
FilterHtml accepts <*> but does not support it, resulting in inaccurate ::getHtmlRestrictions() return value


Discovered while working on #3216015: Generate CKEditor 5 configuration based on pre-existing text format configuration for CKEditor 5.

Problem/Motivation

\Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions() parses a string of HTML tags into an array that defines which tags/attributes the filter allows. It accepts a wildcard <*> tag that represents all tags, and so appears to make it possible to allow/disallow specific attributes for all tags.

UPDATE per #6: while \Drupal\filter\Plugin\Filter\FilterHtml::settingsForm() does not check for this (there is zero validation for the allowed_html input 😱), which is why one can reasonably be led to believe that <*> is allowed…

That finding makes all of this wrong/irrelevant:

However, the returned array does not properly represent the config for "star" tags.

Before any parsing of the "allowed html" string occurs, all * instances are replaced with a placeholder:

    $star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);

Later in the code, any attribute names using * have the star restored:

    foreach ($node->attributes as $name => $attribute) {
      // Put back any trailing * on wildcard attribute name.
      $name = str_replace($star_protector, '*', $name);
      // ...
    }

But a star standing in for a tag name never gets un-starred, so the returned array includes a "tag" named after the $star_protector string. For example, when it parses a string containing the "tag" <* data-donk>, the result holds configuration for a __zqh6vxfbk3cg__ tag alongside the configuration for the * tag that is returned by default.

Steps to reproduce

See above.

Proposed resolution

  1. Drop <*> while parsing in ::getHtmlRestrictions() — done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
  2. Add test coverage proving that <*> in allowed_html has no effect — done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
  3. Add form-level validation — done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
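The following is an added, stripped-down model of the parsing flow described in the Problem/Motivation section together with fixes 1 and 3 above; it is not Drupal core's code, and the regexes, the validation message and the constructed input are assumptions made for the illustration.

```php
<?php
// Added model of the FilterHtml::getHTMLRestrictions() parsing flow, not
// Drupal core's code: shows how a "<*>" tag leaks out under the placeholder
// name, plus dropping it while parsing and rejecting it at the form level.

function parseAllowedHtml(string $allowed_html, bool $drop_star_tag = FALSE): array {
  // Same placeholder core uses so the HTML parser never sees a raw '*'.
  $star_protector = '__zqh6vxfbk3cg__';
  if ($drop_star_tag) {
    // Fix 1 (assumed regex): <*> is unsupported, so remove any "<* ...>" tag
    // before protecting the stars that belong to attribute wildcards.
    $allowed_html = preg_replace('/<\*(\s[^>]*)?>/', '', $allowed_html);
  }
  $html = str_replace('*', $star_protector, $allowed_html);

  $dom = new DOMDocument();
  // Unknown tags trigger libxml warnings; the element is still created.
  @$dom->loadHTML('<body>' . $html . '</body>');
  $xpath = new DOMXPath($dom);

  // The '*' entry core returns by default (simplified; core pre-populates it).
  $restrictions = ['*' => []];
  foreach ($xpath->query('//body//*') as $node) {
    $attributes = [];
    foreach ($node->attributes as $name => $attribute) {
      // Put back any trailing * on a wildcard attribute name, as core does.
      $name = str_replace($star_protector, '*', $name);
      $attributes[$name] = TRUE;
    }
    // Bug: tag names are never un-starred, so "<*>" becomes a restriction
    // keyed by the placeholder string instead of being merged into '*'.
    $restrictions[$node->nodeName] = $attributes ?: FALSE;
  }
  return $restrictions;
}

function validateAllowedHtml(string $allowed_html): ?string {
  // Fix 3 (assumed message text): form-level validation rejecting "<*" tags,
  // so administrators learn that the wildcard tag has no effect.
  return preg_match('/<\*[\s>]/', $allowed_html)
    ? 'The <*> wildcard tag is not supported in the allowed HTML list.'
    : NULL;
}

// Constructed input: a normal tag followed by the wildcard tag from the issue.
$input = '<p> <* data-donk>';
print_r(parseAllowedHtml($input));
print_r(parseAllowedHtml($input, TRUE));
var_dump(validateAllowedHtml($input));
```

The first print_r shows the leaked __zqh6vxfbk3cg__ key next to '*' and 'p'; the second, with the tag dropped, shows only '*' and 'p'.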

Remaining tasks

None.

User interface changes

API changes

None.

Data model changes

None.

Release notes snippet

None.

