Commit 16a44263 authored by catch's avatar catch

Issue #3259255 by gordon, smustgrave, cilefen, quietone, catch, larowlan:...

Issue #3259255 by gordon, smustgrave, cilefen, quietone, catch, larowlan: Html::escapeCdataElement() not adding CDATA correctly
parent 36ef945b
...@@ -350,17 +350,16 @@ public static function serialize(\DOMDocument $document) { ...@@ -350,17 +350,16 @@ public static function serialize(\DOMDocument $document) {
public static function escapeCdataElement(\DOMNode $node, $comment_start = '//', $comment_end = '') { public static function escapeCdataElement(\DOMNode $node, $comment_start = '//', $comment_end = '') {
foreach ($node->childNodes as $child_node) { foreach ($node->childNodes as $child_node) {
if ($child_node instanceof \DOMCdataSection) { if ($child_node instanceof \DOMCdataSection) {
$embed_prefix = "\n<!--{$comment_start}--><![CDATA[{$comment_start} ><!--{$comment_end}\n"; $data = $child_node->data;
$embed_suffix = "\n{$comment_start}--><!]]>{$comment_end}\n"; if (!str_contains($child_node->data, 'CDATA')) {
$embed_prefix = "\n{$comment_start}<![CDATA[{$comment_end}\n";
$embed_suffix = "\n{$comment_start}]]>{$comment_end}\n";
// Prevent invalid cdata escaping as this would throw a DOM error. $data = $embed_prefix . $data . $embed_suffix;
// This is the same behavior as found in libxml2. }
// Related W3C standard: http://www.w3.org/TR/REC-xml/#dt-cdsection
// Fix explanation: http://wikipedia.org/wiki/CDATA#Nesting
$data = str_replace(']]>', ']]]]><![CDATA[>', $child_node->data);
$fragment = $node->ownerDocument->createDocumentFragment(); $fragment = $node->ownerDocument->createDocumentFragment();
$fragment->appendXML($embed_prefix . $data . $embed_suffix); $fragment->appendXML($data);
$node->appendChild($fragment); $node->appendChild($fragment);
$node->removeChild($child_node); $node->removeChild($child_node);
} }
......
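Review bot: Dropping the `]]>` escaping leaves the wrapped branch open to early termination: script or style text that contains `]]>` but not the literal `CDATA` (a constructed example is `a[b[0]]>c`) is now enclosed in `<![CDATA[ ... ]]>` whose section closes at the first `]]>`, so the remainder reaches `appendXML()` as bare XML text with an illegal `]]>` sequence and is presumably rejected, after which `removeChild()` discards the original content. Inside the `if (!str_contains(...))` branch, escape before wrapping with `$data = str_replace(']]>', ']]]]><![CDATA[>', $data);`; a second normalize() then sees `CDATA` in the result and leaves it alone, so the idempotence the new tests check is preserved. The `str_contains($child_node->data, 'CDATA')` test is also only a substring heuristic: content that merely mentions CDATA (in a string literal, say) skips the wrapping and is handed to `appendXML()` unescaped, and the return value of `appendXML()` is not checked anywhere in the hunk, so a parse failure there would silently empty the element. The rest of escapeCdataElement continues outside the hunk.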
...@@ -1015,23 +1015,23 @@ public function testHtmlCorrectorFilter() { ...@@ -1015,23 +1015,23 @@ public function testHtmlCorrectorFilter() {
$f = Html::normalize('<script>alert("test")</script>'); $f = Html::normalize('<script>alert("test")</script>');
$this->assertEquals('<script> $this->assertEquals('<script>
<!--//--><![CDATA[// ><!-- //<![CDATA[
alert("test") alert("test")
//--><!]]> //]]>
</script>', $f, 'HTML corrector -- CDATA added to script element'); </script>', $f, 'HTML corrector -- CDATA added to script element');
$f = Html::normalize('<p><script>alert("test")</script></p>'); $f = Html::normalize('<p><script>alert("test")</script></p>');
$this->assertEquals('<p><script> $this->assertEquals('<p><script>
<!--//--><![CDATA[// ><!-- //<![CDATA[
alert("test") alert("test")
//--><!]]> //]]>
</script></p>', $f, 'HTML corrector -- CDATA added to a nested script element'); </script></p>', $f, 'HTML corrector -- CDATA added to a nested script element');
$f = Html::normalize('<p><style> /* Styling */ body {color:red}</style></p>'); $f = Html::normalize('<p><style> /* Styling */ body {color:red}</style></p>');
$this->assertEquals('<p><style> $this->assertEquals('<p><style>
<!--/*--><![CDATA[/* ><!--*/ /*<![CDATA[*/
/* Styling */ body {color:red} /* Styling */ body {color:red}
/*--><!]]>*/ /*]]>*/
</style></p>', $f, 'HTML corrector -- CDATA added to a style element.'); </style></p>', $f, 'HTML corrector -- CDATA added to a style element.');
$filtered_data = Html::normalize('<p><style> $filtered_data = Html::normalize('<p><style>
...@@ -1041,50 +1041,38 @@ public function testHtmlCorrectorFilter() { ...@@ -1041,50 +1041,38 @@ public function testHtmlCorrectorFilter() {
/*]]>*/ /*]]>*/
</style></p>'); </style></p>');
$this->assertEquals('<p><style> $this->assertEquals('<p><style>
<!--/*--><![CDATA[/* ><!--*/
/*<![CDATA[*/ /*<![CDATA[*/
/* Styling */ /* Styling */
body {color:red} body {color:red}
/*]]]]><![CDATA[>*/ /*]]>*/
/*--><!]]>*/
</style></p>', $filtered_data, </style></p>', $filtered_data,
new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '/*<![CDATA[*/']) new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '/*<![CDATA[*/'])
); );
$filtered_data = Html::normalize('<p><style> $filtered_data = Html::normalize('<p><style>
<!--/*--><![CDATA[/* ><!--*/ /*<![CDATA[*/
/* Styling */ /* Styling */
body {color:red} body {color:red}
/*--><!]]>*/ /*]]>*/
</style></p>'); </style></p>');
$this->assertEquals('<p><style> $this->assertEquals('<p><style>
<!--/*--><![CDATA[/* ><!--*/ /*<![CDATA[*/
<!--/*--><![CDATA[/* ><!--*/
/* Styling */ /* Styling */
body {color:red} body {color:red}
/*--><!]]]]><![CDATA[>*/ /*]]>*/
/*--><!]]>*/
</style></p>', $filtered_data, </style></p>', $filtered_data,
new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '<!--/*--><![CDATA[/* ><!--*/']) new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '<!--/*--><![CDATA[/* ><!--*/'])
); );
$filtered_data = Html::normalize('<p><script> $filtered_data = Html::normalize('<p><script>
<!--//--><![CDATA[// ><!-- //<![CDATA[
alert("test"); alert("test");
//--><!]]> //]]>
</script></p>'); </script></p>');
$this->assertEquals('<p><script> $this->assertEquals('<p><script>
<!--//--><![CDATA[// ><!-- //<![CDATA[
<!--//--><![CDATA[// ><!--
alert("test"); alert("test");
//--><!]]]]><![CDATA[> //]]>
//--><!]]>
</script></p>', $filtered_data, </script></p>', $filtered_data,
new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '<!--//--><![CDATA[// ><!--']) new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '<!--//--><![CDATA[// ><!--'])
); );
...@@ -1092,20 +1080,45 @@ public function testHtmlCorrectorFilter() { ...@@ -1092,20 +1080,45 @@ public function testHtmlCorrectorFilter() {
$filtered_data = Html::normalize('<p><script> $filtered_data = Html::normalize('<p><script>
// <![CDATA[ // <![CDATA[
alert("test"); alert("test");
// ]]> //]]>
</script></p>'); </script></p>');
$this->assertEquals('<p><script> $this->assertEquals('<p><script>
<!--//--><![CDATA[// ><!--
// <![CDATA[ // <![CDATA[
alert("test"); alert("test");
// ]]]]><![CDATA[> //]]>
//--><!]]>
</script></p>', $filtered_data, </script></p>', $filtered_data,
new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '// <![CDATA[']) new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '// <![CDATA['])
); );
$filtered_data = Html::normalize('<p><script>
// <![CDATA[![CDATA[![CDATA[
alert("test");
//]]]]]]>
</script></p>');
$this->assertEquals('<p><script>
// <![CDATA[![CDATA[![CDATA[
alert("test");
//]]]]]]>
</script></p>', $filtered_data,
new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '// <![CDATA[![CDATA[![CDATA['])
);
// Test calling Html::normalize() twice.
$filtered_data = Html::normalize('<p><script>
// <![CDATA[![CDATA[![CDATA[
alert("test");
//]]]]]]>
</script></p>');
$filtered_data = Html::normalize($filtered_data);
$this->assertEquals('<p><script>
// <![CDATA[![CDATA[![CDATA[
alert("test");
//]]]]]]>
</script></p>', $filtered_data,
new FormattableMarkup('HTML corrector -- Existing cdata section @pattern_name properly escaped', ['@pattern_name' => '// <![CDATA[![CDATA[![CDATA['])
);
} }
/** /**
......
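Review bot: The assertion messages on the rewritten cases still name the old prefix: the `@pattern_name` values `'<!--/*--><![CDATA[/* ><!--*/'` and `'<!--//--><![CDATA[// ><!--'` are kept while the inputs just above them were changed to `/*<![CDATA[*/` and `//<![CDATA[`, so a failure would report a pattern that no longer appears in the test. They should follow the input, i.e. `['@pattern_name' => '/*<![CDATA[*/']` and `['@pattern_name' => '//<![CDATA[']`. The added cases only cover content that already mentions CDATA; nothing exercises content containing `]]>` without that word, which is the path where the wrapper is now applied without the former `]]>` escaping, and a constructed case such as `<p><script>if (a[b[0]]>c) {}</script></p>` asserting the output is well-formed and unchanged by a second normalize() would pin it. The two new inputs are identical, so the second call can reuse the first `$filtered_data` rather than repeating the literal. testHtmlCorrectorFilter starts before the first hunk.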