Resolve #3413396 "Xss filter data uri support for images"

6 unresolved threads

Closes #3413396

  • Dezső Biczó added 3 commits
    • cb36534c - Removed unnecessary deprecation warning
    • 411e1ea9 - Handle potential uppercase characters in image media type part
    • 908d4fc2 - Added RFC references

  • 195 195 *
    196 196 * @param string $attributes
    197 197 * The html attribute to process.
    198 * @param ?string $element
    199 * The html element.
    198 200 *
    199 201 * @return string
    200 202 * Cleaned up version of the HTML attributes.
    201 203 */
    202 protected static function attributes($attributes) {
    204 protected static function attributes($attributes, ?string $element) {
    205 if ($element === NULL) {
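Review bot: the docblock for the new `$element` parameter ("The html element.") does not say what NULL means, yet the body immediately branches on `if ($element === NULL)`; document it, e.g. "The HTML element the attributes belong to, or NULL when it is not known." Note also that `?string $element` carries no default value, so every existing call to `attributes()` inside the class must now pass the second argument explicitly; as the thread below points out, that is acceptable for a protected method, but it should be verified that no one-argument call remains.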
    • As @longwave and @chx highlighted on Drupal Slack, a deprecation warning is not required, which also means that a change record is not required either.

      Protected methods of a class should be assumed @internal and subject to change unless either the class or method itself are marked with @api.

  • 272 277 $working = 1;
    273 278 // Attribute value, a URL after href= for instance.
    274 279 if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
    275 $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
    280 if ($element === 'img' && preg_match('/^data:image\/(?!svg\+xml;base64,)[^;]+;base64,/', $match[1]) === 1) {
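Review bot: the media-type check on new line 280 is case-sensitive: the pattern has no `i` modifier, so the `(?!svg\+xml;base64,)` exclusion rejects only the lowercase spelling while `[^;]+` still accepts any other casing of the same subtype, and browsers compare media types case-insensitively. Add the `i` modifier (or lower-case `$match[1]` before matching) and cover mixed-case `svg+xml` in the tests; the commit "Handle potential uppercase characters in image media type part" suggests this was addressed in a later revision, so the final form of this line should be confirmed. The removed line 275 also ran `UrlHelper::filterBadProtocol()` on the value; the new branch should be checked to still apply that filtering to every value that is not an accepted image data URI.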
  • 274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
    278 * The html element.
    277 279 *
    278 280 * @return string
    279 281 * Cleaned up version of the HTML attributes.
    280 282 */
    281 protected static function attributes($attributes) {
    283 protected static function attributes($attributes, ?string $element) {
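Review bot: the docblock line `@param ?string $element` uses the PHP nullable shorthand, whereas Drupal core docblocks write nullable parameters as `string|null`; consider `@param string|null $element` so the documentation matches the convention used elsewhere in the class, and expand "The html element." to say which element is meant (the element whose attributes are being processed) and when NULL is passed.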