Verified Commit 02c6babe authored by Dave Long

Issue #2800691 by bharath-kondeti, djsagar, ravi.shankar, Rishabh Vishwakarma, shashikant_chauhan, quietone, smustgrave, FeyP, joachim, Amber Himes Matz: Improve docs for the Xss::filter() $html_tags parameter

(cherry picked from commit 8624038a)
parent 1e888db0
......@@ -45,8 +45,8 @@ class Xss {
* @param string $string
* The string with raw HTML in it. It will be stripped of everything that
* can cause an XSS attack.
* @param string[] $html_tags
* An array of HTML tags.
* @param string[]|null $allowed_html_tags
* An array of allowed HTML tags.
*
* @return string
* An XSS safe version of $string, or an empty string if $string is not
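Review bot: the new docblock for `$allowed_html_tags` still does not document the NULL case, even though the parameter type is now `string[]|null` and the method body (second hunk) falls back to `static::$htmlTags` when NULL is passed; since the issue is specifically about improving this parameter's docs, say so explicitly, e.g. `An array of allowed HTML tags, or NULL to use the default list in static::$htmlTags.` It would also help callers to state the expected form of each entry (the bare tag name, as the later `array_flip()` and `split()` lookups key on it, not `<a>` or `a href`).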
......@@ -56,9 +56,9 @@ class Xss {
*
* @ingroup sanitization
*/
public static function filter($string, array $html_tags = NULL) {
if (is_null($html_tags)) {
$html_tags = static::$htmlTags;
public static function filter($string, array $allowed_html_tags = NULL) {
if (is_null($allowed_html_tags)) {
$allowed_html_tags = static::$htmlTags;
}
// Only operate on valid UTF-8 strings. This is necessary to prevent cross
// site scripting issues on Internet Explorer 6.
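Review bot: renaming a public API parameter from `$html_tags` to `$allowed_html_tags` is not purely a documentation change, because any caller using PHP named arguments (`Xss::filter($string, html_tags: [...])`) breaks once this lands; either keep the old name and improve only the description, or add a change record noting the rename. While touching the signature, `array $allowed_html_tags = NULL` relies on an implicitly nullable type, which PHP 8.4 deprecates; `?array $allowed_html_tags = NULL` matches the `string[]|null` in the docblock. The context comment "on Internet Explorer 6" is also stale and could be reworded to the general point that the filter only operates on valid UTF-8.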
......@@ -79,11 +79,11 @@ public static function filter($string, array $html_tags = NULL) {
$string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
// Named entities.
$string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
$html_tags = array_flip($html_tags);
$allowed_html_tags = array_flip($allowed_html_tags);
// Late static binding does not work inside anonymous functions.
$class = static::class;
$splitter = function ($matches) use ($html_tags, $class) {
return $class::split($matches[1], $html_tags, $class);
$splitter = function ($matches) use ($allowed_html_tags, $class) {
return $class::split($matches[1], $allowed_html_tags, $class);
};
// Strip any tags that are not in the list of allowed html tags.
return preg_replace_callback('%
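Review bot: the renamed variable is passed through to `$class::split($matches[1], $allowed_html_tags, $class)`, but `split()` itself is outside this diff; check that its parameter name and docblock were updated to match (and that it documents receiving the flipped array, keyed by tag name), otherwise the docs end up inconsistent between the two methods, which is the very thing this issue is meant to fix.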
......