Contrib.social

Add protocol filtering to Attribute

Open on Drupal.org →
Created on 13 September 2015, over 9 years ago
Updated 22 March 2025, about 1 month ago

Problem/Motivation

Xss::filter() automatically does HTML escaping and protocol filtering on attributes. Protocols are filtered on everything except title, alt and data-

Attribute however, while it claims to make attributes sanitized and safe (issue to fix the claim at #2567741: Attribute/drupal_attributes() docs do not mention protocol filtering on URLs ), does no such protocol filtering.

Proposed resolution

Apply protocol stripping to everything except title, alt and data- too.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Needs work

Version

11.0 🔥

Component

base system

Created by

🇬🇧United Kingdom catch

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • Merge request !11575Don't duplicate attribute list → (Open) created by prudloff
  • Pipeline finished with Failed
    about 1 month ago
    Total: 104s
    #455081
  • Pipeline finished with Failed
    about 1 month ago
    Total: 657s
    #455084
  • Pipeline finished with Failed
    about 1 month ago
    Total: 590s
    #455105
  • Pipeline finished with Failed
    about 1 month ago
    Total: 173s
    #455114
  • Pipeline finished with Success
    about 1 month ago
    Total: 642s
    #455115
  • Comment about 1 month ago
    🇫🇷France prudloff Lille

    I agree this is important and would help prevent some XSS vulnerabilities.
    I rebased the latest patch and adjusted some things to make tests pass.

    However, I see two potential problems with the solution:

    • It would require maintaining a long list of attributes in which protocols should not be filtered (see 🐛 XSS attribute filtering is inconsistent and strips valid attributes Needs work ).
      This is an existing problem with the XSS filter, but filtering attributes everywhere makes it more visible.
    • Using MarkupInterface to explicitly bypass the filter seems a bit weird semantically, because an attribute value is not really markup.
      (When this was proposed the interface was still called SafeStringInterface.)

    Also filtering the style attribute would break too many places in core where it is used (because every CSS rule contains the : character) and I don't think it is the job stripDangerousProtocols() to remove dangerous URLs in CSS.
    Removing dangerous CSS could be implemented later in Allow inline style to certain html elements despite of "Limit allowed HTML tags and correct faulty HTML" filter turned on Active .

  • Comment 26 days ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    24 days ago
    Total: 518s
    #465495
  • Comment 24 days ago
    🇫🇷France prudloff Lille

    I rebased the MR.

  • Comment 23 days ago
    🇨🇦Canada joelpittet Vancouver

    It would be so nice if the tests didn’t change. Are the test changes really necessary? Adding more expected assertions is fine, but changing the provider values reduces confidence in the change.

    Thanks for picking this up, it's been sitting for a while.

  • Pipeline finished with Success
    23 days ago
    #465963
  • Comment 23 days ago
    🇫🇷France prudloff Lille

    The tests have to change (well at least the expected values) because attribute values that were not sanitized before now have their protocol removed.
    However, I adjusted the MR a bit to limit the changes in tests.

  • Comment 14 days ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024