Resolve #3413396 "Xss filter data uri support for images"

6 unresolved threads

Closes #3413396


272 277 $working = 1;
273 278 // Attribute value, a URL after href= for instance.
274 279 if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
280 if ($element === 'img' && preg_match('/^data:image\/(?!svg\+xml;base64,)[^;]+;base64,/', $match[1]) === 1) {
  • Dezső Biczó added 3 commits

    • cb36534c - Removed unnecessary deprecation warning
    • 411e1ea9 - Handle potential uppercase characters in image media type part
    • 908d4fc2 - Added RFC references

  • 195 195 *
    196 196 * @param string $attributes
    197 197 * The html attribute to process.
    198 * @param ?string $element
    199 * The html element.
    198 200 *
    199 201 * @return string
    200 202 * Cleaned up version of the HTML attributes.
    201 203 */
    202 protected static function attributes($attributes) {
    204 protected static function attributes($attributes, ?string $element) {
    205 if ($element === NULL) {
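Review bot: `?string $element` on the new line 204 is nullable but has no default value, so it is a required argument; any existing call or subclass override that still invokes `static::attributes($attributes)` with one argument now fails with an ArgumentCountError, even though the `if ($element === NULL)` branch on line 205 already handles the missing case. Suggest `protected static function attributes($attributes, ?string $element = NULL)` so the NULL path is reachable without touching call sites, and a sentence in the docblock saying what passing NULL means.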
    • As @longwave and @chx highlighted on Drupal Slack, a deprecation warning is not required, which also means that a change record is not required either.

      Protected methods of a class should be assumed @internal and subject to change unless either the class or the method itself is marked with @api.

  • 272 277 $working = 1;
    273 278 // Attribute value, a URL after href= for instance.
    274 279 if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
    275 $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
    280 if ($element === 'img' && preg_match('/^data:image\/(?!svg\+xml;base64,)[^;]+;base64,/', $match[1]) === 1) {
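Review bot: the negative lookahead on the new line 280 is case-sensitive while `[^;]+` accepts any character, so `data:image/SVG+XML;base64,` (or `Svg+xml`, or `svg+xml ;base64,` with a space, which browsers strip when they parse the media type) passes the lookahead, is consumed by `[^;]+`, and is then treated as a non-SVG image; that defeats the SVG exclusion this branch exists for, and, given the removed line 275, apparently lets the value skip `UrlHelper::filterBadProtocol()`. The follow-up commit "Handle potential uppercase characters in image media type part" needs to cover the lookahead as well, not only the `image/` prefix; the simplest fix is to make the whole pattern case-insensitive and restrict the subtype to media-type characters, e.g. `preg_match('/^data:image\/(?!svg\+xml;base64,)[a-z0-9.+-]+;base64,/i', $match[1]) === 1`. Please also confirm that `$element` is already lowercased where it is derived, since `$element === 'img'` is the other half of the gate.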
  • 274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
  • 274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
    278 * The html element.
  • 274 274 *
    275 275 * @param string $attributes
    276 276 * The html attribute to process.
    277 * @param ?string $element
    278 * The html element.
    277 279 *
    278 280 * @return string
    279 281 * Cleaned up version of the HTML attributes.
    280 282 */
    281 protected static function attributes($attributes) {
    283 protected static function attributes($attributes, ?string $element) {
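Review bot: the new @param on lines 277-278 is under-documented: "The html element." does not say that this is the name of the element whose attributes are being cleaned, nor what NULL signifies, and Drupal's API documentation standard spells a nullable type as `string|null` in @param lines rather than `?string` (and writes "HTML", as line 281 already does). Suggested wording: `@param string|null $element` followed by `The name of the HTML element the attributes belong to, or NULL if not known.`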