Review/update $adminTags variable for new html elements to be whitelisted

Created on 1 August 2016, almost 9 years ago
Updated 25 January 2023, over 2 years ago

Problem/Motivation

Xss::filterAdmin() is currently stripping out the picture & source html elements that are part of the Core module Responsive Image. $adminTags sets the elements that are whitelisted and would need to be updated.

This bug was first found at https://www.drupal.org/node/2687479 โ†’ . Views is stripping out the picture & source elements when responsive images fields are being rewritten. The patch there will be uploaded here to start / demo a fix that would need to be reviewed.

Steps to reproduce

This is for testing responsive image support (picture):

1. Install Drupal with Umami profile
2. Create new View: Content of type Article, Create a page, Save and edit
3. Switch Format from Content to Fields
4. Add a Media Image field
5. Choose Formatter = Rendered entity and View mode = Responsive 3x2
6. Look at the page
7. Result: See original image for the articles
8. Expected: See responsive image for the articles

Proposed resolution

Review/update $adminTags to include picture & source. It would probably be good to review $adminTags to see if there are any other html elements that should be whitelisted at the same time.

Remaining tasks

  • Review what HTML elements to add
  • New HTML elements to be reviewed for XSS vulnerabilities

User interface changes

none

API changes

none

Data model changes

none

๐Ÿ“Œ Task
Status

Needs work

Version

10.1 โœจ

Component
Otherย  โ†’

Last updated about 5 hours ago

Created by

๐Ÿ‡บ๐Ÿ‡ธUnited States nmillin

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024