FilterHtml accepts <*> but does not support it, resulting in inaccurate ::getHtmlRestrictions() return value

Open on Drupal.org →

Created on 2 August 2021, almost 4 years ago

Updated 26 February 2024, over 1 year ago

Discovered while working on #3216015: Generate CKEditor 5 configuration based on pre-existing text format configuration → for CKEditor 5.

Problem/Motivation

\Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions

Parses a string of html tags into an array that defines what tags/attributes are allowed by the filter. UPDATE per #6: While \Drupal\filter\Plugin\Filter\FilterHtml::settingsForm() does not check for this (there is zero validation for the allowed_html input 😱), which is why one can be reasonably led to believe that <*> is allowed…

That finding makes all of this wrong/irrelevant:

However, the returned array does not properly represent the config for "star" tags.

Before any parsing of the "allowed html" string occurs all * instaces are replaced.
$star_protector = '__zqh6vxfbk3cg__';
    $html = str_replace('*', $star_protector, $html);
Later in the code, any attributes using * have the star returned
 foreach ($node->attributes as $name => $attribute) {
          // Put back any trailing * on wildcard attribute name.
          $name = str_replace($star_protector, '*', $name);
But stars representing a tag never get un-starred, and the returned array will include the "tag" for the $star_protector string. For example, when it parses a string with the "tag" <* data-donk>

There is configuration for a __zqh6vxfbk3cg__ tag alongside the config for the * tag returned by default

Steps to reproduce

See above.

Proposed resolution

— done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
— done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...
— done in https://git.drupalcode.org/project/drupal/-/merge_requests/998/diffs?com...

Remaining tasks

None.

User interface changes

API changes

None.

Data model changes

None.

Release notes snippet

None.

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

Last updated 24 days ago

No maintainer

Created by

🇺🇸United States bnjmnm Ann Arbor, MI

Live updates comments and jobs are added and updated live.

Drupal 10

Needs Review Queue Initiative
Used to track the progress of issues reviewed by the Drupal Needs Review Queue Initiative.

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 2 years ago →
🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
#33 still applies cleanly to 10.1.x and matches the state of the MR. We should just close the MR IMHO?

Let's find out if it still passes tests. I cannot RTBC this, I worked too much on it.
Status changed to Needs work over 2 years ago3:50pm 20 February 2023
Comment over 2 years ago →
🇺🇸United States smustgrave
Let me know if I'm testing this wrong.

Tried <*> but get this error with and without the patch

InvalidArgumentException: The value for the special "*" global attribute HTML tag must be an array of attribute restrictions. in Drupal\ckeditor5\HTMLRestrictions::validateAllowedRestrictionsPhase2() (line 201 of core/modules/ckeditor5/src/HTMLRestrictions.php).

Tried <data *> page saves with the page but doesn't save the value.
Comment over 1 year ago →
🇭🇺Hungary pasqualle 🇭🇺 Budapest
Need reroll for 10.2
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.1 & MySQL 5.7
last update over 1 year ago
Patch Failed to Apply
Comment over 1 year ago →
🇨🇳China lawxen
Just a reroll of #33 for 10.2.x
Comment over 1 year ago →
🇨🇳China lawxen
After reroll the patch and applied, but still couln't solve the problem of https://www.drupal.org/project/extended_html_filter/issues/3401513#comme... ✨ Match the filter_html <> ckeditor5 integration in Drupal core Needs work

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024