Discovered while working on #3216015: Generate CKEditor 5 configuration based on pre-existing text format configuration for CKEditor 5.
Problem/Motivation
\Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions() parses a string of HTML tags into an array that defines which tags/attributes are allowed by the filter. It allows for a wildcard <*> tag that represents all tags, and makes it possible to allow/disallow specific attributes for all tags.

UPDATE per #6: While <*> … \Drupal\filter\Plugin\Filter\FilterHtml::settingsForm() does not check for this (there is zero validation for the allowed_html input 😱), which is why one can be reasonably led to believe that <*> is allowed… That finding makes all of this wrong/irrelevant:
However, the returned array does not properly represent the config for "star" tags.
Before any parsing of the "allowed html" string occurs, all * instances are replaced:

    $star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);

Later in the code, any attributes using * have the star put back:

    foreach ($node->attributes as $name => $attribute) {
      // Put back any trailing * on wildcard attribute name.
      $name = str_replace($star_protector, '*', $name);
      // ...
    }

But stars representing a tag never get un-starred, and the returned array will include the "tag" for the $star_protector string. For example, when it parses a string containing the "tag" <* data-donk>, there is configuration for a __zqh6vxfbk3cg__ tag alongside the config for the * tag that is returned by default.
Steps to reproduce
See above.
Proposed resolution
- Drop <*> while parsing in ::getHtmlRestrictions() — done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
- Add test coverage proving that <*> in allowed_html has no effect — done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
- Add form-level validation. — done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
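To make the star-protector flow described above concrete, here is an added, self-contained PHP reconstruction (not Drupal core's code and not the merge request's change) that reproduces the leaked __zqh6vxfbk3cg__ "tag" and shows the effect of dropping the <*> tag while parsing, as in the first resolution item. The function parse_allowed_html(), the $drop_star_tag switch and the input string are constructed for this illustration; the parsing approach (self-closing every tag, then protecting * before loading into DOMDocument) mirrors what core does.

```php
<?php
// Added example, not Drupal's own code: a stripped-down stand-in for the
// star-protector handling in FilterHtml::getHTMLRestrictions(), enough to show
// the "__zqh6vxfbk3cg__" tag leaking and the effect of dropping "<*>".

function parse_allowed_html(string $html, bool $drop_star_tag): array {
  // Make every tag self-closing so each becomes a direct child of <body>.
  $html = str_replace('>', ' />', $html);
  // Protect "*" so the HTML parser does not strip it from attribute names.
  $star_protector = '__zqh6vxfbk3cg__';
  $html = str_replace('*', $star_protector, $html);

  libxml_use_internal_errors(TRUE);  // Unknown tag names only raise warnings.
  $dom = new DOMDocument();
  $dom->loadHTML('<body>' . $html . '</body>');
  libxml_clear_errors();

  $allowed = [];
  foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $node) {
    if ($node->nodeType !== XML_ELEMENT_NODE) {
      continue;  // Whitespace text nodes between the tags.
    }
    $tag = $node->tagName;
    // The bug: a protected "*" in a tag name is never put back, so the
    // protector string itself ends up reported as an allowed tag.
    if ($drop_star_tag && $tag === $star_protector) {
      continue;  // Resolution (simplified): "<*>" is not a real tag; drop it.
    }
    $attrs = [];
    foreach ($node->attributes as $name => $attribute) {
      // Only attribute names get their "*" restored, as in core.
      $name = str_replace($star_protector, '*', $name);
      $attrs[$name] = TRUE;
    }
    $allowed[$tag] = $attrs ?: FALSE;
  }
  // Global attribute rules core appends for every tag under "*" (simplified).
  $allowed['*'] = ['style' => FALSE, 'on*' => FALSE, 'lang' => TRUE, 'dir' => TRUE];
  return $allowed;
}

// Constructed input: a plain tag, a wildcard attribute, and the "<*>" tag.
$input = '<p> <a href data-*> <* data-donk>';
$buggy = parse_allowed_html($input, FALSE);
$fixed = parse_allowed_html($input, TRUE);
// Does the protector string show up as a "tag" in each result?
var_dump(isset($buggy['__zqh6vxfbk3cg__']), isset($fixed['__zqh6vxfbk3cg__']));
var_dump(array_keys($buggy), array_keys($fixed));
```

Run it with the PHP CLI (the dom extension must be loaded); compare the tag keys of $buggy and $fixed to see the protector string disappear once <*> is dropped.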
Remaining tasks
None.
User interface changes
API changes
None.
Data model changes
None.
Release notes snippet
None.