Verified Commit 46aadfc7 authored by Alex Pott's avatar Alex Pott

Issue #3284254 by Wim Leers, smustgrave, nod_: HTMLRestrictions should not...

Issue #3284254 by Wim Leers, smustgrave, nod_: HTMLRestrictions should not allow <tag attr="*"> because that is equivalent to <tag attr>

(cherry picked from commit 846cce70)
parent f4f57257
+3 −0
@@ -235,6 +235,9 @@ private static function validateAllowedRestrictionsPhase4(array $elements): void
        if ($html_tag_attribute_restrictions === []) {
          throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" which is set to the empty array. This is not permitted, specify either TRUE to allow all attribute values, or list the attribute value restrictions.', $html_tag_name, $html_tag_attribute_name));
        }
        if (array_key_exists('*', $html_tag_attribute_restrictions)) {
          throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has an attribute restriction "%s" with a "*" allowed attribute value. This implies all attributes values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.', $html_tag_name, $html_tag_attribute_name));
        }
        // @codingStandardsIgnoreLine
        if (!Inspector::assertAll(function ($v) { return $v === TRUE; }, $html_tag_attribute_restrictions)) {
          throw new \InvalidArgumentException(sprintf('The "%s" HTML tag has attribute restriction "%s", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.', $html_tag_name, $html_tag_attribute_name));
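Review bot: The new guard in the middle of this hunk matches only the exact key `'*'`, so it relies on no other spelling being treated as match-all later; whether a key made up solely of wildcard characters can reach the value matcher is not visible here, and if it can, the check should cover it too. A short comment above the branch would record why the value is rejected, for example `// A bare "*" is a second spelling of allow-all (TRUE); reject it so every allow-all grant has one auditable form.` The message also reads "all attributes values" where "all attribute values" is meant, and the test data provider asserts the same string, so both would need to change together. The body of validateAllowedRestrictionsPhase4 starts and ends outside the hunk, so the earlier type checks that `array_key_exists()` depends on for `$html_tag_attribute_restrictions` cannot be confirmed from here.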
+8 −0
@@ -91,6 +91,10 @@ public function providerConstruct(): \Generator {
      ['foo' => ['baz' => TRUE], 'bar' => ['qux' => ['a', 'b']]],
      'The "bar" HTML tag has attribute restriction "qux", but it is not an array of key-value pairs, with HTML tag attribute values as keys and TRUE as values.',
    ];
    yield 'INVALID: keys valid, values invalid attribute restrictions due to broad wildcard instead of prefix/infix/suffix wildcard allowed attribute value' => [
      ['foo' => ['bar' => ['*' => TRUE]]],
      'The "foo" HTML tag has an attribute restriction "bar" with a "*" allowed attribute value. This implies all attributes values are allowed. Remove the attribute value restriction instead, or use a prefix (`*-foo`), infix (`*-foo-*`) or suffix (`foo-*`) wildcard restriction instead.',
    ];

    // Valid values.
    yield 'VALID: keys valid, boolean attribute restriction values: also valid' => [
@@ -276,6 +280,10 @@ public function providerConvenienceConstructors(): \Generator {
      '<a target>',
      ['a' => ['target' => TRUE]],
    ];
    yield 'tag with single attribute allowing any value unnecessarily explicitly' => [
      '<a target="*">',
      ['a' => ['target' => TRUE]],
    ];
    yield 'tag with single attribute allowing single specific value' => [
      '<a target="_blank">',
      ['a' => ['target' => ['_blank' => TRUE]]],
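Review bot: The added INVALID case in providerConstruct covers `'*'` only as the sole allowed value; a case where it sits beside a concrete value, such as the constructed sample `['foo' => ['bar' => ['*' => TRUE, 'baz' => TRUE]]]`, would pin that the guard fires on key presence and not only on a single-element array. The case added to providerConvenienceConstructors shows the string form `<a target="*">` being accepted and widened to `TRUE`, while the equivalent array form is rejected with an exception. A one-line comment on that yield saying the asymmetry is intentional would help anyone auditing allowed-HTML settings. Both provider methods start and end outside their hunks.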