Xss::filterAdmin() incorrectly filters datetime attribute

Problem/Motivation

Several valid formats for the datetime attribute of the time element contain a colon. Xss::filterAdmin() treats the text before a colon as a URL protocol and, because that prefix does not match an allowed protocol, strips it together with the colon; repeated on the remainder, this removes the longest prefix ending in a colon. Other methods on the Xss class run attribute values through the same filtering and can trigger the same behaviour.

Note: This issue also affects the datetime attribute of del and ins elements.

Steps to reproduce

Psy Shell v0.7.2 (PHP 5.6.19 — cli) by Justin Hileman
>>> \Drupal\Component\Utility\Xss::filterAdmin('<time datetime="2016-11-10T00:00:00-08:00">November 10 2016</time>')
=> "<time datetime="00">November 10 2016</time>"

Proposed resolution

Add datetime to the list of attributes that skip protocol filtering in Xss::attributes().
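The following is an added, stand-alone reimplementation (not Drupal's own code) of the protocol-stripping loop that the Xss attribute filter applies to attribute values, together with the proposed fix of exempting datetime from it; the function names and the skip list are illustrative, not Drupal's. It shows the datetime value from the report collapsing to "00" when filtered as a URL and surviving intact once datetime skips protocol filtering, while URL attributes keep being filtered.

```php
<?php
// Hypothetical allow-list of URL schemes; Drupal's real list is configurable.
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'mailto', 'tel'];

// Attributes whose values are never URLs. The proposed fix adds 'datetime'
// so that <time>, <ins> and <del> values containing colons are left alone.
const SKIP_PROTOCOL_FILTER = ['title', 'alt', 'rel', 'datetime'];

/**
 * Repeatedly removes "prefix:" from the start of the value whenever the
 * prefix is not an allowed protocol. A datetime such as
 * "2016-11-10T00:00:00-08:00" is not a URL, so every colon-terminated
 * prefix is treated as a disallowed scheme and stripped.
 */
function strip_dangerous_protocols(string $uri): string {
    $iterations = 0;
    do {
        $before = $uri;
        $colonpos = strpos($uri, ':');
        if ($colonpos !== false) {
            $protocol = substr($uri, 0, $colonpos);
            // A '/', '?' or '#' before the colon means the colon belongs to a
            // path, query or fragment rather than a scheme: stop filtering.
            if (preg_match('![/?#]!', $protocol)) {
                break;
            }
            if (!in_array(strtolower($protocol), ALLOWED_PROTOCOLS, true)) {
                $uri = substr($uri, $colonpos + 1);
            }
        }
    } while ($before !== $uri && $uri !== '' && ++$iterations < 10);
    return $uri;
}

/**
 * Filters one attribute value the way the attribute filter does: values of
 * non-URL attributes pass through untouched, everything else is scheme-checked.
 */
function filter_attribute_value(string $name, string $value): string {
    if (in_array(strtolower($name), SKIP_PROTOCOL_FILTER, true)) {
        return $value;
    }
    return strip_dangerous_protocols($value);
}

$datetime = '2016-11-10T00:00:00-08:00';
// Before the fix, datetime went through the URL path and collapsed to "00".
echo strip_dangerous_protocols($datetime), PHP_EOL;
// After the fix, datetime is exempt and the full value is preserved.
echo filter_attribute_value('datetime', $datetime), PHP_EOL;
// URL attributes are still filtered: a disallowed scheme is removed,
// an allowed one is kept.
echo filter_attribute_value('href', 'javascript:void(0)'), PHP_EOL;
echo filter_attribute_value('href', 'https://example.com/a:b'), PHP_EOL;
```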

Remaining tasks

Needs maintainer and security team review.

API changes

This is not an API change.

Release notes snippet

The Xss class will no longer filter protocols for datetime attributes. This will allow using <time>, <ins>, and <del> elements with colons in the datetime attribute. For further reference on valid datetime attribute values, see these MDN references:

Original Report

Tested this with 8.0.5, ran into this with Views field rewriting when using a custom Twig function that returns a custom 'Time' element. The Twig function works well enough in a template, but Views has a #post_render closure (in \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace()) that runs it through Xss::filterAdmin() again.

Psy Shell v0.7.2 (PHP 5.6.19 — cli) by Justin Hileman
>>> \Drupal\Component\Utility\Xss::filterAdmin('<time datetime="2016-11-10T00:00:00-08:00">November 10 2016</time>')
=> "<time datetime="00">November 10 2016</time>"

I'm not sure what it's trying to filter out, but this is definitely not desired behavior. Seems like it should either strip the attribute entirely, or leave it untouched instead of altering it.
