From 846cce70f4f00db950dd0a8223a5ed336cfd26f2 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Mon, 3 Oct 2022 16:53:07 +0100
Subject: [PATCH] Issue #3284254 by Wim Leers, smustgrave, nod_:
 HTMLRestrictions should not allow <tag attr="*"> because that is equivalent
 to <tag attr>

---
 core/modules/ckeditor5/src/HTMLRestrictions.php           | 3 +++
 .../ckeditor5/tests/src/Unit/HTMLRestrictionsTest.php     | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/core/modules/ckeditor5/src/HTMLRestrictions.php b/core/modules/ckeditor5/src/HTMLRestrictions.php
index 2da610ef5ade..f7be01a33d5a 100644
--- a/core/modules/ckeditor5/src/HTMLRestrictions.php
+++ b/core/modules/ckeditor5/src/HTMLRestrictions.php
@@ -235,6 +235,9 @@ private static function validateAllowedRestrictionsPhase4(array $elements): void
         if ($html_tag_attribute_restrictions === []) {
           throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" which is set to the empty array. This is not permitted, specify either TRUE to allow all attribute values, or list the attribute value restrictions.', $html_tag_name, $html_tag_attribute_name));
         }
+        if (array_key_exists('*', $html_tag_attribute_restrictions)) {
+          throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" with a "*" allowed attribute value. This implies all attributes values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.', $html_tag_name, $html_tag_attribute_name));
+        }
         // @codingStandardsIgnoreLine
         if (!Inspector::assertAll(function ($v) { return $v === TRUE; }, $html_tag_attribute_restrictions)) {
           throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has attribute restriction "%s", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.', $html_tag_name, $html_tag_attribute_name));
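Review bot: The new exception message on the `array_key_exists('*', ...)` branch reads "This implies all attributes values are allowed", which should be "all attribute values"; the same string is asserted verbatim in the test hunk of HTMLRestrictionsTest.php (the `INVALID: ... broad wildcard` dataset), so both must change together: `'... with a "*" allowed attribute value. This implies all attribute values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.'`. The check only rejects the bare `*` key; if other degenerate wildcard forms are meant to be rejected as well, that is not covered here, but it may well be handled by the wildcard parsing elsewhere. The enclosing loop in validateAllowedRestrictionsPhase4 starts and ends outside the hunk.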
diff --git a/core/modules/ckeditor5/tests/src/Unit/HTMLRestrictionsTest.php b/core/modules/ckeditor5/tests/src/Unit/HTMLRestrictionsTest.php
index 2dea410170a2..59b0f423504b 100644
--- a/core/modules/ckeditor5/tests/src/Unit/HTMLRestrictionsTest.php
+++ b/core/modules/ckeditor5/tests/src/Unit/HTMLRestrictionsTest.php
@@ -91,6 +91,10 @@ public function providerConstruct(): \Generator {
       ['foo' => ['baz' => TRUE], 'bar' => ['qux' => ['a', 'b']]],
       'The "bar" HTML tag has attribute restriction "qux", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.',
     ];
+    yield 'INVALID: keys valid, values invalid attribute restrictions due to broad wildcard instead of prefix/infix/suffix wildcard allowed attribute value' => [
+      ['foo' => ['bar' => ['*' => TRUE]]],
+      'The "foo" HTML tag has an attribute restriction "bar" with a "*" allowed attribute value. This implies all attributes values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.',
+    ];
 
     // Valid values.
     yield 'VALID: keys valid, boolean attribute restriction values: also valid' => [
@@ -276,6 +280,10 @@ public function providerConvenienceConstructors(): \Generator {
       '<a target>',
       ['a' => ['target' => TRUE]],
     ];
+    yield 'tag with single attribute allowing any value unnecessarily explicitly' => [
+      '<a target="*">',
+      ['a' => ['target' => TRUE]],
+    ];
     yield 'tag with single attribute allowing single specific value' => [
       '<a target="_blank">',
       ['a' => ['target' => ['_blank' => TRUE]]],
-- 
GitLab