Xss::filter() damages attribute names with unconventional chars

Open on Drupal.org →

Created on 5 July 2023, almost 2 years ago

Problem/Motivation

Xss::filter() damages attribute names with chars other than alphanumeric or dash.

E.g. <div data-x_y="hello"></div> becomes <div y="hello"></div>

I already reported this in a comment in #2544110-165: XSS attribute filtering is inconsistent and strips valid attributes → , but I think it is useful to have a dedicated issue for reference.
This is also a place to have a patch that people can use to fix this issue specifically, without a full buy-in to the work from 🐛 XSS attribute filtering is inconsistent and strips valid attributes Needs work .

In the end, fixes for both issues will likely conflict.

Steps to reproduce

Call Xss::filter('<div data-x_y="hello"></div>').

Expected: Either <div data-x_y="hello"></div> or just <div></div>, depending if we want to remove funny-looking attributes (I think we want to keep them).

Actual: <div y="hello"></div>

Proposed resolution

Always parse the complete attribute name. Then decide whether to keep the attribute or not.
(I think in general we just keep it)

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Active

Version

11.0 🔥

Component

Last updated about 14 hours ago

Maintained by
🇺🇸United States @effulgentsia
🇬🇧United Kingdom @catch
🇬🇧United Kingdom @alexpott
🇦🇺Australia @larowlan
🇺🇸United States @bnjmnm
🇫🇷France @nod_
🇪🇸Spain @ckrina
🇬🇧United Kingdom @justafish

Created by

🇩🇪Germany donquixote

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!4322Xss::filter() damages attribute names with unconventional chars
Open
🇩🇪Germany donquixote
updated about 15 hours ago

Comments & Activities

Issue created by @donquixote
Merge request !4322Issue #3372586: Xss::filter() damages attribute names with unconventional chars → (Open) created by donquixote
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update almost 2 years ago
Custom Commands Failed
Comment almost 2 years ago →
🇩🇪Germany donquixote
The merge requests only adds underscore support and nothing else.
And only if the underscore is not the first character in the attribute name.
Please do _not_ merge it as-is.
Comment almost 2 years ago →
🇩🇪Germany donquixote
Comment almost 2 years ago →
🇩🇪Germany donquixote
Comment almost 2 years ago →
🇩🇪Germany donquixote
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update almost 2 years ago
29,798 pass
First commit to issue fork.
Pipeline finished with Success
about 14 hours ago
Total: 617s
#499791
Comment about 14 hours ago →
🇫🇷France prudloff Lille
I can confirm this is still a problem.

I rebased the MR and tests are passing so I think this is ready for review.

Please do _not_ merge it as-is.

I am not sure I understand why this should not be merged.
If it is because 🐛 XSS attribute filtering is inconsistent and strips valid attributes Needs work is working on a larger solution, I still think it is useful to have this small fix in the meantime.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024