Commit 17b31f93 authored by Daniel Korte's avatar Daniel Korte Committed by vitalie

Issue #3302315 by Daniel Korte: Include SVG elements in allowed content and...

Issue #3302315 by Daniel Korte: Include SVG elements in allowed content and align Twig XSS filtering
parent d493a692
...@@ -75,6 +75,11 @@ interface SpamspanInterface { ...@@ -75,6 +75,11 @@ interface SpamspanInterface {
// Closing tag. // Closing tag.
. '</a>!ixs'; . '</a>!ixs';
/**
* The list of HTML tags allowed.
*/
const ALLOWED_HTML = ['abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', '!--', 'svg', 'animate', 'title', 'use', 'g', 'text', 'textPath', 'tspan', 'symbol', 'defs', 'desc', 'mask', 'marker', 'mpath', 'path', 'polygon', 'polyline', 'circle', 'clipPath', 'ellipse', 'line', 'radialGradient', 'rect', 'image', 'linearGradient'];
/** /**
* Obfuscation based on PATTERN_EMAIL_BARE. * Obfuscation based on PATTERN_EMAIL_BARE.
* *
......
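Review bot: Four entries in the new ALLOWED_HTML constant are camelCase (`textPath`, `clipPath`, `radialGradient`, `linearGradient`), and as far as I recall Xss::filter lowercases the parsed element name before checking it against the allow list, so those four SVG elements would still be stripped despite being listed; if that holds, the entries need to be `'textpath', 'clippath', 'radialgradient', 'lineargradient'` (the markup's original casing is preserved on output, so rendering is unaffected). The docblock should also say where the list is consumed now that it replaces two different allow lists, e.g. `The HTML/SVG tags Xss::filter keeps, both for the contents of <a> elements in SpamspanTrait and for the whole output of the spamspan Twig filter.` A unit test that round-trips a `<linearGradient>` element through Xss::filter with this list would catch the casing problem. As a style point, an interface constant can carry an explicit `public` visibility, and a list this long is easier to review one entry per line with HTML and SVG groups separated.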
...@@ -291,10 +291,7 @@ trait SpamspanTrait { ...@@ -291,10 +291,7 @@ trait SpamspanTrait {
// Remove anything except certain inline elements, just in case. // Remove anything except certain inline elements, just in case.
// Nested <a> elements are illegal. // Nested <a> elements are illegal.
// <img> needs to be here to allow for graphic @. // <img> needs to be here to allow for graphic @.
$contents = Xss::filter( $contents = Xss::filter($contents, SpamspanInterface::ALLOWED_HTML);
$contents,
['em', 'strong', 'cite', 'b', 'i', 'code', 'span', 'img', '!--', 'br']
);
} }
return $contents; return $contents;
......
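Review bot: The context comment kept at the top of the hunk, `Remove anything except certain inline elements, just in case`, no longer describes the call on the new side: ALLOWED_HTML contains block-level elements (div, table, h1–h6, section) and SVG elements, so the filtering of anchor contents is now far broader than "certain inline elements". Either update the comment, e.g. `// Strip anything not in SpamspanInterface::ALLOWED_HTML; nested <a> elements are illegal, <img>/<svg> allow a graphic @.`, or keep a tighter list for the contents of an `<a>` than the one applied to whole Twig output, since the two contexts have different expectations about what markup is acceptable. The enclosing method starts and ends outside the hunk.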
...@@ -4,6 +4,7 @@ namespace Drupal\spamspan\TwigExtension; ...@@ -4,6 +4,7 @@ namespace Drupal\spamspan\TwigExtension;
use Drupal\Component\Utility\Xss; use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Renderer; use Drupal\Core\Render\Renderer;
use Drupal\spamspan\SpamspanInterface;
/** /**
* Provides the SpamSpan filter function within Twig templates. * Provides the SpamSpan filter function within Twig templates.
...@@ -55,7 +56,7 @@ class SpamspanExtension extends \Twig_Extension { ...@@ -55,7 +56,7 @@ class SpamspanExtension extends \Twig_Extension {
public function spamSpanFilter($string) { public function spamSpanFilter($string) {
$template_attached = ['#attached' => ['library' => ['spamspan/obfuscate']]]; $template_attached = ['#attached' => ['library' => ['spamspan/obfuscate']]];
$this->renderer->render($template_attached); $this->renderer->render($template_attached);
return Xss::filterAdmin(spamspan($string)); return Xss::filter(spamspan($string), SpamspanInterface::ALLOWED_HTML);
} }
} }
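Review bot: Swapping `Xss::filterAdmin` for `Xss::filter(..., SpamspanInterface::ALLOWED_HTML)` on the return line changes which tags survive in Twig output beyond adding SVG: ALLOWED_HTML has no `a` entry, so any ordinary `<a>` link in the filtered string that the admin list previously kept is now removed, which may be unintended because this filter runs over the whole string rather than only over anchor contents. If the narrowing is intended, the method docblock should state it; otherwise consider adding `'a'` for this call or a Twig-specific list. The `use Drupal\spamspan\SpamspanInterface;` import is fine; `spamSpanFilter($string)` could also declare `string $string): string` to match the typed style of modern PHP. The hunk shows the whole method, but the class continues outside it.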