From d4706a273b18e1c0f560c6853d54d5b09cd1f319 Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:03:02 +0200
Subject: [PATCH 1/8] Apply patch from comment 39
---
.../filter/src/FilterFormatFormBase.php | 11 ++++
.../FilterDangerousHTMLWarningTest.php | 64 +++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
diff --git a/core/modules/filter/src/FilterFormatFormBase.php b/core/modules/filter/src/FilterFormatFormBase.php
index 7e694188e4dc..dd4da670e783 100644
--- a/core/modules/filter/src/FilterFormatFormBase.php
+++ b/core/modules/filter/src/FilterFormatFormBase.php
@@ -8,6 +8,7 @@
use Drupal\filter\Plugin\Filter\FilterNull;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
+use Drupal\Component\Utility\Xss;
/**
* Provides a base form for a filter format.
@@ -237,6 +238,16 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
}
}
+ // Display warning for insecure HTML tags.
+ $allowed_html = $form_state->getValue('filters')['filter_html']['settings']['allowed_html'];
+ $safe_tags = ['a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'strong', 'sub', 'summary', 'sup', 'tbody', 'tfoot', 'th', 'thead', 'time', 'tt', 'u', 'ul', 'var', 'wbr'];
+ $xss_filtered_html = Xss::filter($allowed_html, $safe_tags);
+ if (strcasecmp($allowed_html, $xss_filtered_html)) {
+ $this->messenger()->addWarning($this->t('You have insecure HTML tags in your filter format. Please review documentation on <a href="@link">configuring text formats for security</a>.', ['@link' => 'https://www.drupal.org/node/224921']));
+ }
+
+ $form_state->setRedirect('filter.admin_overview');
+
return $this->entity;
}
diff --git a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
new file mode 100644
index 000000000000..e0978ed04a64
--- /dev/null
+++ b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
@@ -0,0 +1,64 @@
+<?php
+
+namespace Drupal\Tests\filter\Functional;
+
+use Drupal\filter\Entity\FilterFormat;
+use Drupal\Tests\BrowserTestBase;
+use Drupal\user\RoleInterface;
+
+/**
+ * Tests that a warning message appears when dangerous HTML tags are allowed in
+ * a filter format.
+ *
+ * @group filter
+ */
+class FilterDangerousHTMLWarningTest extends BrowserTestBase {
+
+ /**
+ * Modules to enable.
+ *
+ * @var array
+ */
+ public static $modules = ['filter', 'filter_test'];
+
+ /**
+ * A user with administrative permissions.
+ *
+ * @var \Drupal\user\UserInterface
+ */
+ protected $adminUser;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp() {
+ parent::setUp();
+
+ /** @var \Drupal\filter\Entity\FilterFormat $filtered_html_format */
+ $filtered_html_format = FilterFormat::load('filtered_html');
+ $filtered_html_permission = $filtered_html_format->getPermissionName();
+ user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, [$filtered_html_permission]);
+
+ $this->adminUser = $this->drupalCreateUser(['administer modules', 'administer filters', 'administer site configuration']);
+ $this->drupalLogin($this->adminUser);
+ }
+
+ /**
+ * Tests that a warning message appears when dangerous HTML tags are allowed
+ */
+ public function testDangerousHTMLWarning() {
+ $format_id = 'filtered_html';
+
+ // Check if no warnings exist when no dangerous tags are present
+ $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, [], t('Save configuration'));
+ $this->assertNoText('Warning message', 'There are no warnings on this page');
+
+ // Check if warning pops up when dangerous tags are present
+ $edit = [
+ 'filters[filter_html][settings][allowed_html]' => '<iframe>',
+ ];
+ $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, $edit, t('Save configuration'));
+ $this->assertRaw('Warning message', 'There is a warning on this page');
+ }
+
+}
--
GitLab
From ee28347002e05b4df9395a9c40ac83da4370dd6e Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:08:54 +0200
Subject: [PATCH 2/8] Lint
---
.../FilterDangerousHTMLWarningTest.php | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
index e0978ed04a64..2d9a98e2cdae 100644
--- a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
+++ b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
@@ -1,23 +1,23 @@
<?php
+declare(strict_types=1);
+
namespace Drupal\Tests\filter\Functional;
use Drupal\filter\Entity\FilterFormat;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\RoleInterface;
+use Drupal\user\UserInterface;
/**
- * Tests that a warning message appears when dangerous HTML tags are allowed in
- * a filter format.
+ * Tests that a warning message appears when dangerous HTML tags are allowed in a filter format.
*
* @group filter
*/
class FilterDangerousHTMLWarningTest extends BrowserTestBase {
/**
- * Modules to enable.
- *
- * @var array
+ * {@inheritdoc}
*/
public static $modules = ['filter', 'filter_test'];
@@ -26,12 +26,12 @@ class FilterDangerousHTMLWarningTest extends BrowserTestBase {
*
* @var \Drupal\user\UserInterface
*/
- protected $adminUser;
+ protected UserInterface $adminUser;
/**
* {@inheritdoc}
*/
- protected function setUp() {
+ protected function setUp(): void {
parent::setUp();
/** @var \Drupal\filter\Entity\FilterFormat $filtered_html_format */
@@ -44,20 +44,20 @@ protected function setUp() {
}
/**
- * Tests that a warning message appears when dangerous HTML tags are allowed
+ * Tests that a warning message appears when dangerous HTML tags are allowed.
*/
public function testDangerousHTMLWarning() {
$format_id = 'filtered_html';
// Check if no warnings exist when no dangerous tags are present
- $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, [], t('Save configuration'));
+ $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, [], 'Save configuration');
$this->assertNoText('Warning message', 'There are no warnings on this page');
// Check if warning pops up when dangerous tags are present
$edit = [
'filters[filter_html][settings][allowed_html]' => '<iframe>',
];
- $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, $edit, t('Save configuration'));
+ $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, $edit, 'Save configuration');
$this->assertRaw('Warning message', 'There is a warning on this page');
}
--
GitLab
From fa95cbea594d26b3f3310d2cfed33a4ccda011bb Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:13:33 +0200
Subject: [PATCH 3/8] Fix test
---
.../Functional/FilterDangerousHTMLWarningTest.php | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
index 2d9a98e2cdae..2d089f24fc95 100644
--- a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
+++ b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
@@ -28,6 +28,11 @@ class FilterDangerousHTMLWarningTest extends BrowserTestBase {
*/
protected UserInterface $adminUser;
+ /**
+ * {@inheritdoc}
+ */
+ protected $defaultTheme = 'stark';
+
/**
* {@inheritdoc}
*/
@@ -50,15 +55,17 @@ public function testDangerousHTMLWarning() {
$format_id = 'filtered_html';
// Check if no warnings exist when no dangerous tags are present
- $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, [], 'Save configuration');
- $this->assertNoText('Warning message', 'There are no warnings on this page');
+ $this->drupalGet('admin/config/content/formats/manage/' . $format_id);
+ $this->submitForm([], 'Save configuration');
+ $this->assertSession()->pageTextContains('Warning message', 'There are no warnings on this page');
// Check if warning pops up when dangerous tags are present
$edit = [
'filters[filter_html][settings][allowed_html]' => '<iframe>',
];
- $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, $edit, 'Save configuration');
- $this->assertRaw('Warning message', 'There is a warning on this page');
+ $this->drupalGet('admin/config/content/formats/manage/' . $format_id);
+ $this->submitForm($edit, 'Save configuration');
+ $this->assertSession()->responseContains('Warning message', 'There is a warning on this page');
}
}
--
GitLab
From 5a57c681c95a4bbdc3fdbba74ebc3f9216163f66 Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:14:23 +0200
Subject: [PATCH 4/8] "Please" is forbidden
---
core/modules/filter/src/FilterFormatFormBase.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/modules/filter/src/FilterFormatFormBase.php b/core/modules/filter/src/FilterFormatFormBase.php
index dd4da670e783..64045aa5b8d2 100644
--- a/core/modules/filter/src/FilterFormatFormBase.php
+++ b/core/modules/filter/src/FilterFormatFormBase.php
@@ -243,7 +243,7 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
$safe_tags = ['a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'strong', 'sub', 'summary', 'sup', 'tbody', 'tfoot', 'th', 'thead', 'time', 'tt', 'u', 'ul', 'var', 'wbr'];
$xss_filtered_html = Xss::filter($allowed_html, $safe_tags);
if (strcasecmp($allowed_html, $xss_filtered_html)) {
- $this->messenger()->addWarning($this->t('You have insecure HTML tags in your filter format. Please review documentation on <a href="@link">configuring text formats for security</a>.', ['@link' => 'https://www.drupal.org/node/224921']));
+ $this->messenger()->addWarning($this->t('You have insecure HTML tags in your filter format. Review documentation on <a href="@link">configuring text formats for security</a>.', ['@link' => 'https://www.drupal.org/node/224921']));
}
$form_state->setRedirect('filter.admin_overview');
--
GitLab
From 152bf69a534ba1ff0c19431d01a32fed2f159dfb Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:21:32 +0200
Subject: [PATCH 5/8] Lint
---
.../tests/src/Functional/FilterDangerousHTMLWarningTest.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
index 2d089f24fc95..3d51ab941311 100644
--- a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
+++ b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
@@ -19,7 +19,7 @@ class FilterDangerousHTMLWarningTest extends BrowserTestBase {
/**
* {@inheritdoc}
*/
- public static $modules = ['filter', 'filter_test'];
+ protected static $modules = ['filter', 'filter_test'];
/**
* A user with administrative permissions.
@@ -51,7 +51,7 @@ protected function setUp(): void {
/**
* Tests that a warning message appears when dangerous HTML tags are allowed.
*/
- public function testDangerousHTMLWarning() {
+ public function testDangerousHTMLWarning(): void {
$format_id = 'filtered_html';
// Check if no warnings exist when no dangerous tags are present
--
GitLab
From 97b00e6ccc0a0c161ed4a19b8df8dcbd6aed765b Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:29:00 +0200
Subject: [PATCH 6/8] Use list of safe tags from filterAdmin()
---
core/modules/filter/src/FilterFormatFormBase.php | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/core/modules/filter/src/FilterFormatFormBase.php b/core/modules/filter/src/FilterFormatFormBase.php
index 64045aa5b8d2..86819a0549f6 100644
--- a/core/modules/filter/src/FilterFormatFormBase.php
+++ b/core/modules/filter/src/FilterFormatFormBase.php
@@ -240,8 +240,7 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
// Display warning for insecure HTML tags.
$allowed_html = $form_state->getValue('filters')['filter_html']['settings']['allowed_html'];
- $safe_tags = ['a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'strong', 'sub', 'summary', 'sup', 'tbody', 'tfoot', 'th', 'thead', 'time', 'tt', 'u', 'ul', 'var', 'wbr'];
- $xss_filtered_html = Xss::filter($allowed_html, $safe_tags);
+ $xss_filtered_html = Xss::filterAdmin($allowed_html);
if (strcasecmp($allowed_html, $xss_filtered_html)) {
$this->messenger()->addWarning($this->t('You have insecure HTML tags in your filter format. Review documentation on <a href="@link">configuring text formats for security</a>.', ['@link' => 'https://www.drupal.org/node/224921']));
}
--
GitLab
From 74cf66eeea81a218318ee2eedc75bb6342f887d2 Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:33:27 +0200
Subject: [PATCH 7/8] Fix test
---
.../tests/src/Functional/FilterDangerousHTMLWarningTest.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
index 3d51ab941311..7c14376c3d89 100644
--- a/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
+++ b/core/modules/filter/tests/src/Functional/FilterDangerousHTMLWarningTest.php
@@ -57,7 +57,7 @@ public function testDangerousHTMLWarning(): void {
// Check if no warnings exist when no dangerous tags are present
$this->drupalGet('admin/config/content/formats/manage/' . $format_id);
$this->submitForm([], 'Save configuration');
- $this->assertSession()->pageTextContains('Warning message', 'There are no warnings on this page');
+ $this->assertSession()->statusMessageNotExists('warning');
// Check if warning pops up when dangerous tags are present
$edit = [
@@ -65,7 +65,7 @@ public function testDangerousHTMLWarning(): void {
];
$this->drupalGet('admin/config/content/formats/manage/' . $format_id);
$this->submitForm($edit, 'Save configuration');
- $this->assertSession()->responseContains('Warning message', 'There is a warning on this page');
+ $this->assertSession()->statusMessageContains('You have insecure HTML tags in your filter format.', 'warning');
}
}
--
GitLab
From 2e521d3180b051de59dc7113d56a295a9b54c042 Mon Sep 17 00:00:00 2001
From: Pierre Rudloff <contact@rudloff.pro>
Date: Thu, 29 May 2025 23:41:51 +0200
Subject: [PATCH 8/8] Not sure why we add a redirect
It breaks existing tests
---
core/modules/filter/src/FilterFormatFormBase.php | 2 --
1 file changed, 2 deletions(-)
diff --git a/core/modules/filter/src/FilterFormatFormBase.php b/core/modules/filter/src/FilterFormatFormBase.php
index 86819a0549f6..0388e581f428 100644
--- a/core/modules/filter/src/FilterFormatFormBase.php
+++ b/core/modules/filter/src/FilterFormatFormBase.php
@@ -245,8 +245,6 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
$this->messenger()->addWarning($this->t('You have insecure HTML tags in your filter format. Review documentation on <a href="@link">configuring text formats for security</a>.', ['@link' => 'https://www.drupal.org/node/224921']));
}
- $form_state->setRedirect('filter.admin_overview');
-
return $this->entity;
}
--
GitLab