From 4b633908332106148754b57e41060c7733b1bb0a Mon Sep 17 00:00:00 2001
From: Jen Lampton
Date: Sun, 10 Sep 2017 16:38:08 -0700
Subject: [PATCH 1/4] Issue #2459339 by hgoto, dagmar, klausi, kporras07, David_Rothstein, stefan.r, catch, Fabianx: Log messages should be XSS filtered on display.
---
 core/modules/dblog/dblog.admin.inc | 10 ++++++++--
 core/modules/dblog/tests/dblog.test | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/core/modules/dblog/dblog.admin.inc b/core/modules/dblog/dblog.admin.inc
index 66e7f9c0f87..bb215745004 100755
--- a/core/modules/dblog/dblog.admin.inc
+++ b/core/modules/dblog/dblog.admin.inc
@@ -1,5 +1,4 @@ message, unserialize($event->variables));
 }
+ // If the output is expected to be a link, strip all the tags and
+ // special characters by using filter_xss() without any allowed tags.
+ // If not, use filter_xss_admin() to allow some tags.
 if ($is_link && isset($event->wid)) {
- // Truncate message to 56 chars.
+ // Truncate message to 56 chars after stripping all the tags.
 $output = truncate_utf8(filter_xss($output, array()), 56, TRUE, TRUE);
 $output = l($output, 'admin/reports/event/' . $event->wid, array('html' => TRUE));
 }
+ else {
+ // Prevent XSS in log detail pages.
+ $output = filter_xss_admin($output);
+ }
 }
 return $output;
diff --git a/core/modules/dblog/tests/dblog.test b/core/modules/dblog/tests/dblog.test
index 4d7dcbf750d..60698794f8d 100755
--- a/core/modules/dblog/tests/dblog.test
+++ b/core/modules/dblog/tests/dblog.test
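Review bot: The new `else` branch and its comment `// Prevent XSS in log detail pages.` overstate what `filter_xss_admin()` provides: in Drupal 7/Backdrop it is the permissive admin-level filter that keeps most tags and attributes and drops only the dangerous subset (script/style, `on*` handlers, `javascript:` URLs), so this is damage limitation, not escaping, and the message string itself is still treated as trusted markup. Suggest replacing the comment with `// Messages are trusted markup (only placeholders are escaped when the message is formatted above, presumably via t()); filter_xss_admin() removes the dangerous subset but keeps most tags, so attacker-controlled text must only ever enter a message through placeholders.` The link branch is sound as written because `filter_xss($output, array())` encodes everything before `truncate_utf8()` and `'html' => TRUE`, although the 56-character cut can land inside an entity such as `&amp;`, which is cosmetic rather than a safety issue. The enclosing function starts before this hunk, so the conditions under which `$output` is built are not visible here.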
@@ -615,4 +615,32 @@ class DBLogTestCase extends BackdropWebTestCase {
 // Document Object Model (DOM).
 $this->assertLink(html_entity_decode($message_text), 0, $message);
 }
+
+ /**
+ * Make sure HTML tags are filtered out in the log detail page.
+ */
+ public function testLogMessageSanitized() {
+ $this->backdropLogin($this->big_user);
+
+ // Make sure dangerous HTML tags are filtered out in log detail page.
+ $log = array(
+ 'uid' => 0,
+ 'type' => 'custom',
+ 'message' => " Lorem ipsum",
+ 'variables' => NULL,
+ 'severity' => WATCHDOG_NOTICE,
+ 'link' => 'foo/bar',
+ 'request_uri' => 'http://example.com?dblog=1',
+ 'referer' => 'http://example.org?dblog=2',
+ 'ip' => '0.0.1.0',
+ 'timestamp' => REQUEST_TIME,
+ );
+ dblog_watchdog($log);
+
+ $wid = db_query('SELECT MAX(wid) FROM {watchdog}')->fetchField();
+ $this->backdropGet('admin/reports/event/' . $wid);
+ $this->assertResponse(200);
+ $this->assertNoRaw("");
+ $this->assertRaw("alert('foo'); Lorem ipsum");
+ }
 }
From 006059e1997039b153da45528a9b00287ae5c234 Mon Sep 17 00:00:00 2001
From: Jen Lampton
Date: Sun, 10 Sep 2017 16:52:23 -0700
Subject: [PATCH 2/4] Issue #1443342 by joseph.olstad, mikeytown2, LauraRocks, xjm, stefan.r, joelpittet, webchick, brianV, effulgentsia, Fabianx, Mac_Weber: Inline file_uri_scheme() in file_stream_wrapper_uri_normalize() and other file.inc functions.
---
 core/includes/file.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/includes/file.inc b/core/includes/file.inc
index 8a7620c3621..4c53f8a36a5 100755
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
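Review bot: `testLogMessageSanitized()` exercises a single script-tag vector (the tags themselves appear to have been stripped from this rendering, so the `'message'` literal and the `assertNoRaw("")` argument cannot be checked here) and only the detail page, while the display change has two distinct filtering paths. Add an attribute-based vector such as `'message' => '<img src="x" onerror="alert(1)"> Lorem ipsum'` with `$this->assertNoRaw('onerror');` on `admin/reports/event/$wid`, since `filter_xss_admin()` keeps `<img>` but must drop the handler, which is precisely what the detail page now relies on. Also fetch `admin/reports/dblog` and assert `$this->assertNoRaw('<script');` there to cover the truncated-link branch that uses `filter_xss()` with no allowed tags. Selecting `MAX(wid)` is acceptable in an isolated test database but would be racy with any concurrent writer, so a short comment noting that `dblog_watchdog()` does not appear to return the new id would explain the choice.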
@@ -279,7 +279,9 @@ function file_default_scheme() {
 * The normalized URI.
 */
 function file_stream_wrapper_uri_normalize($uri) {
- $scheme = file_uri_scheme($uri);
+ // Inline file_uri_scheme() function call for performance reasons.
+ $position = strpos($uri, '://');
+ $scheme = $position ? substr($uri, 0, $position) : FALSE;
 if ($scheme && file_stream_wrapper_valid_scheme($scheme)) {
 $target = file_uri_target($uri);
From 4d968859d4ae0461550e81e13179e8f0d486c95f Mon Sep 17 00:00:00 2001
From: Jen Lampton
Date: Sun, 10 Sep 2017 16:57:06 -0700
Subject: [PATCH 3/4] Issue #2379947 by ndobromirov, othermachines, David_Rothstein, hgoto: PHP Fatal error: Maximum execution time of 240 seconds exceeded in _locale_import_po.
---
 core/includes/gettext.inc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/core/includes/gettext.inc b/core/includes/gettext.inc
index ddfc949f426..687c20624b4 100755
--- a/core/includes/gettext.inc
+++ b/core/includes/gettext.inc
@@ -1,5 +1,4 @@ Date: Sun, 10 Sep 2017 17:19:02 -0700
Subject: [PATCH 4/4] Issue #2808789 by stefan.r, David_Rothstein, hanoii, Fabianx: Fix "An AJAX HTTP request terminated abnormally" alert after user has navigated away from the page.
---
 core/misc/autocomplete.js | 2 +-
 core/misc/backdrop.js | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/core/misc/autocomplete.js b/core/misc/autocomplete.js
index d2fc5936580..245798b56a5 100755
--- a/core/misc/autocomplete.js
+++ b/core/misc/autocomplete.js
@@ -333,7 +333,7 @@ Backdrop.ACDB.prototype.search = function (searchString) {
 }
 },
 error: function (xmlhttp) {
- alert(Backdrop.ajaxError(xmlhttp, db.uri));
+ Backdrop.displayAjaxError(Backdrop.ajaxError(xmlhttp, db.uri));
 }
 });
 }, this.delay);
diff --git a/core/misc/backdrop.js b/core/misc/backdrop.js
index 573f605afe8..6e72b327dc6 100755
--- a/core/misc/backdrop.js
+++ b/core/misc/backdrop.js
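Review bot: The inlined scheme parse in `file_stream_wrapper_uri_normalize()` duplicates the rule in `file_uri_scheme()` without saying so, so a future change to that helper (for example rejecting a scheme with invalid characters or treating `://` at offset 0 differently) will silently diverge from this copy. Keep the performance comment but make the coupling explicit: `// Inlined copy of file_uri_scheme() for performance; keep the two in sync.` Note that `$position ? substr(...) : FALSE` deliberately treats a URI beginning with `://` as schemeless, which matches the helper and is only safe here because the result is gated by `file_stream_wrapper_valid_scheme()` on the next line before any wrapper is resolved. The function body continues past the end of the hunk, so the remaining normalisation steps are not visible here.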
@@ -403,6 +403,29 @@ Backdrop.getSelection = function (element) {
 return { 'start': element.selectionStart, 'end': element.selectionEnd };
 };
+/**
+ * Add a global variable which determines if the window is being unloaded.
+ *
+ * This is primarily used by Backdrop.displayAjaxError().
+ */
+Backdrop.beforeUnloadCalled = false;
+$(window).bind('beforeunload pagehide', function () {
+ Backdrop.beforeUnloadCalled = true;
+});
+
+/**
+ * Displays a JavaScript error from an Ajax response when appropriate to do so.
+ */
+Backdrop.displayAjaxError = function (message) {
+ // Skip displaying the message if the user deliberately aborted (for example,
+ // by reloading the page or navigating to a different page) while the Ajax
+ // request was still ongoing. See, for example, the discussion at
+ // http://stackoverflow.com/questions/699941/handle-ajax-error-when-a-user-clicks-refresh.
+ if (!Backdrop.beforeUnloadCalled) {
+ alert(message);
+ }
+};
+
 /**
 * Build an error message from an Ajax response.
 */
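Review bot: `Backdrop.beforeUnloadCalled` is set on `beforeunload pagehide` but never cleared, so once a navigation is cancelled (a `beforeunload` prompt answered with "stay on page") or the page is restored from the back-forward cache (`pagehide` followed by `pageshow`), every later Ajax failure on that page is silently swallowed by `Backdrop.displayAjaxError()` for as long as the page lives. Reset the flag when the page is shown again, next to the existing binding: `$(window).bind('pageshow', function () { Backdrop.beforeUnloadCalled = false; });`. That covers the bfcache case; a cancelled `beforeunload` prompt cannot be detected from here, so the doc comment on `Backdrop.displayAjaxError()` should acknowledge it: `// Heuristic: a cancelled beforeunload prompt leaves the flag set, so a genuine error that follows one may be hidden.`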