Unverified Commit d448b54d authored by alexpott

Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/blacklist...

Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/blacklist in \Drupal\Component\Utility\Xss and its test and core/lib/Drupal/Core/Render/theme.api.php

(cherry picked from commit 7430b472)
parent be21de7f
......@@ -70,7 +70,7 @@ public static function filter($string, array $html_tags = NULL) {
// Defuse all HTML entities.
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist:
// Change back only well-formed entities in our list of allowed html tags:
// Decimal numeric entities.
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities.
......@@ -83,7 +83,7 @@ public static function filter($string, array $html_tags = NULL) {
$splitter = function ($matches) use ($html_tags, $class) {
return $class::split($matches[1], $html_tags, $class);
};
// Strip any tags that are not in the whitelist.
// Strip any tags that are not in the list of allowed html tags.
return preg_replace_callback('%
(
<(?=[^a-zA-Z!/]) # a lone <
......@@ -161,7 +161,9 @@ protected static function split($string, $html_tags, $class) {
$elem = '!--';
}
// When in whitelist mode, an element is disallowed when not listed.
// Defer to the ::needsRemoval() method to decide if the element is to be
// removed. This allows the list of tags to be treated as either a list of
// allowed tags or a list of denied tags.
if ($class::needsRemoval($html_tags, $elem)) {
return '';
}
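Review bot: The rewritten comment at the top of the first hunk mislabels what it guards: the three replacements that follow restore decimal, hexadecimal and named entities, not tags, so `// Change back only well-formed entities in our list of allowed html tags:` should read something like `// Change back only well-formed entities (decimal, hexadecimal, named) after the blanket defusing above:`. The second hunk's `// Strip any tags that are not in the list of allowed html tags.` also still describes allow-list mode only, while the third hunk's new comment says $html_tags may be treated as either an allowed or a denied list via ::needsRemoval(); a mode-neutral wording such as `// Strip any tags that ::split() rejects for the given $html_tags (allowed or denied list).` keeps the two in agreement. The bodies of filter() and split() begin and end outside these hunks. The `str_replace('&', '&', $string)` shown at the start of the first hunk is presumably the page rendering `&amp;` decoded rather than a code change, but the rendered line should be checked against the raw diff.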
......
......@@ -274,9 +274,9 @@
* vectors while allowing a permissive list of HTML tags that are not XSS
* vectors. (For example, <script> and <style> are not allowed.) See
* \Drupal\Component\Utility\Xss::$adminTags for the list of allowed tags. If
* your markup needs any of the tags not in this whitelist, then you can
* implement a theme hook and/or an asset library. Alternatively, you can use
* the key #allowed_tags to alter which tags are filtered.
* your markup needs any of the tags not in this list, then you can implement
* a theme hook and/or an asset library. Alternatively, you can use the key
* #allowed_tags to alter which tags are filtered.
* - #plain_text: Specifies that the array provides text that needs to be
* escaped. This value takes precedence over #markup.
* - #allowed_tags: If #markup is supplied, this can be used to change which
......