Commit 86ae96e4 authored by webchick's avatar webchick

Issue #2089433 by ianthomas_uk, grom358, herom, thedavidmeister, visabhishek,...

Issue #2089433 by ianthomas_uk, grom358, herom, thedavidmeister, visabhishek, longwave, Sweetchuck: Remove uses of deprecated XSS filter functions.
parent 5c1869b6
......@@ -2934,9 +2934,10 @@ function _drupal_bootstrap_code() {
// Set the allowed protocols once we have the config available.
$allowed_protocols = \Drupal::config('system.filter')->get('protocols');
if (!isset($allowed_protocols)) {
// filter_xss_admin() is called by the installer and update.php, in which
// case the configuration may not exist (yet). Provide a minimal default set
// of allowed protocols for these cases.
// \Drupal\Component\Utility\UrlHelper::filterBadProtocol() is called by the
// installer and update.php, in which case the configuration may not exist
// (yet). Provide a minimal default set of allowed protocols for these
// cases.
$allowed_protocols = array('http', 'https');
}
UrlHelper::setAllowedProtocols($allowed_protocols);
......@@ -5,6 +5,7 @@
* Functions for error handling.
*/
use Drupal\Component\Utility\Xss;
use Drupal\Core\Utility\Error;
use Drupal\Component\Utility\String;
use Symfony\Component\HttpFoundation\Response;
......@@ -70,7 +71,7 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line, $c
'%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error',
// The standard PHP error handler considers that the error messages
// are HTML. We mimick this behavior here.
'!message' => filter_xss_admin($message),
'!message' => Xss::filterAdmin($message),
'%function' => $caller['function'],
'%file' => $caller['file'],
'%line' => $caller['line'],
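Review bot: The `!message` placeholder on the new line inserts the value without the escaping applied to `@`/`%` placeholders, so `Xss::filterAdmin()` is the only sanitization the error text receives, and filterAdmin keeps a broad, administrator-oriented tag allow-list. Error messages can embed fragments of request data (an exception quoting the input that triggered it, for instance), which makes this weaker than the escaped placeholders used for the other fields. The commit only swaps the function name, so this is pre-existing, but the comment above should state the reliance explicitly, e.g. `// The '!' placeholder is not escaped; Xss::filterAdmin() is the only sanitization.` The enclosing _drupal_error_handler_real() starts before this hunk.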
......@@ -2964,7 +2964,7 @@ function theme_form_element_label($variables) {
$required = drupal_render($marker);
}
$title = filter_xss_admin($element['#title']);
$title = Xss::filterAdmin($element['#title']);
$attributes = array();
// Style the label as class option to display inline with the element.
......@@ -3062,9 +3062,10 @@ function _form_set_attributes(&$element, $class = array()) {
* Note: if the batch 'title', 'init_message', 'progress_message', or
* 'error_message' could contain any user input, it is the responsibility of
* the code calling batch_set() to sanitize them first with a function like
* \Drupal\Component\Utility\String::checkPlain() or filter_xss(). Furthermore,
* if the batch operation returns any user input in the 'results' or 'message'
* keys of $context, it must also sanitize them first.
* \Drupal\Component\Utility\String::checkPlain() or
* \Drupal\Component\Utility\Xss::filter(). Furthermore, if the batch operation
* returns any user input in the 'results' or 'message' keys of $context, it
* must also sanitize them first.
*
* Sample callback_batch_operation():
* @code
......@@ -10,6 +10,7 @@
use Drupal\Component\Utility\String;
use Drupal\Component\Utility\UrlHelper;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Config\Config;
use Drupal\Core\Language\Language;
use Drupal\Core\Extension\Extension;
......@@ -2001,7 +2002,7 @@ function template_preprocess_html(&$variables) {
else {
$head_title = array('name' => String::checkPlain($site_config->get('name')));
if ($site_config->get('slogan')) {
$head_title['slogan'] = strip_tags(filter_xss_admin($site_config->get('slogan')));
$head_title['slogan'] = strip_tags(Xss::filterAdmin($site_config->get('slogan')));
}
}
......@@ -2097,7 +2098,7 @@ function template_preprocess_page(&$variables) {
$variables['secondary_menu'] = theme_get_setting('features.secondary_menu') ? menu_secondary_menu() : array();
$variables['action_links'] = menu_get_local_actions();
$variables['site_name'] = (theme_get_setting('features.name') ? String::checkPlain($site_config->get('name')) : '');
$variables['site_slogan'] = (theme_get_setting('features.slogan') ? filter_xss_admin($site_config->get('slogan')) : '');
$variables['site_slogan'] = (theme_get_setting('features.slogan') ? Xss::filterAdmin($site_config->get('slogan')) : '');
$variables['tabs'] = menu_local_tabs();
// Pass the main menu and secondary menu to the template as render arrays.
......@@ -2287,7 +2288,7 @@ function template_preprocess_maintenance_page(&$variables) {
else {
$head_title = array('name' => String::checkPlain($site_name));
if ($site_slogan) {
$head_title['slogan'] = strip_tags(filter_xss_admin($site_slogan));
$head_title['slogan'] = strip_tags(Xss::filterAdmin($site_slogan));
}
}
......@@ -2309,7 +2310,7 @@ function template_preprocess_maintenance_page(&$variables) {
$variables['language'] = $language_interface;
$variables['logo'] = theme_get_setting('logo.url');
$variables['site_name'] = (theme_get_setting('features.name') ? String::checkPlain($site_name) : '');
$variables['site_slogan'] = (theme_get_setting('features.slogan') ? filter_xss_admin($site_slogan) : '');
$variables['site_slogan'] = (theme_get_setting('features.slogan') ? Xss::filterAdmin($site_slogan) : '');
// Compile a list of classes that are going to be applied to the body element.
$variables['attributes']['class'][] = 'maintenance-page';
......@@ -79,7 +79,8 @@ public static function decodeEntities($text) {
* this for text that has already been prepared for HTML display (for
* example, user-supplied text that has already been run through
* String::checkPlain() previously, or is expected to contain some limited
* HTML tags and has already been run through filter_xss() previously).
* HTML tags and has already been run through
* \Drupal\Component\Utility\Xss::filter() previously).
*
* @return mixed
* The formatted string, or FALSE if no args specified.
......@@ -7,6 +7,7 @@
namespace Drupal\Core\EventSubscriber;
use Drupal\Component\Utility\Xss;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\KernelEvents;
......@@ -47,7 +48,7 @@ public function onKernelRequestMaintenance(GetResponseEvent $event) {
$maintenance_page = array(
'#theme' => 'maintenance_page',
'#title' => t('Site under maintenance'),
'#content' => filter_xss_admin(
'#content' => Xss::filterAdmin(
t(\Drupal::config('system.maintenance')->get('message'), array('@site' => \Drupal::config('system.site')->get('name')))
),
);
......@@ -107,9 +107,10 @@ public function __construct(ModuleHandlerInterface $module_handler) {
* final text if no replacement value can be generated.
* - sanitize: A boolean flag indicating that tokens should be sanitized for
* display to a web browser. Defaults to TRUE. Developers who set this
* option to FALSE assume responsibility for running filter_xss(),
* String::checkPlain() or other appropriate scrubbing functions before
* displaying data to users.
* option to FALSE assume responsibility for running
* \Drupal\Component\Utility\Xss::filter(),
* \Drupal\Component\Utility\String::checkPlain() or other appropriate
* scrubbing functions before displaying data to users.
*
* @return string
* Text with tokens replaced.
......@@ -200,8 +201,9 @@ public function scan($text) {
* encoding or truncation to a specific length.
* - sanitize: A boolean flag indicating that tokens should be sanitized for
* display to a web browser. Developers who set this option to FALSE assume
* responsibility for running filter_xss(), String::checkPlain() or other
* appropriate scrubbing functions before displaying data to users.
* responsibility for running \Drupal\Component\Utility\Xss::filter(),
* \Drupal\Component\Utility\String::checkPlain() or other appropriate
* scrubbing functions before displaying data to users.
*
* @return array
* An associative array of replacement values, keyed by the original 'raw'
......@@ -6,6 +6,7 @@
*/
use Drupal\aggregator\FeedInterface;
use Drupal\Component\Utility\Xss;
/**
* Denotes that a feed's items should never expire.
......@@ -171,7 +172,7 @@ function aggregator_feed_load($fid) {
* The filtered content.
*/
function aggregator_filter_xss($value) {
return filter_xss($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY));
return Xss::filter($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY));
}
/**
......@@ -5,6 +5,7 @@
* Provides page callbacks for custom blocks.
*/
use Drupal\Component\Utility\Xss;
use Drupal\custom_block\Entity\CustomBlockType;
use Drupal\custom_block\Entity\CustomBlock;
use Symfony\Component\HttpFoundation\RedirectResponse;
......@@ -26,7 +27,7 @@ function template_preprocess_custom_block_add_list(&$variables) {
foreach ($variables['content'] as $type) {
$variables['types'][$type->id()] = array(
'link' => \Drupal::l($type->label(), 'custom_block.add_form', array('custom_block_type' => $type->id()), array('query' => $query)),
'description' => filter_xss_admin($type->description),
'description' => Xss::filterAdmin($type->description),
'title' => $type->label(),
'localized_options' => array(
'query' => $query,
......@@ -7,6 +7,7 @@
namespace Drupal\custom_block;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
use Drupal\Core\Entity\EntityInterface;
......@@ -44,7 +45,7 @@ public function buildHeader() {
*/
public function buildRow(EntityInterface $entity) {
$row['type'] = \Drupal::linkGenerator()->generateFromUrl($entity->label(), $entity->urlInfo());
$row['description'] = filter_xss_admin($entity->description);
$row['description'] = Xss::filterAdmin($entity->description);
return $row + parent::buildRow($entity);
}
......@@ -5,6 +5,8 @@
* Builds placeholder replacement tokens for comment-related data.
*/
use Drupal\Component\Utility\Xss;
/**
* Implements hook_token_info().
*/
......@@ -152,7 +154,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
break;
case 'title':
$replacements[$original] = $sanitize ? filter_xss($comment->getSubject()) : $comment->getSubject();
$replacements[$original] = $sanitize ? Xss::filter($comment->getSubject()) : $comment->getSubject();
break;
case 'body':
......@@ -175,13 +177,13 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
case 'name':
case 'author':
$name = $comment->getAuthorName();
$replacements[$original] = $sanitize ? filter_xss($name) : $name;
$replacements[$original] = $sanitize ? Xss::filter($name) : $name;
break;
case 'parent':
if ($comment->hasParentComment()) {
$parent = $comment->getParentComment();
$replacements[$original] = $sanitize ? filter_xss($parent->getSubject()) : $parent->getSubject();
$replacements[$original] = $sanitize ? Xss::filter($parent->getSubject()) : $parent->getSubject();
}
break;
......@@ -196,7 +198,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
case 'entity':
$entity = $comment->getCommentedEntity();
$title = $entity->label();
$replacements[$original] = $sanitize ? filter_xss($title) : $title;
$replacements[$original] = $sanitize ? Xss::filter($title) : $title;
break;
case 'node':
......@@ -206,7 +208,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
if ($comment->getCommentedEntityTypeId() == 'node') {
$entity = $comment->getCommentedEntity();
$title = $entity->label();
$replacements[$original] = $sanitize ? filter_xss($title) : $title;
$replacements[$original] = $sanitize ? Xss::filter($title) : $title;
}
else {
$replacements[$original] = NULL;
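Review bot: In the `name`/`author` case, `Xss::filter()` keeps its default tag allow-list, so an author name containing permitted markup such as `<a href="...">` survives into the token as live HTML, while the neighbouring `[comment:hostname]` and `[comment:mail]` tokens are escaped with check_plain in the accompanying test. An author name and a subject are plain-text values, so the tighter choice would be `$replacements[$original] = $sanitize ? String::checkPlain($name) : $name;` (with a matching `use Drupal\Component\Utility\String;` and the same change for the `title`/`parent` subject cases). This behaviour predates the commit, which only renames the call, and CommentTokenReplaceTest would need the corresponding update; I have not checked for callers that depend on markup surviving in these tokens.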
......@@ -7,6 +7,7 @@
namespace Drupal\comment\Tests;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Language\Language;
/**
......@@ -54,11 +55,11 @@ function testCommentTokenReplacement() {
$tests = array();
$tests['[comment:cid]'] = $comment->id();
$tests['[comment:hostname]'] = check_plain($comment->getHostname());
$tests['[comment:name]'] = filter_xss($comment->getAuthorName());
$tests['[comment:author]'] = filter_xss($comment->getAuthorName());
$tests['[comment:name]'] = Xss::filter($comment->getAuthorName());
$tests['[comment:author]'] = Xss::filter($comment->getAuthorName());
$tests['[comment:mail]'] = check_plain($this->admin_user->getEmail());
$tests['[comment:homepage]'] = check_url($comment->getHomepage());
$tests['[comment:title]'] = filter_xss($comment->getSubject());
$tests['[comment:title]'] = Xss::filter($comment->getSubject());
$tests['[comment:body]'] = $comment->comment_body->processed;
$tests['[comment:url]'] = url('comment/' . $comment->id(), $url_options + array('fragment' => 'comment-' . $comment->id()));
$tests['[comment:edit-url]'] = url('comment/' . $comment->id() . '/edit', $url_options);
......@@ -181,7 +181,7 @@ public function overview() {
}
if (isset($dblog->wid)) {
// Truncate link_text to 56 chars of message.
$log_text = Unicode::truncate(filter_xss($message, array()), 56, TRUE, TRUE);
$log_text = Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE);
$message = $this->l($log_text, 'dblog.event', array('event_id' => $dblog->wid), array('html' => TRUE));
}
}
......@@ -7,6 +7,7 @@
namespace Drupal\dblog\Tests;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Language\Language;
use Drupal\dblog\Controller\DbLogController;
use Drupal\simpletest\WebTestBase;
......@@ -264,7 +265,7 @@ private function doUser() {
$this->assertLogMessage(t('Session closed for %name.', array('%name' => $name)), 'DBLog event was recorded: [logout user]');
// Delete user.
$message = t('Deleted user: %name %email.', array('%name' => $name, '%email' => '<' . $user->getEmail() . '>'));
$message_text = truncate_utf8(filter_xss($message, array()), 56, TRUE, TRUE);
$message_text = truncate_utf8(Xss::filter($message, array()), 56, TRUE, TRUE);
// Verify that the full message displays on the details page.
$link = FALSE;
if ($links = $this->xpath('//a[text()="' . html_entity_decode($message_text) . '"]')) {
......@@ -613,10 +614,10 @@ protected function asText(\SimpleXMLElement $element) {
* The message to pass to simpletest.
*/
protected function assertLogMessage($log_message, $message) {
$message_text = truncate_utf8(filter_xss($log_message, array()), 56, TRUE, TRUE);
// After filter_xss(), HTML entities should be converted to their character
// equivalents because assertLink() uses this string in xpath() to query the
// Document Object Model (DOM).
$message_text = truncate_utf8(Xss::filter($log_message, array()), 56, TRUE, TRUE);
// After \Drupal\Component\Utility\Xss::filter(), HTML entities should be
// converted to their character equivalents because assertLink() uses this
// string in xpath() to query the Document Object Model (DOM).
$this->assertLink(html_entity_decode($message_text), 0, $message);
}
}
......@@ -77,7 +77,8 @@ public function testIntegration() {
$entries[] = array(
'message' => '@token1 !token2',
'variables' => array('@token1' => $this->randomName(), '!token2' => $this->randomName()),
// Setup a link with a tag which is filtered by filter_xss_admin.
// Setup a link with a tag which is filtered by
// \Drupal\Component\Utility\Xss::filterAdmin().
'link' => l('<object>Link</object>', 'node/2', array('html' => TRUE)),
);
foreach ($entries as $entry) {
......@@ -25,8 +25,8 @@ public static function filterXss($html, FilterFormatInterface $format, FilterFor
// The <script> and <style> tags are blacklisted because their contents
// can be malicious (and therefor they are inherently unsafe), whereas for
// all other tags, only their attributes can make them malicious. Since
// Xss::filter() protects against malicious attributes, we take no
// blacklisting action.
// \Drupal\Component\Utility\Xss::filter() protects against malicious
// attributes, we take no blacklisting action.
// The exceptions to the above rule are <link>, <embed> and <object>:
// - <link> because the href attribute allows the attacker to import CSS
// using the HTTP(S) protocols which Xss::filter() considers safe by
......@@ -7,6 +7,7 @@
namespace Drupal\entity_reference\Plugin\views\style;
use Drupal\Component\Utility\Xss;
use Drupal\views\Plugin\views\style\StylePluginBase;
/**
......@@ -92,7 +93,7 @@ public function render() {
// Sanitize HTML, remove line breaks and extra whitespace.
$output = $this->view->rowPlugin->render($values);
$output = drupal_render($output);
$results[$values->{$id_field_alias}] = filter_xss_admin(preg_replace('/\s\s+/', ' ', str_replace("\n", '', $output)));
$results[$values->{$id_field_alias}] = Xss::filterAdmin(preg_replace('/\s\s+/', ' ', str_replace("\n", '', $output)));
$this->view->row_index++;
}
}
......@@ -266,7 +266,8 @@ function field_cache_clear() {
/**
* Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
*
* Like filter_xss_admin(), but with a shorter list of allowed tags.
* Like \Drupal\Component\Utility\Xss::filterAdmin(), but with a shorter list
* of allowed tags.
*
* Used for items entered by administrators, like field descriptions, allowed
* values, where some (mainly inline) mark-up may be desired (so
......@@ -7,6 +7,7 @@
namespace Drupal\field\Plugin\views\field;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\Entity\EntityStorageInterface;
......@@ -650,7 +651,7 @@ protected function renderItems($items) {
}
if ($this->options['multi_type'] == 'separator') {
return implode(filter_xss_admin($this->options['separator']), $items);
return implode(Xss::filterAdmin($this->options['separator']), $items);
}
else {
$item_list = array(
......@@ -834,8 +835,9 @@ protected function documentSelfTokens(&$tokens) {
protected function addSelfTokens(&$tokens, $item) {
$field = $this->field_info;
foreach ($field->getColumns() as $id => $column) {
// Use filter_xss_admin because it's user data and we can't be sure it is safe.
// We know nothing about the data, though, so we can't really do much else.
// Use \Drupal\Component\Utility\Xss::filterAdmin() because it's user data
// and we can't be sure it is safe. We know nothing about the data,
// though, so we can't really do much else.
if (isset($item['raw'])) {
// If $item['raw'] is an array then we can use as is, if it's an object
......@@ -844,7 +846,7 @@ protected function addSelfTokens(&$tokens, $item) {
(is_object($item['raw']) ? (array)$item['raw'] : NULL);
}
if (isset($raw) && isset($raw[$id]) && is_scalar($raw[$id])) {
$tokens['[' . $this->options['id'] . '-' . $id . ']'] = filter_xss_admin($raw[$id]);
$tokens['[' . $this->options['id'] . '-' . $id . ']'] = Xss::filterAdmin($raw[$id]);
}
else {
// Make sure that empty values are replaced as well.
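Review bot: In addSelfTokens() the rewritten comment says the raw column value is user data that cannot be assumed safe, yet the value is passed through `Xss::filterAdmin()`, whose allow-list is meant for administrator-entered markup and is considerably more permissive than `Xss::filter()`. If the raw value is genuinely end-user content, as the comment states, the stricter `Xss::filter($raw[$id])` matches that threat model better, or `String::checkPlain()` if these tokens are only ever meant to carry text. The commit only renames the call, so this is pre-existing, and I have not verified which field columns actually reach this path.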
......@@ -7,6 +7,7 @@
namespace Drupal\field\Tests;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Language\Language;
use Drupal\simpletest\DrupalUnitTestBase;
......@@ -235,7 +236,7 @@ protected function assertText($text, $message = '', $group = 'Other') {
if (!$message) {
$message = t('Raw "@raw" found', array('@raw' => $text));
}
return $this->assert(strpos(filter_xss($this->content, array()), $text) !== FALSE, $message, $group);
return $this->assert(strpos(Xss::filter($this->content, array()), $text) !== FALSE, $message, $group);
}
/**
......@@ -260,6 +261,6 @@ protected function assertNoText($text, $message = '', $group = 'Other') {
if (!$message) {
$message = t('Raw "@raw" not found', array('@raw' => $text));
}
return $this->assert(strpos(filter_xss($this->content, array()), $text) === FALSE, $message, $group);
return $this->assert(strpos(Xss::filter($this->content, array()), $text) === FALSE, $message, $group);
}
}
......@@ -7,6 +7,7 @@
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\String;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Language\Language;
use Drupal\Core\Render\Element;
......@@ -728,7 +729,7 @@ function template_preprocess_filter_tips(&$variables) {
*/
function _filter_html($text, $filter) {
$allowed_tags = preg_split('/\s+|<|>/', $filter->settings['allowed_html'], -1, PREG_SPLIT_NO_EMPTY);
$text = filter_xss($text, $allowed_tags);
$text = Xss::filter($text, $allowed_tags);
if ($filter->settings['filter_html_nofollow']) {
$html_dom = Html::load($text);
......@@ -772,7 +773,7 @@ function _filter_url($text, $filter) {
// the identical list. While '//' is technically optional for MAILTO only,
// we cannot cleanly differ between protocols here without hard-coding MAILTO,
// so '//' is optional for all protocols.
// @see filter_xss_bad_protocol()
// @see \Drupal\Component\Utility\UrlHelper::filterBadProtocol()
$protocols = \Drupal::config('system.filter')->get('protocols');
$protocols = implode(':(?://)?|', $protocols) . ':(?://)?';
......@@ -6,6 +6,7 @@
*/
use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Component\Utility\String;
use Drupal\field\Field;
......@@ -709,7 +710,7 @@ function template_preprocess_forum_list(&$variables) {
$row = 0;
// Sanitize each forum so that the template can safely print the data.
foreach ($variables['forums'] as $id => $forum) {
$variables['forums'][$id]->description = filter_xss_admin($forum->description->value);
$variables['forums'][$id]->description = Xss::filterAdmin($forum->description->value);
$variables['forums'][$id]->link = url("forum/" . $forum->id());
$variables['forums'][$id]->name = String::checkPlain($forum->label());
$variables['forums'][$id]->is_container = !empty($forum->forum_container->value);
......@@ -11,6 +11,7 @@
*/
use Drupal\Component\Utility\Json;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Language\Language;
use Drupal\language\Entity\Language as LanguageEntity;
......@@ -1035,15 +1036,16 @@ function locale_translation_use_remote_source() {
* not have any false positives. But it is only a test, not a transformation,
* as it destroys valid HTML. We cannot reliably filter translation strings
* on import because some strings are irreversibly corrupted. For example,
* a &amp; in the translation would get encoded to &amp;amp; by filter_xss()
* before being put in the database, and thus would be displayed incorrectly.
* a &amp; in the translation would get encoded to &amp;amp; by
* \Drupal\Component\Utility\Xss::filter() before being put in the database,
* and thus would be displayed incorrectly.
*
* The allowed tag list is like filter_xss_admin(), but omitting div and img as
* not needed for translation and likely to cause layout issues (div) or a
* possible attack vector (img).
* The allowed tag list is like \Drupal\Component\Utility\Xss::filterAdmin(),
* but omitting div and img as not needed for translation and likely to cause
* layout issues (div) or a possible attack vector (img).
*/
function locale_string_is_safe($string) {
return decode_entities($string) == decode_entities(filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
return decode_entities($string) == decode_entities(Xss::filter($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
}
/**
......@@ -7,6 +7,7 @@
namespace Drupal\menu;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
use Drupal\Core\Entity\EntityInterface;
......@@ -38,7 +39,7 @@ public function buildRow(EntityInterface $entity) {
'data' => $this->getLabel($entity),
'class' => array('menu-label'),
);
$row['description'] = filter_xss_admin($entity->description);
$row['description'] = Xss::filterAdmin($entity->description);
return $row + parent::buildRow($entity);
}
......@@ -8,6 +8,7 @@
* API pattern.
*/
use Drupal\Component\Utility\Xss;
use Drupal\Core\Language\Language;
use Drupal\Core\Render\Element;
use Drupal\Core\Url;
......@@ -137,12 +138,12 @@ function node_help($path, $arg) {
case 'node/%/edit':
$node = node_load($arg[1]);
$type = node_type_load($node->bundle());
return (!empty($type->help) ? filter_xss_admin($type->help) : '');
return (!empty($type->help) ? Xss::filterAdmin($type->help) : '');
}
if ($arg[0] == 'node' && $arg[1] == 'add' && $arg[2]) {
$type = node_type_load($arg[2]);
return (!empty($type->help) ? filter_xss_admin($type->help) : '');
return (!empty($type->help) ? Xss::filterAdmin($type->help) : '');
}
}
......@@ -9,6 +9,7 @@
* @see node_menu()
*/
use Drupal\Component\Utility\Xss;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Drupal\node\NodeInterface;
......@@ -30,7 +31,7 @@ function template_preprocess_node_add_list(&$variables) {
$variables['types'][$type->type] = array(
'type' => $type->type,
'add_link' => l($type->name, 'node/add/' . $type->type),
'description' => filter_xss_admin($type->description),
'description' => Xss::filterAdmin($type->description),
);
}
}
......@@ -141,7 +142,7 @@ function node_revision_overview($node) {
'#account' => user_load($revision->uid),
);
$row[] = array('data' => t('!date by !username', array('!date' => l(format_date($revision->revision_timestamp, 'short'), 'node/' . $node->id()), '!username' => drupal_render($username)))
. (($revision->log != '') ? '<p class="revision-log">' . filter_xss($revision->log) . '</p>' : ''),
. (($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : ''),
'class' => array('revision-current'));
$row[] = array('data' => drupal_placeholder(t('current revision')), 'class' => array('revision-current'));
}
......@@ -151,7 +152,7 @@ function node_revision_overview($node) {
'#account' => user_load($revision->uid),
);
$row[] = t('!date by !username', array('!date' => l(format_date($revision->revision_timestamp, 'short'), "node/" . $node->id() . "/revisions/" . $revision->vid . "/view"), '!username' => drupal_render($username)))
. (($revision->log != '') ? '<p class="revision-log">' . filter_xss($revision->log) . '</p>' : '');
. (($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : '');
if ($revert_permission) {
$links['revert'] = array(
'title' => t('Revert'),
......@@ -11,6 +11,7 @@
use Drupal\Component\Utility\Json;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\String;
use Drupal\Component\Utility\Xss;
use Drupal\Core\DrupalKernel;
use Drupal\Core\Database\Database;
use Drupal\Core\Database\ConnectionNotDefinedException;
......@@ -2766,7 +2767,7 @@ protected function assertNoText($text, $message = '', $group = 'Other') {
*/
protected function assertTextHelper($text, $message = '', $group, $not_exists) {
if ($this->plainTextContent === FALSE) {
$this->plainTextContent = filter_xss($this->drupalGetContent(), array());
$this->plainTextContent = Xss::filter($this->drupalGetContent(), array());
}
if (!$message) {
$message = !$not_exists ? String::format('"@text" found', array('@text' => $text)) : String::format('"@text" not found', array('@text' => $text));
......@@ -2851,7 +2852,7 @@ protected function assertNoUniqueText($text, $message = '', $group = 'Other') {
*/
protected function assertUniqueTextHelper($text, $message = '', $group, $be_unique) {
if ($this->plainTextContent === FALSE) {
$this->plainTextContent = filter_xss($this->drupalGetContent(), array());
$this->plainTextContent = Xss::filter($this->drupalGetContent(), array());
}
if (!$message) {
$message = '"' . $text . '"' . ($be_unique ? ' found only once' : ' found more than once');
......@@ -11,7 +11,7 @@
use Drupal\simpletest\DrupalUnitTestBase;
/**
* Tests for filter_xss() and check_url().
* Tests for \Drupal\Component\Utility\Xss::filter() and check_url().
*/
class XssUnitTest extends DrupalUnitTestBase {
......@@ -25,7 +25,7 @@ class XssUnitTest extends DrupalUnitTestBase {
public static function getInfo() {
return array(
'name' => 'String filtering tests',
'description' => 'Confirm that filter_xss() and check_url() work correctly, including invalid multi-byte sequences.',
'description' => 'Confirm that \Drupal\Component\Utility\Xss::filter() and check_url() work correctly, including invalid multi-byte sequences.',
'group' => 'Common',
);
}
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\Form;
use Drupal\Component\Utility\Xss;
use Drupal\simpletest\WebTestBase;
/**
......@@ -42,7 +43,7 @@ function testExecutionOrder() {
'form_test_form_form_test_alter_form_alter() executed.',
'system_form_form_test_alter_form_alter() executed.',
);
$content = preg_replace('/\s+/', ' ', filter_xss($this->content, array()));
$content = preg_replace('/\s+/', ' ', Xss::filter($this->content, array()));
$this->assert(strpos($content, implode(' ', $expected)) !== FALSE, 'Form alter hooks executed in the expected order.');
}
}
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\System;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Utility\Title;
use Drupal\simpletest\WebTestBase;
......@@ -73,7 +74,7 @@ function testTitleXSS() {
$title_filtered = check_plain($title);
$slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
$slogan_filtered = filter_xss_admin($slogan);
$slogan_filtered = Xss::filterAdmin($slogan);
// Activate needed appearance settings.
$edit = array(
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\Theme;
use Drupal\Component\Utility\Xss;
use Drupal\simpletest\WebTestBase;
/**
......@@ -182,7 +183,7 @@ function testExecutionOrder() {
'test_theme_theme_suggestions_alter() executed.',
'test_theme_theme_suggestions_theme_test_suggestions_alter() executed.',
);
$content = preg_replace('/\s+/', ' ', filter_xss($this->content, array()));
$content = preg_replace('/\s+/', ' ', Xss::filter($this->content, array()));
$this->assert(strpos($content, implode(' ', $expected)) !== FALSE, 'Suggestion alter hooks executed in the expected order.');
}
......@@ -5,6 +5,7 @@
* Admin page callbacks for the system module.
*/
use Drupal\Component\Utility\Xss;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Extension\Extension;
use Drupal\Core\Render\Element;
......@@ -105,7 +106,7 @@ function template_prepro