Commit
Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/blacklist in \Drupal\Component\Utility\Xss and its test and core/lib/Drupal/Core/Render/theme.api.php

(cherry picked from commit 7430b47266be2dd2a9239a1e084780a0dc6136b0)
alexpott committed Jun 22, 2020
1 parent 3fc06c7 commit d116897
Showing 2 changed files with 8 additions and 6 deletions.
8 changes: 5 additions & 3 deletions lib/Drupal/Component/Utility/Xss.php
Expand Up @@ -70,7 +70,7 @@ public static function filter($string, array $html_tags = NULL) {

// Defuse all HTML entities.
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist:
// Change back only well-formed entities in our list of allowed html tags:
// Decimal numeric entities.
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities.
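Review bot: the replacement comment on the `// Change back only well-formed entities in our list of allowed html tags:` line now describes the wrong thing: the code it introduces re-enables well-formed entities (decimal numeric, hexadecimal numeric, and the named entities that follow), not tags, so `$html_tags` is not what is being consulted here. Something like `// Change back only well-formed entities that we allow:` keeps the original meaning without the whitelist wording. Separately, the context line `$string = str_replace('&', '&', $string);` reads as a no-op in this rendering; the preceding comment "Defuse all HTML entities" only makes sense if the second argument is the encoded ampersand, so it is worth confirming the entity was merely decoded by the page view and not changed in the file. Also prefer "HTML" over "html" to match "Defuse all HTML entities" two lines up.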
Expand All @@ -83,7 +83,7 @@ public static function filter($string, array $html_tags = NULL) {
$splitter = function ($matches) use ($html_tags, $class) {
return $class::split($matches[1], $html_tags, $class);
};
// Strip any tags that are not in the whitelist.
// Strip any tags that are not in the list of allowed html tags.
return preg_replace_callback('%
(
<(?=[^a-zA-Z!/]) # a lone <
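Review bot: the new comment `// Strip any tags that are not in the list of allowed html tags.` is tautological and, given the change in the third hunk that lets `$html_tags` act as either an allowed or a denied list, no longer accurate for the denied-list case. Suggest `// Strip any tags that ::needsRemoval() says must go, based on $html_tags.` or simply `// Strip any tags not permitted by $html_tags.`, and capitalise "HTML" as elsewhere in the file.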
Expand Down Expand Up @@ -161,7 +161,9 @@ protected static function split($string, $html_tags, $class) {
$elem = '!--';
}

// When in whitelist mode, an element is disallowed when not listed.
// Defer to the ::needsRemoval() method to decide if the element is to be
// removed. This allows the list of tags to be treated as either a list of
// allowed tags or a list of denied tags.
if ($class::needsRemoval($html_tags, $elem)) {
return '';
}
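Review bot: the replacement comment above `if ($class::needsRemoval($html_tags, $elem))` introduces a second mode ("a list of denied tags") but nothing in this hunk shows how a caller or subclass selects it; the `filter()` signature in the earlier hunks only takes `array $html_tags = NULL`. Make sure the `::needsRemoval()` docblock states that the default treats `$html_tags` as allowed tags and names the override that treats it as denied tags, otherwise this comment points at behaviour the reader cannot locate. Minor wording: "to decide if the element is to be removed" reads better as "to decide whether the element should be removed".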
6 changes: 3 additions & 3 deletions lib/Drupal/Core/Render/theme.api.php
Expand Up @@ -274,9 +274,9 @@
* vectors while allowing a permissive list of HTML tags that are not XSS
* vectors. (For example, <script> and <style> are not allowed.) See
* \Drupal\Component\Utility\Xss::$adminTags for the list of allowed tags. If
* your markup needs any of the tags not in this whitelist, then you can
* implement a theme hook and/or an asset library. Alternatively, you can use
* the key #allowed_tags to alter which tags are filtered.
* your markup needs any of the tags not in this list, then you can implement
* a theme hook and/or an asset library. Alternatively, you can use the key
* #allowed_tags to alter which tags are filtered.
* - #plain_text: Specifies that the array provides text that needs to be
* escaped. This value takes precedence over #markup.
* - #allowed_tags: If #markup is supplied, this can be used to change which
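Review bot: in the reflowed sentence `* your markup needs any of the tags not in this list, then you can implement`, "this list" is now ambiguous because the same paragraph refers to two lists, `\Drupal\Component\Utility\Xss::$adminTags` and `#allowed_tags`. Since the old text said "whitelist", the intended antecedent is `Xss::$adminTags`; writing "not in Xss::$adminTags" (or "not in that list of allowed tags") removes the doubt at no cost to line length.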

0 comments on commit d116897