Problem/Motivation
There are at least 2 aspects that prove that this functionality has never worked as intended (it's broken in such a way that it is very unlikely that anyone has ever used it):
- FilterFormat::getHTMLRestrictions() computes the combined HTML restrictions across all filters, but doesn't correctly handle the case of using both the allowed (allowlist) and forbidden_tags (blocklist) aspects of FilterInterface::getHTMLRestrictions():
👉 #3271698: [PP-1] getHtmlRestrictions() ignores 'allowed_tags' settings if the first filter checked only provides 'forbidden_tags'
- The one filter that uses the forbidden_tags functionality does not actually work, and it is part of a test module, but no test actually uses it to forbid tags:
👉 #3271706: [PP-1] FilterFormat getHtmlRestrictions forbidden_tags expects different structure than the one provided by FilterTestRestrictTagsAndAttributes + #3231331: [PP-1] Generate test data compatible with interface in Drupal\filter_test\Plugin\Filter\FilterTestRestrictTagsAndAttributes::getHTMLRestrictions
Furthermore, a key security best practice to our knowledge is to use allowlists instead of blocklists.
Marked Major because it impacts the upgrade path from ckeditor.module (CKEditor 4) to ckeditor5.module (CKEditor 5): #3231336: [PP-1] Add validation for HTML restrictor filters that only set forbidden_tags.
Proposed resolution
Because of the three points above, @bnjmnm and I wondered if it even makes sense to fix the two (or rather three) bugs. Clearly nobody is using it.
Therefore we propose to deprecate this (obscure) functionality in Drupal 9.4 and remove it in Drupal 10.0.
This would allow us to close two bugs and be a net win for Drupal's security.
Remaining tasks
- ✅ Ask backend framework manager and release manager @catch for his input. 👉 He responded:
  @wimleers (he/him) I can't ever remember a filter that only disallows tags, if we want to remove, it's easy to deprecate in 9.4.x and remove in 10.0.x - can't really see a reason not to.
- ✅ Deprecate the returning of forbidden_tags by a filter's getHTMLRestrictions() in 9.4. 👉 #5
- ✅ Remove the "forbidden tags" functionality from FilterTestRestrictTagsAndAttributes in both Drupal 9.4 and 10.0, because it is not used anyway. 👉 #6
User interface changes
None.
API changes
- Drupal 9.4: any filter plugin's getHTMLRestrictions() that returns a top-level forbidden_tags key will result in a deprecation notice.
- Drupal 10.0: any filter plugin's getHTMLRestrictions() that returns a top-level forbidden_tags key will result in an exception.
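As an added illustration (not Drupal code), the following Python model shows why allowlists compose cleanly across filters (the effective restriction is the intersection of what every filter allows) and how the proposed rule from the API changes above would treat a filter that still reports a top-level forbidden_tags key: a deprecation warning in the 9.4 mode, an exception in the 10.0 mode. The simplified restriction structure ({'allowed': {tag: attrs}} with attrs a set of names or True for "any attribute") and the function names are constructed for this example.

```python
import warnings

# Constructed model of combining HTML restrictions across the filters of a
# text format. It is NOT Drupal's FilterFormat::getHTMLRestrictions(); the
# structure is simplified: {'allowed': {tag: attrs}} where attrs is a set of
# attribute names, or True meaning "any attribute" for that tag.

class ForbiddenTagsError(Exception):
    """Raised (10.0 mode) when a filter reports a top-level 'forbidden_tags' key."""

def intersect_allowed(a, b):
    """Intersect two allowlists: a tag survives only if both filters allow it,
    and it keeps only the attributes both filters allow."""
    out = {}
    for tag in a.keys() & b.keys():
        attrs_a, attrs_b = a[tag], b[tag]
        if attrs_a is True:
            out[tag] = attrs_b
        elif attrs_b is True:
            out[tag] = attrs_a
        else:
            out[tag] = attrs_a & attrs_b
    return out

def combine_restrictions(filter_restrictions, strict=False):
    """Fold every filter's restrictions into one effective allowlist.

    strict=False models the proposed 9.4 behaviour (DeprecationWarning),
    strict=True the proposed 10.0 behaviour (exception). Blocklisted tags
    are removed from the allowlist at the end; a blocklist on its own has no
    finite allowlist equivalent, which is why the two models compose badly.
    Returns None when no filter restricts HTML at all."""
    combined = None
    forbidden = set()
    for r in filter_restrictions:
        if 'forbidden_tags' in r:
            msg = "top-level 'forbidden_tags' in getHTMLRestrictions() is deprecated"
            if strict:
                raise ForbiddenTagsError(msg)
            warnings.warn(msg, DeprecationWarning)
            forbidden.update(r['forbidden_tags'])
        if 'allowed' in r:
            combined = dict(r['allowed']) if combined is None else intersect_allowed(combined, r['allowed'])
    if combined is not None:
        combined = {t: a for t, a in combined.items() if t not in forbidden}
    return combined

if __name__ == '__main__':
    filters = [  # constructed sample: two allowlist-only filters
        {'allowed': {'a': {'href', 'title'}, 'p': set(), 'img': True}},
        {'allowed': {'a': {'href'}, 'p': set(), 'strong': set()}},
    ]
    print(combine_restrictions(filters))  # {'a': {'href'}, 'p': set()}
```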
Data model changes
None.
Release notes snippet
TBD