Skip to content
Snippets Groups Projects
Verified Commit cb6d0184 authored by Lee Rowlands's avatar Lee Rowlands
Browse files

Issue #3410303 by longwave, Luke.Leber, Wim Leers, quietone, dslatkin:...

Issue #3410303 by longwave, Luke.Leber, Wim Leers, quietone, dslatkin: FilterHtml data loss when iframe and/or textarea is allowed

(cherry picked from commit 3ae37397)
parent bb42fa92
No related branches found
No related tags found
15 merge requests!8376Drupal views: adding more granularity to the ‘use ajax’ functionality,!8300Issue #3443586 View area displays even when parent view has no results.,!7567Issue #3153723 by quietone, Hardik_Patel_12: Change the scaffolding...,!7565Issue #3153723 by quietone, Hardik_Patel_12: Change the scaffolding...,!7509Change label "Block description" to "Block type",!7344Issue #3292350 by O'Briat, KlemenDEV, hswong3i, smustgrave, quietone: Update...,!6922Issue #3412959 by quietone, smustgrave, longwave: Fix 12 'un' words,!6848Issue #3417553 by longwave: Remove withConsecutive() in CacheCollectorTest,!6720Revert "Issue #3358581 by pfrenssen, _tarik_, a.dmitriiev, smustgrave:...,!6560Update ClaroPreRender.php, confirming classes provided are in array format,!6528Issue #3414261 by catch: Add authenticated user umami performance tests,!6501Issue #3263668 by omkar-pd, Wim Leers, hooroomoo: Re-enable inline form errors...,!6354Draft: Issue #3380392 by phma: Updating language weight from the overview reverts label if translated,!6324Issue #3416723 by Ludo.R: Provide a "node type" views default argument,!6119Issue #3405704 by Spokje, longwave: symfony/psr-http-message-bridge major version bump
Pipeline #70560 passed
Pipeline: drupal

#70562

    ......@@ -7,6 +7,9 @@
    use Drupal\Component\Utility\Html;
    use Drupal\filter\FilterProcessResult;
    use Drupal\filter\Plugin\FilterBase;
    use Masterminds\HTML5\Parser\DOMTreeBuilder;
    use Masterminds\HTML5\Parser\Scanner;
    use Masterminds\HTML5\Parser\Tokenizer;
    /**
    * Provides a filter to limit allowed HTML tags.
    ......@@ -258,7 +261,20 @@ public function getHTMLRestrictions() {
    $star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);
    $dom = Html::load($html);
    // Use HTML5 parser with a custom tokenizer to correctly parse tags that
    // normally use text mode, such as iframe.
    $events = new DOMTreeBuilder(FALSE, ['disable_html_ns' => TRUE]);
    $scanner = new Scanner('<body>' . $html);
    $parser = new class($scanner, $events) extends Tokenizer {
    public function setTextMode($textMode, $untilTag = NULL) {
    // Do nothing, we never enter text mode.
    }
    };
    $parser->parse();
    $dom = $events->document();
    $xpath = new \DOMXPath($dom);
    foreach ($xpath->query('//body//*') as $node) {
    $tag = $node->tagName;
    ......
    ......@@ -579,6 +579,17 @@ public function testHtmlFilter() {
    $this->assertNormalized($f, '<a>link</a>', 'HTML filter removes allowed attributes that have a not explicitly allowed value.');
    $f = (string) $filter->process('<a href="/beautiful-animals" kitten="cute" llama="epic majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('<a href="/beautiful-animals" llama="epic majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
    // Allow iframes and check that the subsequent tags are parsed correctly.
    $filter->setConfiguration([
    'settings' => [
    'allowed_html' => '<iframe> <a href llama>',
    'filter_html_help' => 1,
    'filter_html_nofollow' => 0,
    ],
    ]);
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a llama="awesome">link</a>');
    }
    /**
    ......
    0% Loading or .
    You are about to add 0 people to the discussion. Proceed with caution.
    Finish editing this message first!
    Please register or to comment