Contrib.social

Rework XSS filtering implementation for more use cases

Open on Drupal.org →
Created on 23 September 2024, 6 months ago

Problem/Motivation

As of this writing we run the "replacement text" through Drupal's Xss::filterAdmin().

The problem is that this prevents legitimate use cases such as replacements that look like <$1> or <$1 $2>. The first example would end up as &lt;$1&gt; and end up breaking pasted content in usual ways.

Steps to reproduce

1. Install the CKEditor 5 Paste Filter module
2. Add or edit a text format (/admin/config/content/formats)
3. Set the Text editor of the text format to CKEditor 5
4. Under CKEditor 5 plugin settings select the Paste filter vertical tab
5. Enable the plugin by checking the Filter pasted content checkbox
6. (optional) Customize the filters if needed. If you are customizing the filters, please provide details below.
7. Save the text format: Scroll to the bottom and click Save configuration
8. Add a new node using the configured text format (/node/add)
9. Paste the rich content into the editor

Search expression: <(strong|em) class="remove">
Replacement: <$1>

Proposed resolution

Rework XSS implementation to selectively strip tags rather than selectively allow.

List to block:

  • script
  • iframe
  • style
  • link
  • meta
  • html
  • head
  • body

Remaining tasks

TBD

User interface changes

None

API changes

TBD, should be none

Data model changes

None

📌 Task
Status

Active

Version

1.0

Component

Code

Created by

🇨🇦Canada star-szr

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @star-szr
  • Comment 6 months ago
    🇨🇦Canada star-szr
  • Comment about 1 month ago
    🇨🇦Canada star-szr

    I found Drupal\editor\EditorXssFilter\Standard::filterXss() and was hoping that would solve this use case, but unfortunately it does not.

    I'm reluctant to roll our own XSS filtering for this use case, in part because it still wouldn't be bulletproof. For example:

    Search expression: <(em)>.*(bed).*<\/em>
    Replacement: <$1$2>
    Content: <em>go to bed</em>
    Result: <embed>

    I think we have two main options:

    1. Keep XSS filtering and document this as a known limitation (we could also switch filtering to use Standard::filterXss())
    2. Remove XSS filtering to allow for more use cases and acknowledge that there are many ways that security can go wrong when it comes to configuring text filters and formats beyond the scope of this module.

    I need to examine the bigger picture more to see if there are other protections/mitigations that might allow us to justify removing XSS filtering the replacement text.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024