Pierre Rudloff · 74cf66ee · 152bf69a · 5a57c681 · fa95cbea · d4706a27
--- a/core/modules/filter/src/FilterFormatFormBase.php

+ 8

− 0

View file @ e36d10d0

Open in Web IDE
+++ b/core/modules/filter/src/FilterFormatFormBase.php

+ 8

− 0

View file @ e36d10d0

Open in Web IDE
 @@ -8,6 +8,7 @@
 @@ -8,6 +8,7 @@
 use Drupal\filter\Plugin\Filter\FilterNull;
 use Drupal\user\Entity\Role;
 use Drupal\user\RoleInterface;
+use Drupal\Component\Utility\Xss;
 /**
 * Provides a base form for a filter format.
 @@ -237,6 +238,13 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
 @@ -237,6 +238,13 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
      }
    }
+    // Display warning for insecure HTML tags.
+    $allowed_html = $form_state->getValue('filters')['filter_html']['settings']['allowed_html'];
+    $xss_filtered_html = Xss::filterAdmin($allowed_html);
+    if (strcasecmp($allowed_html, $xss_filtered_html)) {
+      $this->messenger()->addWarning($this->t('You have insecure HTML tags in your filter format. Review documentation on <a href="@link">configuring text formats for security</a>.', ['@link' => 'https://www.drupal.org/node/224921']));
+    }
    return $this->entity;
  }