Verified Commit 846cce70 authored by Alex Pott

Issue #3284254 by Wim Leers, smustgrave, nod_: HTMLRestrictions should not allow <tag attr="*"> because that is equivalent to <tag attr>
parent 3ddfcf58
...@@ -235,6 +235,9 @@ private static function validateAllowedRestrictionsPhase4(array $elements): void ...@@ -235,6 +235,9 @@ private static function validateAllowedRestrictionsPhase4(array $elements): void
if ($html_tag_attribute_restrictions === []) { if ($html_tag_attribute_restrictions === []) {
throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" which is set to the empty array. This is not permitted, specify either TRUE to allow all attribute values, or list the attribute value restrictions.', $html_tag_name, $html_tag_attribute_name)); throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" which is set to the empty array. This is not permitted, specify either TRUE to allow all attribute values, or list the attribute value restrictions.', $html_tag_name, $html_tag_attribute_name));
} }
if (array_key_exists('*', $html_tag_attribute_restrictions)) {
throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" with a "*" allowed attribute value. This implies all attributes values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.', $html_tag_name, $html_tag_attribute_name));
}
// @codingStandardsIgnoreLine // @codingStandardsIgnoreLine
if (!Inspector::assertAll(function ($v) { return $v === TRUE; }, $html_tag_attribute_restrictions)) { if (!Inspector::assertAll(function ($v) { return $v === TRUE; }, $html_tag_attribute_restrictions)) {
throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has attribute restriction "%s", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.', $html_tag_name, $html_tag_attribute_name)); throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has attribute restriction "%s", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.', $html_tag_name, $html_tag_attribute_name));
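Review bot: the message in the new `array_key_exists('*', $html_tag_attribute_restrictions)` branch has a grammar slip and a doubled word: "all attributes values are allowed" should read "all attribute values are allowed", and the sentence "Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead." uses "instead" twice; suggest dropping the first one. Placing this check ahead of the `Inspector::assertAll` check is the right order, since `['*' => TRUE]` would otherwise satisfy that later check and silently behave as if no value restriction had been set. Because the check only matches the exact key `'*'`, it would help to state in the method's docblock that a bare `*` is rejected precisely because it is equivalent to `<tag attr>`, while prefix, infix and suffix wildcards remain valid.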
...@@ -91,6 +91,10 @@ public function providerConstruct(): \Generator { ...@@ -91,6 +91,10 @@ public function providerConstruct(): \Generator {
['foo' => ['baz' => TRUE], 'bar' => ['qux' => ['a', 'b']]], ['foo' => ['baz' => TRUE], 'bar' => ['qux' => ['a', 'b']]],
'The "bar" HTML tag has attribute restriction "qux", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.', 'The "bar" HTML tag has attribute restriction "qux", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.',
]; ];
yield 'INVALID: keys valid, values invalid attribute restrictions due to broad wildcard instead of prefix/infix/suffix wildcard allowed attribute value' => [
['foo' => ['bar' => ['*' => TRUE]]],
'The "foo" HTML tag has an attribute restriction "bar" with a "*" allowed attribute value. This implies all attributes values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.',
];
// Valid values. // Valid values.
yield 'VALID: keys valid, boolean attribute restriction values: also valid' => [ yield 'VALID: keys valid, boolean attribute restriction values: also valid' => [
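Review bot: the expected message in the new `INVALID: keys valid, values invalid attribute restrictions due to broad wildcard` case is a verbatim copy of the exception string from `validateAllowedRestrictionsPhase4()`, so any wording fix there (the "attributes values" and doubled "instead") must be mirrored here or the test goes red; asserting on a shorter distinctive fragment, or sharing the string via a constant, would remove that coupling. The case only covers `['*' => TRUE]` on its own; since the production check uses `array_key_exists`, a second case such as `['foo' => ['bar' => ['*' => TRUE, 'baz' => TRUE]]]` would document that `'*'` mixed with concrete values is rejected as well.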
...@@ -276,6 +280,10 @@ public function providerConvenienceConstructors(): \Generator { ...@@ -276,6 +280,10 @@ public function providerConvenienceConstructors(): \Generator {
'<a target>', '<a target>',
['a' => ['target' => TRUE]], ['a' => ['target' => TRUE]],
]; ];
yield 'tag with single attribute allowing any value unnecessarily explicitly' => [
'<a target="*">',
['a' => ['target' => TRUE]],
];
yield 'tag with single attribute allowing single specific value' => [ yield 'tag with single attribute allowing single specific value' => [
'<a target="_blank">', '<a target="_blank">',
['a' => ['target' => ['_blank' => TRUE]]], ['a' => ['target' => ['_blank' => TRUE]]],
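Review bot: this case pins down that the string form `<a target="*">` is normalized to `['a' => ['target' => TRUE]]` rather than rejected, while the array form `['*' => TRUE]` now throws in `validateAllowedRestrictionsPhase4()`. That asymmetry (lenient parsing of the string form, strict validation of the array form) matches the commit message, but it deserves a one-line comment on the provider entry, e.g. `// "*" as the only value equals no value restriction, so it is normalized, not rejected.`, so that a later reader does not "fix" the parser to throw. A sibling case covering `*` combined with a concrete value in the string form would also clarify whether that input is normalized here or passed through to the array-level check.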