Problem/Motivation
Several valid formats for the datetime attribute of the time element contain a colon. Xss::filterAdmin removes the longest prefix ending in a colon, since it doesn't match a safe prefix. Other methods on the Xss class can also invoke the same behavior.
Note: This issue also affects the datetime attribute of del and ins elements.
Steps to reproduce
Psy Shell v0.7.2 (PHP 5.6.19 — cli) by Justin Hileman
>>> \Drupal\Component\Utility\Xss::filterAdmin('<time datetime="2016-11-10T00:00:00-08:00">November 10 2016</time>')
=> "<time datetime="00">November 10 2016</time>"Proposed resolution
Add datetime to the list of attributes that should skip protocol filtering in Xss:attributes().
Remaining tasks
Needs maintainer and security team review.
API changes
This is not an API change.
Release notes snippet
The Xss class will no longer filter protocols for datetime attributes. This will allow using <time>, <ins>, and <del> elements with colons in the datetime attribute. For further reference on valid datetime attribute values, see these MDN references:
Original Report
Tested this with 8.0.5, ran into this with Views field rewriting when using a custom Twig function that returns a custom 'Time' element. The Twig function works well enough in a template, but Views has a #post_render closure (in \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace()) that runs it through Xss::filterAdmin() again.
Psy Shell v0.7.2 (PHP 5.6.19 — cli) by Justin Hileman
>>> \Drupal\Component\Utility\Xss::filterAdmin('<time datetime="2016-11-10T00:00:00-08:00">November 10 2016</time>')
=> "<time datetime="00">November 10 2016</time>"I'm not sure what it's trying to filter out, but this is definitely not desired behavior. Seems like it should either strip the attribute entirely, or leave it untouched instead of altering it.