CKEditor mangles tokens in URLs, due to bug in Xss::attributes()

Created on 12 February 2018, almost 7 years ago
Updated 18 August 2023, over 1 year ago

Problem/Motivation

It is pretty common to want to use a token for a URL when editing text. For instance, you might want something like:

<a href="[my:token:here]">link text here</a>

However, this breaks if the body field uses CKEditor with a text format that includes the "Limit allowed HTML tags and correct faulty HTML" filter. Enter a token like that in the field, save, and later re-edit the content: when you look at the HTML source or save again, the token has been corrupted. This appears to be independent of which CKEditor buttons you have configured, so it is apparently not a problem with a particular button plugin.

Additionally, some (but not all) other attributes in HTML get corrupted in the same way, if your text format allows these attributes. Some examples that were tested:

Tokens in the text that are outside of HTML attributes do not get corrupted.

Steps to reproduce:
a) In a content item with a field that has a text format that is configured to use CKEditor for editing, and which contains the "Limit allowed HTML tags and correct faulty HTML" filter, and allows the A tag, type some link text in the editor.
b) Highlight to select the link text.
c) Click the Link button (chains) in the editor toolbar, and enter [my:token:here] as the URL in the popup.
d) Click Save in the popup. Verify that the HTML source looks like

<a href="[my:token:here]">link text here</a>

e) Save the content item you are editing.
f) Test -- the link works fine (assuming you are running a token replace so it gets replaced by the right URL).
g) Edit the content item again.
h) When you get back to the editor, look at the HTML source. Instead of seeing what was there before, you will see something like this:

<a href="en:here]">link text here</a>

So that's the bug: if you re-edit some HTML text using CKEditor and the "Limit allowed HTML tags and correct faulty HTML" filter, and there is an A tag with a token in the URL (or tokens in various other attributes, but not all attributes), CKEditor truncates and mangles the token, leading to data loss. According to Priority Levels of Issues, this means it is a Critical bug (or at least Major?) because it leads to data loss.

Note: We are specifically seeing this in the proposed Help Topics module (see related issue #2943974: Work-around for route tokens in Help text format getting truncated after editing a help topic).

Proposed resolution

Fix Drupal so that CKEditor doesn't mangle tokens in URLs in A tags.

The problem was traced to a bug in \Drupal\Component\Utility\Xss::attributes(). If you pass an attribute string like href="[something:something:config_basic]" to this function, you get back something that looks like href="config_basic]": everything up to and including the last colon is dropped.

Remaining tasks

Fix the bug in Xss::attributes().

User interface changes

CKEditor will not mangle HTML containing tokens for URLs in A tags, or other HTML tag attributes.

API changes

None.

Data model changes

None.

πŸ› Bug report
Status

Needs work

Version

11.0 🔥

Component
Base

Last updated about 9 hours ago

Created by

🇺🇸 United States jhodgdon Spokane, WA, USA

  • Needs issue summary update


Merge Requests

Comments & Activities


  • 🇨🇦 Canada jibran Toronto, Canada

    RE #65: It is a very well-made point so thank you for that.

    I feel like it shouldn't be \Drupal\Component\Utility\Xss::attributes() responsibility. If it can happen after token replacement using token_filter then I think it should be dealt with in token_filter. Once the token is replaced using token_filter then src and href should be passed to \Drupal\Component\Utility\UrlHelper::filterBadProtocol().
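The mangling described in the issue summary (href="[something:something:config_basic]" coming back as href="config_basic]") and the ordering proposed in the comment above (replace tokens first, then filter the URL) can both be seen in a small model of the protocol filter. The following is an added illustration, not Drupal's own code: strip_dangerous_protocols() re-implements the shape of the iterative scheme-stripping behind UrlHelper::filterBadProtocol(), the ALLOWED_PROTOCOLS set and the TOKENS table are constructed assumptions, and the two filter_href_* functions exist only to contrast the two orderings.

```python
import re

# Allow-list of URL schemes. This set is an assumption modelled on the kind of
# default list Drupal's UrlHelper ships with; a real deployment may differ.
ALLOWED_PROTOCOLS = frozenset({
    "http", "https", "ftp", "news", "nntp", "telnet", "mailto",
    "irc", "ssh", "sftp", "webcal", "rtsp",
})


def strip_dangerous_protocols(uri, allowed=ALLOWED_PROTOCOLS):
    """Drop leading 'scheme:' prefixes whose scheme is not on the allow-list.

    Illustrative re-implementation of the algorithm behind
    UrlHelper::filterBadProtocol() (not Drupal's own code). Everything before
    the first colon is treated as a scheme, unless a '/', '?' or '#' appears
    before that colon, which marks a relative URL with no scheme. The strip
    repeats until the value stops changing, so a doubled prefix cannot
    survive a single pass.
    """
    while True:
        colon = uri.find(":")
        if colon < 1:
            # No colon, or a colon at position 0: nothing that can be a scheme.
            return uri
        scheme = uri[:colon]
        if re.search(r"[/?#]", scheme):
            # Path, query or fragment delimiter before the colon: relative URL.
            return uri
        if scheme.lower() in allowed:
            return uri
        # Disallowed scheme: remove it and re-examine the remainder.
        uri = uri[colon + 1:]


# Constructed token table standing in for what a token-replacement filter
# would resolve at render time (assumption; not a real Drupal token set).
TOKENS = {
    "[my:token:here]": "https://example.com/docs",
}


def replace_tokens(value, tokens=TOKENS):
    """Substitute every known [a:b:c] token in value with its mapped string."""
    for token, replacement in tokens.items():
        value = value.replace(token, replacement)
    return value


def filter_href_before_replacement(href, tokens=TOKENS):
    """The problematic order: protocol filtering runs on the raw token text.

    '[my:token:here]' is read as scheme '[my', then 'token', neither of which
    is allowed, so the filter chews the value down to 'here]' and the token is
    lost before it could ever be replaced.
    """
    return replace_tokens(strip_dangerous_protocols(href), tokens)


def filter_href_after_replacement(href, tokens=TOKENS):
    """The order proposed in the comments: resolve tokens first, filter second.

    The token survives, and the protocol check still runs on the URL the token
    actually resolved to, so a token whose value carries a disallowed scheme
    is stripped exactly as a literal URL would be.
    """
    return strip_dangerous_protocols(replace_tokens(href, tokens))


if __name__ == "__main__":
    for raw in ("[my:token:here]", "[something:something:config_basic]",
                "https://example.com/a", "/relative/path:with:colons"):
        print(f"{raw!r:40} before: {filter_href_before_replacement(raw)!r:28}"
              f" after: {filter_href_after_replacement(raw)!r}")
```

Running the block prints the two orderings side by side: the first column reproduces the truncation reported in the summary, the second keeps the token intact while a token that resolves to a disallowed scheme is still cut down, which is the point of running the filter after replacement rather than skipping it for tokens.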

  • 🇨🇦 Canada mandclu

    I ran into this issue today, and had to implement a messy workaround. It would be great if this could get more attention.

  • 🇳🇱 Netherlands richard hoogstad

    Hello Drupal Community
    This merge request addresses an existing issue with tokens in attributes. Here’s a brief overview of the changes made:

    • Allows Tokens for src and html Attributes: This will enhance flexibility in how tokens are utilized within these attributes.
    • Added Support for href Attribute: In addition to the above, I've added support for tokens within the href attribute.

    This implementation is built upon two patches provided by @danflanagan8.

    I welcome any feedback or suggestions from the community, as I strive to ensure that this merge request meets our shared standards and needs.

    Thank you for your consideration!

    Best regards,
    Richard Hoogstad

  • 🇳🇱 Netherlands watergate

    watergate changed the visibility of the branch 11.x to hidden.

  • Pipeline finished with Failed
    about 12 hours ago
    Total: 95s
    #387206
  • Pipeline finished with Success
    about 12 hours ago
    Total: 778s
    #387228