Issue #3302315 by Daniel Korte: Include SVG elements in allowed content and...

Issue #3302315 by Daniel Korte: Include SVG elements in allowed content and align Twig XSS filtering

Issue #3302315 by Daniel Korte: Include SVG elements in allowed content and...
17b31f93 · Daniel Korte · vitalie · d493a692 · 17b31f93 · 17b31f93
Commit 17b31f93 authored Aug 18, 2022 by Daniel Korte Committed by vitalie Aug 18, 2022
--- a/src/SpamspanInterface.php
+++ b/src/SpamspanInterface.php
@@ -75,6 +75,11 @@ interface SpamspanInterface {
    // Closing tag.
    . '</a>!ixs';

+  /**
+   * The list of HTML tags allowed.
+   */
+  const ALLOWED_HTML = ['abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', '!--', 'svg', 'animate', 'title', 'use', 'g', 'text', 'textPath', 'tspan', 'symbol', 'defs', 'desc', 'mask', 'marker', 'mpath', 'path', 'polygon', 'polyline', 'circle', 'clipPath', 'ellipse', 'line', 'radialGradient', 'rect', 'image', 'linearGradient'];
+
  /**
   * Obfuscation based on PATTERN_EMAIL_BARE.
   *

--- a/src/SpamspanTrait.php
+++ b/src/SpamspanTrait.php
@@ -291,10 +291,7 @@ trait SpamspanTrait {
      // Remove anything except certain inline elements, just in case.
      // Nested <a> elements are illegal.
      // <img> needs to be here to allow for graphic @.
-      $contents = Xss::filter(
-        $contents,
-        ['em', 'strong', 'cite', 'b', 'i', 'code', 'span', 'img', '!--', 'br']
-      );
+      $contents = Xss::filter($contents, SpamspanInterface::ALLOWED_HTML);
    }

    return $contents;

--- a/src/TwigExtension/SpamspanExtension.php
+++ b/src/TwigExtension/SpamspanExtension.php
@@ -4,6 +4,7 @@ namespace Drupal\spamspan\TwigExtension;

 use Drupal\Component\Utility\Xss;
 use Drupal\Core\Render\Renderer;
+use Drupal\spamspan\SpamspanInterface;

 /**
 * Provides the SpamSpan filter function within Twig templates.
@@ -55,7 +56,7 @@ class SpamspanExtension extends \Twig_Extension {
  public function spamSpanFilter($string) {
    $template_attached = ['#attached' => ['library' => ['spamspan/obfuscate']]];
    $this->renderer->render($template_attached);
-    return Xss::filterAdmin(spamspan($string));
+    return Xss::filter(spamspan($string), SpamspanInterface::ALLOWED_HTML);
  }

 }