FilterHtml accepts <*> but does not support it, resulting in inaccurate ::getHtmlRestrictions() return value

Open on Drupal.org →

Created on 2 August 2021, almost 3 years ago

Updated 26 February 2024, 4 months ago

Discovered while working on #3216015: Generate CKEditor 5 configuration based on pre-existing text format configuration → for CKEditor 5.

Problem/Motivation

\Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions

Parses a string of html tags into an array that defines what tags/attributes are allowed by the filter. UPDATE per #6: While \Drupal\filter\Plugin\Filter\FilterHtml::settingsForm() does not check for this (there is zero validation for the allowed_html input 😱), which is why one can be reasonably led to believe that <*> is allowed…

That finding makes all of this wrong/irrelevant:

However, the returned array does not properly represent the config for "star" tags.

Before any parsing of the "allowed html" string occurs all * instaces are replaced.
$star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);
Later in the code, any attributes using * have the star returned
 foreach ($node->attributes as $name => $attribute) {
          // Put back any trailing * on wildcard attribute name.
          $name = str_replace($star_protector, '*', $name);
But stars representing a tag never get un-starred, and the returned array will include the "tag" for the $star_protector string. For example, when it parses a string with the "tag" <* data-donk>

There is configuration for a __zqh6vxfbk3cg__ tag alongside the config for the * tag returned by default

Steps to reproduce

See above.

Proposed resolution

— done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
— done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
— done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...

Remaining tasks

None.

User interface changes

API changes

None.

Data model changes

None.

Release notes snippet

None.

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

Last updated 3 days ago

No maintainer

Created by

🇺🇸United States bnjmnm Ann Arbor, MI

Live updates comments and jobs are added and updated live.

Drupal 10

Needs Review Queue Initiative

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
#33 still applies cleanly to 10.1.x and matches the state of the MR. We should just close the MR IMHO?

Let's find out if it still passes tests. I cannot RTBC this, I worked too much on it.
Status changed to Needs work over 1 year ago3:50pm 20 February 2023
Comment over 1 year ago →
🇺🇸United States smustgrave
Let me know if I'm testing this wrong.

Tried <*> but get this error with and without the patch

InvalidArgumentException: The value for the special "*" global attribute HTML tag must be an array of attribute restrictions. in Drupal\ckeditor5\HTMLRestrictions::validateAllowedRestrictionsPhase2() (line 201 of core/modules/ckeditor5/src/HTMLRestrictions.php).

Tried <data *> page saves with the page but doesn't save the value.
Comment 5 months ago →
🇭🇺Hungary Pasqualle 🇭🇺 Budapest
Need reroll for 10.2
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.1 & MySQL 5.7
last update 5 months ago
Patch Failed to Apply
Comment 4 months ago →
🇨🇳China lawxen
Just a reroll of #33 for 10.2.x
Comment 4 months ago →
🇨🇳China lawxen
After reroll the patch and applied, but still couln't solve the problem of https://www.drupal.org/project/extended_html_filter/issues/3401513#comme... ✨ Match the filter_html <> ckeditor5 integration in Drupal core Needs work

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024