ be back…\n",
       'FrançAIS is ÜBER-åwesome' => "FrançAIS is ÜBER-åwesome\n",

Removed the Mail module test.

#28: no-mail-test-1362974-28.patch queued for re-testing.

Confirm that removed.

Less bytes, wooo!

Committed/pushed to 8.x.