Issue #2315255 by Dave Reid, Devin Carlson: Allow custom HTML tags with a dash in the name to pass through filter_xss() when specified in the list of allowed tags

CHANGELOG.txt

@@ -1,6 +1,8 @@
 
 Drupal 7.37, xxxx-xx-xx (development version)
 -----------------------
+- Allowed custom HTML tags with a dash in the name to pass through filter_xss()
+  when specified in the list of allowed tags.
 - Allowed hook_field_schema() implementations to specify indexes for fields
   based on a fixed-length column prefix (rather than the entire column), as was
   already allowed in hook_schema() implementations.

includes/common.inc

@@ -1522,7 +1522,7 @@ function _filter_xss_split($m, $store = FALSE) {
     return '<';
   }
 
-  if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
+  if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9\-]+)([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
     // Seriously malformed.
     return '';
   }

modules/filter/filter.test

@@ -1148,7 +1148,7 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
     // Setup dummy filter object.
     $filter = new stdClass();
     $filter->settings = array(
-      'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>',
+      'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <test-element>',
       'filter_html_help' => 1,
       'filter_html_nofollow' => 0,
     );
@@ -1184,6 +1184,10 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
 
     $f = _filter_html('<code onerror>&nbsp;</code>', $filter);
     $this->assertNoNormalized($f, 'onerror', 'HTML filter should remove empty on* attributes on default.');
+
+    // Custom tags are supported and should be allowed through.
+    $f = _filter_html('<test-element></test-element>', $filter);
+    $this->assertNormalized($f, 'test-element', 'HTML filter should allow custom elements.');
   }
 
   /**