Skip to content
Snippets Groups Projects

Resolve #3413396 "Xss fiter data uri support for images"

Open Resolve #3413396 "Xss fiter data uri support for images"
issue/drupal-3413396:3413396-xss-fiter-data-uri-support-for-images into 11.x
6 unresolved threads
Open Dezső Biczó requested to merge issue/drupal-3413396:3413396-xss-fiter-data-uri-support-for-images into 11.x
6 unresolved threads

Closes #3413396

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
core/lib/Drupal/Component/Utility/Xss.php
272 277 $working = 1;
273 278 // Attribute value, a URL after href= for instance.
274 279 if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
280 if ($element === 'img' && preg_match('/^data:image\/(?!svg\+xml;base64,)[^;]+;base64,/', $match[1]) === 1) {
  • Dezső Biczó added 3 commits

    added 3 commits

    • cb36534c - Removed unnecessary deprecation warning
    • 411e1ea9 - Handle potential uppercase characters in image media type part
    • 908d4fc2 - Added RFC references

    Compare with previous version

  • Dezső Biczó
    Dezső Biczó @mxr576 started a thread on an old version of the diff
    • core/lib/Drupal/Component/Utility/Xss.php
    195 195 *
    196 196 * @param string $attributes
    197 197 * The html attribute to process.
    198 * @param ?string $element
    199 * The html element.
    198 200 *
    199 201 * @return string
    200 202 * Cleaned up version of the HTML attributes.
    201 203 */
    202 protected static function attributes($attributes) {
    204 protected static function attributes($attributes, ?string $element) {
    205 if ($element === NULL) {
    • Dezső Biczó
      Dezső Biczó @mxr576 ·
      Author

      As @longwave and @chx highlighted on Drupal Slack, a deprecation warning is not required, which also means that a change record is not required either.

      Protected methods of a class should be assumed @internal and subject to change unless either the class or method itself are marked with @api.

    • Please register or sign in to reply
  • Dezső Biczó
    Dezső Biczó @mxr576 started a thread on an old version of the diff
    • core/lib/Drupal/Component/Utility/Xss.php
    272 277 $working = 1;
    273 278 // Attribute value, a URL after href= for instance.
    274 279 if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
    275 $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
    280 if ($element === 'img' && preg_match('/^data:image\/(?!svg\+xml;base64,)[^;]+;base64,/', $match[1]) === 1) {
  • Stephen Mustgrave
    Stephen Mustgrave @smustgrave started a thread on the diff
    • core/lib/Drupal/Component/Utility/Xss.php
    274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
  • Stephen Mustgrave
    Stephen Mustgrave @smustgrave started a thread on the diff
    • core/lib/Drupal/Component/Utility/Xss.php
    274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
    278 * The html element.
  • Stephen Mustgrave
    Stephen Mustgrave @smustgrave started a thread on the diff
    • core/lib/Drupal/Component/Utility/Xss.php
    274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
    278 * The html element.
    277 279 *
    278 280 * @return string
    279 281 * Cleaned up version of the HTML attributes.
    280 282 */
    281 protected static function attributes($attributes) {
    283 protected static function attributes($attributes, ?string $element) {
    Please register or sign in to reply