Added Xss::filter() on output string to protect against XSS attacks

veegishx · Mar 1, 2019 · ed0cd85 · ed0cd85
1 parent cafb0bf
commit ed0cd85
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/config/install/http451.settings.yml b/config/install/http451.settings.yml
@@ -3,4 +3,4 @@ http451:
   custom_field_name: ''
   page_title: '451 Unavailable For Legal Reasons'
   page_status: '451'
-  page_content: "<html><head><title>Unavailable For Legal Reasons</title></head><body><h1>Unavailable For Legal Reasons</h1><p>This request may not be serviced in the Roman Province of Judea due to the Lex Julia Majestatis, which disallows access to resources hosted on servers deemed to be operated by the People's Front of Judea.</p></body></html>"
+  page_content: "<html><head><title>Unavailable For Legal Reasons</title></head><body><p>This request may not be serviced in the Roman Province of Judea due to the Lex Julia Majestatis, which disallows access to resources hosted on servers deemed to be operated by the People's Front of Judea.</p></body></html>"
diff --git a/src/EventSubscriber/Http451RedirectSubscriber.php b/src/EventSubscriber/Http451RedirectSubscriber.php
@@ -6,6 +6,7 @@
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\HttpFoundation\Response;
+use Drupal\Component\Utility\Xss;
 
 /**
  * Event Subscriber Http451RedirectSubscriber.
@@ -132,8 +133,8 @@ public function redirectMyContentTypeNode(GetResponseEvent $event) {
       // If flag = TRUE initialize a new response and set headers for HTTP451 status code.
       if ($found || $list == NULL) {
         $response = new Response();
-        $response->setContent(
-        '<p>' . $node->get($http451_custom_field)->page_content . '</p>
+        $response->setContent('<h1>' . $node->get($http451_custom_field)->page_title . '</h1>' .
+        '<p>' . Xss::filter($node->get($http451_custom_field)->page_content) . '</p>
                     <p>Enforced by: <a href="' . $node->get($http451_custom_field)->blocking_authority . '">' . $node->get($http451_custom_field)->blocking_authority . '</a></p>'
         );
 

diff --git a/src/Plugin/Field/FieldWidget/Http451Widget.php b/src/Plugin/Field/FieldWidget/Http451Widget.php
@@ -68,7 +68,7 @@ public function formElement(FieldItemListInterface $items, $delta, array $elemen
     $element['page_content'] = [
       '#type' => 'textarea',
       '#title' => $this->t('Reason for censorship: '),
-      '#default_value' => isset($items[$delta]->page_content) ? $items[$delta]->page_content : '<html><head><title>Unavailable For Legal Reasons</title></head><body><h1>451: Unavailable For Legal Reasons</h1><p>This request may not be serviced in the Roman Province of Judea due to the Lex Julia Majestatis, which disallows access to resources hosted on servers deemed to be operated by the People\'s Front of Judea.</p></body></html>',
+      '#default_value' => isset($items[$delta]->page_content) ? $items[$delta]->page_content : '<html><head><title>451: Unavailable For Legal Reasons</title></head><body><p>This request may not be serviced in the Roman Province of Judea due to the Lex Julia Majestatis, which disallows access to resources hosted on servers deemed to be operated by the People\'s Front of Judea.</p></body></html>',
       '#description' => $this->t('If you wish to use a custom message to show up on this page, you can set it here.'),
     ];