[sechole] Remove blacklist mode from Filter:XSS

Created on 28 October 2014, over 9 years ago
Updated 13 September 2023, 10 months ago

Problem/Motivation

A FILTER_MODE_BLACKLIST was added to the Xss class. To call this dangerous is a serious understatement. People might get confused as to which one to use, and a flawed call coupled with the blacklist is a sechole. With the traditional whitelist there is much less confusion, and you have to explicitly enable insecure tags.

Proposed resolution

  1. Remove FILTER_MODE_BLACKLIST from the Core namespace. Nuke it from orbit. Have you guys completely lost your mind?? One bad call to this and your site is toast.
  2. Make Drupal\editor\EditorXssFilter\Standard extend Xss.
  3. Factor out if (!isset($html_tags[strtolower($elem)])) into a method.
  4. Override that method in Standard.
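The shape of steps 2 to 4, as an added illustration rather than Drupal's own Xss code: the tag check is one protected method, a subclass standing in for Drupal\editor\EditorXssFilter\Standard widens the whitelist by overriding it, and there is no blacklist mode, so any tag the filter does not know about is dropped. The class names SimpleXss and EditorStandardXss and the method name isAllowedTag are assumptions.

```php
<?php
// Added illustration of the refactor proposed above; not Drupal's Xss class.
// The "is this tag allowed?" decision is one protected method, so a subclass
// widens the whitelist by overriding it. There is no blacklist mode: a tag the
// code does not know about is always dropped, so a forgotten tag fails closed.

class SimpleXss {
  /** Default whitelist, used when the caller passes none. */
  protected static $defaultTags = ['a', 'em', 'strong', 'p', 'ul', 'ol', 'li', 'br'];

  /**
   * Strips every tag that is not on the whitelist. Attributes are discarded from
   * the tags that survive; Drupal's real filter sanitises attributes separately.
   */
  public static function filter($string, array $html_tags = NULL) {
    if ($html_tags === NULL) {
      $html_tags = static::$defaultTags;
    }
    // Build the lookup table that the isset($html_tags[strtolower($elem)]) check expects.
    $html_tags = array_flip(array_map('strtolower', $html_tags));
    return preg_replace_callback('#<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>#', function ($m) use ($html_tags) {
      // $m[1] is '/' for a closing tag, $m[2] is the element name.
      if (!static::isAllowedTag($m[2], $html_tags)) {
        return '';
      }
      return '<' . $m[1] . strtolower($m[2]) . '>';
    }, $string);
  }

  /** The factored-out check from step 3 of the proposed resolution. */
  protected static function isAllowedTag($elem, array $html_tags) {
    return isset($html_tags[strtolower($elem)]);
  }
}

// Stand-in for Drupal\editor\EditorXssFilter\Standard: an editor can additionally
// permit tags, but only by naming them, never by listing what to forbid.
class EditorStandardXss extends SimpleXss {
  protected static function isAllowedTag($elem, array $html_tags) {
    $editor_tags = ['img' => TRUE, 'blockquote' => TRUE];
    return parent::isAllowedTag($elem, $html_tags) || isset($editor_tags[strtolower($elem)]);
  }
}

// Constructed sample input; the script's text survives as plain text once its tag is gone.
$input = '<p onclick="evil()">Hi <script>evil()</script><img src="a.png"></p>';
print SimpleXss::filter($input) . "\n";
print EditorStandardXss::filter($input) . "\n";
```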

Remaining tasks

User interface changes

API changes

The optional $mode argument is gone from Filter::Xss. Good riddance. Change notice at https://www.drupal.org/node/2365293

πŸ› Bug report
Status

Fixed

Version

8.0

Component
Other


Created by

chx (Canada)

Tags

  • Security improvements
