Channel: Issues for Drupal core

Deprecate FilterInterface::getHTMLRestrictions()' forbidden_tags functionality


Problem/Motivation

There are at least 2 aspects that prove that this functionality has never worked as intended (it's broken in such a way that it is very unlikely that anyone has ever used it):

  1. FilterFormat::getHTMLRestrictions() computes the combined HTML restrictions across all filters, but doesn't correctly handle the case of using both the allowed (allowlist) and forbidden_tags (blocklist) aspects of FilterInterface::getHTMLRestrictions:
    👉 #3271698: [PP-1] getHtmlRestrictions() ignores 'allowed_tags' settings if the first filter checked only provides 'forbidden_tags'
  2. The one filter that uses the forbidden_tags functionality does not actually work and is part of a test module but no test actually uses it to forbid tags:
    👉 #3271706: [PP-1] FilterFormat getHtmlRestrictions forbidden_tags expects different structure than the one provided by FilterTestRestrictTagsAndAttributes + #3231331: [PP-1] Generate test data compatible with interface in Drupal\filter_test\Plugin\Filter\FilterTestRestrictTagsAndAttributes::getHTMLRestrictions

Furthermore, a key security best practice, to our knowledge, is to use allowlists instead of blocklists: a blocklist only excludes the tags someone remembered to name, whereas an allowlist excludes everything that was not explicitly permitted.

Marked Major because it impacts the upgrade path from ckeditor.module (CKEditor 4) to ckeditor5.module (CKEditor 5): #3231336: [PP-1] Add validation for HTML restrictor filters that only set forbidden_tags.

Proposed resolution

Because of the three points above, @bnjmnm and I wondered if it even makes sense to fix these bugs. Clearly nobody is using it.

Therefore we propose to deprecate this (obscure) functionality in Drupal 9.4 and remove it in Drupal 10.0.

This would allow us to close two bugs and be a net win for Drupal's security.

Remaining tasks

  1. Ask backend framework manager and release manager @catch for his input.

    👉 He responded:

    @wimleers (he/him) I can't ever remember a filter that only disallows tags, if we want to remove, it's easy to deprecate in 9.4.x and remove in 10.0.x - can't really see a reason not to.

  2. Deprecate the returning of forbidden_tags by a filter's getHTMLRestrictions() in 9.4.
    👉 #5
  3. Remove the "forbidden tags" functionality from FilterTestRestrictTagsAndAttributes in both Drupal 9.4 and 10.0, because it is not used anyway.
    👉 #6

User interface changes

None.

API changes

  1. Drupal 9.4: any filter plugin's getHTMLRestrictions() that returns a top-level forbidden_tags key will result in a deprecation notice.
  2. Drupal 10.0: any filter plugin's getHTMLRestrictions() that returns a top-level forbidden_tags key will result in an exception.
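The two API-change behaviours above, as an added example that is not Drupal core code: a standalone PHP sketch of a validator that emits the 9.4 deprecation notice or the 10.0 exception when a filter returns a top-level forbidden_tags key, beside the allowlist form a filter should return instead. checkHtmlRestrictions() and the plugin IDs are assumed names, not Drupal's own.

```php
<?php
// Added example, not Drupal core code: a standalone sketch of the check this
// issue proposes. In 9.4 a top-level 'forbidden_tags' key only triggers a
// deprecation; in 10.0 it is rejected. checkHtmlRestrictions() and its
// signature are assumed here for illustration.
declare(strict_types=1);

/**
 * Validates what one filter plugin's getHTMLRestrictions() returned.
 * $removed FALSE emulates 9.4 (deprecation notice), TRUE emulates 10.0 (exception).
 */
function checkHtmlRestrictions(array $restrictions, string $pluginId, bool $removed = FALSE): void {
  if (!array_key_exists('forbidden_tags', $restrictions)) {
    return;
  }
  $message = sprintf(
    "Returning 'forbidden_tags' from %s::getHTMLRestrictions() is deprecated in drupal:9.4.0 and removed in drupal:10.0.0. Return an 'allowed' allowlist instead.",
    $pluginId
  );
  if ($removed) {
    throw new \LogicException($message);
  }
  // Drupal's convention for deprecations: a silenced E_USER_DEPRECATED.
  @trigger_error($message, E_USER_DEPRECATED);
}

// Constructed sample: the blocklist form being deprecated ...
$blocklist = ['forbidden_tags' => ['script', 'object']];
// ... and the allowlist form filters should return instead. Every tag not
// listed is disallowed, so <script> and <object> are excluded without being
// named. FALSE means "no attributes", TRUE as attribute value means "any value".
$allowlist = ['allowed' => ['p' => FALSE, 'em' => FALSE, 'a' => ['href' => TRUE]]];

// Surface the deprecation so the 9.4 path is visible when run; a custom
// error handler is invoked even for @-silenced errors.
set_error_handler(function (int $errno, string $errstr): bool {
  echo "Deprecated: $errstr\n";
  return TRUE;
}, E_USER_DEPRECATED);

checkHtmlRestrictions($allowlist, 'filter_allowlist_example');  // silent
checkHtmlRestrictions($blocklist, 'filter_blocklist_example');  // deprecation notice
try {
  checkHtmlRestrictions($blocklist, 'filter_blocklist_example', TRUE);
} catch (\LogicException $e) {
  echo "Drupal 10 would throw: {$e->getMessage()}\n";
}
```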

Data model changes

None.

Release notes snippet

TBD