Module and theme names are not filtered on output.

We should sanitize all the elements of te .info file that may be displayed on output, as they are output as a simple hardening.

Agreed :)

This no longer applied, rerolling.

Since I would like to see all of these silly XSS bugs in core gone, should this be critical?

http://api.drupal.org/api/function/t/7

@variable: Indicates that the text should be run through check_plain(), to escape HTML characters.

You shouldn't call check_plain() on @module and @version manually.

Removed extraneous check_plain()s
Edited patch by hand - let's see if it passes.

and again

are you complaining about the name of my file, testbot?
otherwise, i'm out of ideas

Windows newlines...

silly me - I figured I wouldn't have to worry about Windows newlines since I'm on a Mac.

#12: info_xss-637538-12.patch queued for re-testing.

• Re-rolled to keep up with head
• Added check_plain() for the package property which was missing from the previous patch.

Patch mr.baileys wrote is for D8

This no longer applies.

Removing all the old files to focus on 8.x. Here's a start at updating this to 8.x.

Straight reroll.

• Added a missing use-stagement
• Theme description was not yet sanitized, added

Needs re-roll.

Re-rolled!

Fixed missing `use` statement.

Closed #2527544: Module list page is not XSS safe as a duplicate of this issue. Adding credit - it is worth checking if I did that correctly.

There is more discussion in that issue about the problem space. I'll just put the summary of that discussion, by cilefen here,

Arguably, there is no reason not to sanitize these but the threat model is so small this should be normal priority. #2 made the point that if you have a malicious YAML file you could also have malicious PHP and how would this help then?

Closed #846430: Run filter_xss() over .info values as a duplicate, adding credit.

Re-rolled the last patch for 9.3

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Attached patch against Drupal 10.1.x

Patch #46 is not applied for Drupal 10 so Inter-diff file is not added.

Checking patch core/modules/system/src/Form/ModulesListForm.php...
Hunk #1 succeeded at 21 (offset 1 line).
Hunk #2 succeeded at 143 (offset 3 lines).
Hunk #3 succeeded at 208 (offset 8 lines).
error: while searching for:
$row['#requires'] = [];
$row['#required_by'] = [];

$row['name']['#markup'] = $module->info['name'];
$row['description']['#markup'] = $this->t($module->info['description']);
$row['version']['#markup'] = $module->info['version'];

// Generate link for module's help page. Assume that if a hook_help()
// implementation exists then the module provides an overview page, rather

error: patch failed: core/modules/system/src/Form/ModulesListForm.php:247
error: core/modules/system/src/Form/ModulesListForm.php: patch does not apply
Checking patch core/modules/system/system.admin.inc...

Came from http://www.madirish.net/555

Re-Rolled patch from #46 against 11.x head.

The Needs Review Queue Bot tested this issue.

While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

Addressed the test failures & pipeline passed

Please review , moved NR

Thanks for continuing to work on this. Will need a test case showing the issue.

Added test case .

Please review , moved NR

Have not reviewed yet but issue summary appears to be incomplete could that be updated please

Can use https://www.drupal.org/docs/develop/issues/fields-and-other-parts-of-an-.... for help if needed.

Issue summary updated w.r.t to standard issue template.

Please review, moved NR

Hiding all patches for clarity

Ran test-only feature which gve

1) Drupal\Tests\system\FunctionalJavascript\PageXssVulnerabilityTest::testPageLoadWithoutXss
WebDriver\Exception\UnexpectedAlertOpen: unexpected alert open: {Alert text : evil desc}
  (Session info: headless chrome=106.0.5249.103)
  (Driver info: chromedriver=106.0.5249.61 (511755355844955cd3e264779baf0dd38212a4d0-refs/branch-heads/5249@{#569}),platform=Linux 5.4.266-178.365.amzn2.x86_64 x86_64)
/builds/issue/drupal-637538/vendor/lullabot/php-webdriver/lib/WebDriver/Exception.php:198
/builds/issue/drupal-637538/vendor/lullabot/php-webdriver/lib/WebDriver/AbstractWebDriver.php:216
/builds/issue/drupal-637538/vendor/lullabot/php-webdriver/lib/WebDriver/AbstractWebDriver.php:287
/builds/issue/drupal-637538/vendor/lullabot/php-webdriver/lib/WebDriver/Container.php:231
/builds/issue/drupal-637538/vendor/lullabot/php-webdriver/lib/WebDriver/Session.php:579
/builds/issue/drupal-637538/vendor/lullabot/mink-selenium2-driver/src/Selenium2Driver.php:541
/builds/issue/drupal-637538/core/tests/Drupal/Tests/DocumentElement.php:41
/builds/issue/drupal-637538/core/tests/Drupal/Tests/UiHelperTrait.php:261
/builds/issue/drupal-637538/core/modules/system/tests/src/FunctionalJavascript/PageXssVulnerabilityTest.php:44
ERRORS!
Tests: 1, Assertions: 6, Errors: 1.

Removing that tag

Left some comments on the MR

Addressed the mentioned feedbacks & rebased the MR

Please review, move NR.

I couldn't find a better place for this test so think it's own file should be fine.

Rebased the MR with latest code, seems working fine

Added some comments to the MR.

Applied the mentioned suggestions.

Please review, moving NR

Believe feedback has been addressed

Added some more review comments to address.

Applied mentioned suggestion to the MR.

Please review, moving NR

Applied the mentioned suggestion & left some comments for some feedbacks.

The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Rebased MR with latest code & applied the left suggestion as well.

Please review, moving NR.

The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Addressed test failures & pipeline passed successfully.

Please review, moving NR.

@all
I have reviewed MR !7436. It's looks good.
Moving to RTBC.
Thank you!!

To maintain consistency some minor changes done

Please review, moving NR

Re-viewed the changes in the recent MR, Looks good.

Moving to RTBC+1

Only Rebased the MR with latest code, keeping it to the prev RTBC status

Committed and pushed 4c82b7eaac to 11.x and 80833d6441 to 11.0.x and 62fb919925 to 10.4.x and 9a57269327 to 10.3.x. Thanks!