Verified Commit cb6d0184 authored by Lee Rowlands


Issue #3410303 by longwave, Luke.Leber, Wim Leers, quietone, dslatkin: FilterHtml data loss when iframe and/or textarea is allowed

(cherry picked from commit 3ae37397)
parent bb42fa92
+17 −1
@@ -7,6 +7,9 @@
use Drupal\Component\Utility\Html;
use Drupal\filter\FilterProcessResult;
use Drupal\filter\Plugin\FilterBase;
use Masterminds\HTML5\Parser\DOMTreeBuilder;
use Masterminds\HTML5\Parser\Scanner;
use Masterminds\HTML5\Parser\Tokenizer;

/**
 * Provides a filter to limit allowed HTML tags.
@@ -258,7 +261,20 @@ public function getHTMLRestrictions() {
    $star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);

    $dom = Html::load($html);
    // Use HTML5 parser with a custom tokenizer to correctly parse tags that
    // normally use text mode, such as iframe.
    $events = new DOMTreeBuilder(FALSE, ['disable_html_ns' => TRUE]);
    $scanner = new Scanner('<body>' . $html);
    $parser = new class($scanner, $events) extends Tokenizer {

      public function setTextMode($textMode, $untilTag = NULL) {
        // Do nothing, we never enter text mode.
      }

    };
    $parser->parse();

    $dom = $events->document();
    $xpath = new \DOMXPath($dom);
    foreach ($xpath->query('//body//*') as $node) {
      $tag = $node->tagName;
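Review bot: The `setTextMode()` override in the anonymous Tokenizer subclass has no docblock, and its one-line comment does not say why text mode must be skipped; Drupal's coding standard expects a `{@inheritdoc}` docblock on every overriding method. Text mode is what makes the HTML5 tokenizer treat everything after start tags such as `<iframe>`, `<textarea>`, `<script>` or `<style>` as raw text until the matching end tag, so for the string parsed here (the `$html` assigned above the hunk is presumably the `allowed_html` setting, a list of bare tags with no content) it would swallow every tag listed after such an element. I would replace the inline comment with `// The allowed-tags string contains no element content, so never switch to raw-text mode: it would consume every tag listed after e.g. <iframe> or <textarea> until an end tag that is never present.` and add the `{@inheritdoc}` docblock above the method. If this tokenizer is indeed used only for the restrictions configuration and not for filtered user content, stating that in the same comment would save the next reader from checking; getHTMLRestrictions() begins and ends outside the hunk.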
+11 −0
@@ -579,6 +579,17 @@ public function testHtmlFilter() {
    $this->assertNormalized($f, '<a>link</a>', 'HTML filter removes allowed attributes that have a not explicitly allowed value.');
    $f = (string) $filter->process('<a href="/beautiful-animals" kitten="cute" llama="epic majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('<a href="/beautiful-animals" llama="epic majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');

    // Allow iframes and check that the subsequent tags are parsed correctly.
    $filter->setConfiguration([
      'settings' => [
        'allowed_html' => '<iframe> <a href llama>',
        'filter_html_help' => 1,
        'filter_html_nofollow' => 0,
      ],
    ]);
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a llama="awesome">link</a>');
  }

  /**
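Review bot: The added test covers only `<iframe>` in `allowed_html`, while the issue title names textarea as well; `<textarea>` is the other commonly allowed element whose content the HTML5 tokenizer treats as raw text, so the same regression could occur there without being caught. I would add a second configuration, e.g. `'allowed_html' => '<textarea> <a href llama>'`, and repeat the process/assert pair (or iterate the test body over both tags). The assertion compares against `<a llama="awesome">link</a>`, so a regression would appear as `llama` being stripped; a comment naming that symptom, e.g. `// If <iframe> put the parser into text mode, the <a> restrictions after it would be lost and llama would be stripped.`, makes the intent clearer than "subsequent tags are parsed correctly". testHtmlFilter() begins outside the hunk.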