Verified Commit 3ae37397 authored by Lee Rowlands's avatar Lee Rowlands

Issue #3410303 by longwave, Luke.Leber, Wim Leers, quietone, dslatkin:...

Issue #3410303 by longwave, Luke.Leber, Wim Leers, quietone, dslatkin: FilterHtml data loss when iframe and/or textarea is allowed
parent bd37e393
    ......@@ -7,6 +7,9 @@
    use Drupal\Component\Utility\Html;
    use Drupal\filter\FilterProcessResult;
    use Drupal\filter\Plugin\FilterBase;
    use Masterminds\HTML5\Parser\DOMTreeBuilder;
    use Masterminds\HTML5\Parser\Scanner;
    use Masterminds\HTML5\Parser\Tokenizer;
    /**
    * Provides a filter to limit allowed HTML tags.
    ......@@ -258,7 +261,20 @@ public function getHTMLRestrictions() {
    $star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);
    $dom = Html::load($html);
    // Use HTML5 parser with a custom tokenizer to correctly parse tags that
    // normally use text mode, such as iframe.
    $events = new DOMTreeBuilder(FALSE, ['disable_html_ns' => TRUE]);
    $scanner = new Scanner('<body>' . $html);
    $parser = new class($scanner, $events) extends Tokenizer {
    public function setTextMode($textMode, $untilTag = NULL) {
    // Do nothing, we never enter text mode.
    }
    };
    $parser->parse();
    $dom = $events->document();
    $xpath = new \DOMXPath($dom);
    foreach ($xpath->query('//body//*') as $node) {
    $tag = $node->tagName;
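Review bot: The `setTextMode` override in the anonymous `Tokenizer` subclass disables raw-text/RCDATA handling for every element the tokenizer would otherwise treat that way — presumably script, style, title and textarea as well as the iframe the comment names — and neither the comment above `$events` nor the one inside the method says why a parse that deliberately diverges from browser behaviour is acceptable here. The hunk header places this code in getHTMLRestrictions(), so `$html` appears to be the configured allowed_html tag list rather than user-submitted content; that property is what makes the divergence safe, and it should be stated so the pattern is not copied into a path that filters untrusted markup. I would replace the method comment with `// Never switch to raw-text/RCDATA mode: $html is the configured allowed_html tag list, not user content, and every tag in it must be seen as an element rather than swallowed as the text of a preceding <iframe> or <textarea>.` The enclosing method starts and ends outside the hunk.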
    ......@@ -579,6 +579,17 @@ public function testHtmlFilter() {
    $this->assertNormalized($f, '<a>link</a>', 'HTML filter removes allowed attributes that have a not explicitly allowed value.');
    $f = (string) $filter->process('<a href="/beautiful-animals" kitten="cute" llama="epic majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('<a href="/beautiful-animals" llama="epic majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
    // Allow iframes and check that the subsequent tags are parsed correctly.
    $filter->setConfiguration([
    'settings' => [
    'allowed_html' => '<iframe> <a href llama>',
    'filter_html_help' => 1,
    'filter_html_nofollow' => 0,
    ],
    ]);
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a llama="awesome">link</a>');
    }
    /**
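Review bot: The new case sets `allowed_html` to `<iframe> <a href llama>` only, so the textarea half of the issue named in the commit title is not covered, and iframe is exercised only in first position. I would add a second configuration after the existing one — e.g. `'allowed_html' => '<a href llama> <textarea> <iframe>',` (a constructed example) followed by the same `process()` and `assertNormalized()` pair — so a regression in either element, or in ordering, is caught rather than only the exact shape of the reported bug. The comment on the new case could also say what the regression was: `// Regression test: tags listed after <iframe>/<textarea> must not be swallowed as text.` testHtmlFilter() starts and ends outside the hunk.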