diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php index 7a06e124e6c4..9081fae3fe21 100644 --- a/core/lib/Drupal/Component/Utility/Xss.php +++ b/core/lib/Drupal/Component/Utility/Xss.php @@ -192,6 +192,7 @@ class Xss { $mode = 0; $attribute_name = ''; $skip = FALSE; + $skip_protocol_filtering = FALSE; while (strlen($attributes) != 0) { // Was the last operation successful? @@ -203,6 +204,20 @@ class Xss { if (preg_match('/^([-a-zA-Z]+)/', $attributes, $match)) { $attribute_name = strtolower($match[1]); $skip = ($attribute_name == 'style' || substr($attribute_name, 0, 2) == 'on'); + + // Values for attributes of type URI should be filtered for + // potentially malicious protocols (for example, an href-attribute + // starting with "javascript:"). However, for some non-URI + // attributes performing this filtering causes valid and safe data + // to be mangled. We prevent this by skipping protocol filtering on + // such attributes. + // @see \Drupal\Component\Utility\UrlHelper::filterBadProtocol() + // @see http://www.w3.org/TR/html4/index/attributes.html + $skip_protocol_filtering = substr($attribute_name, 0, 5) === 'data-' || in_array($attribute_name, array( + 'title', + 'alt', + )); + $working = $mode = 1; $attributes = preg_replace('/^[-a-zA-Z]+/', '', $attributes); } @@ -228,7 +243,7 @@ class Xss { case 2: // Attribute value, a URL after href= for instance. if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) { - $thisval = UrlHelper::filterBadProtocol($match[1]); + $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); if (!$skip) { $attributes_array[] = "$attribute_name=\"$thisval\""; @@ -240,7 +255,7 @@ class Xss { } if (preg_match("/^'([^']*)'(\s+|$)/", $attributes, $match)) { - $thisval = UrlHelper::filterBadProtocol($match[1]); + $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); if (!$skip) { $attributes_array[] = "$attribute_name='$thisval'"; @@ -251,7 +266,7 @@ class Xss { } if (preg_match("%^([^\s\"']+)(\s+|$)%", $attributes, $match)) { - $thisval = UrlHelper::filterBadProtocol($match[1]); + $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); if (!$skip) { $attributes_array[] = "$attribute_name=\"$thisval\""; diff --git a/core/modules/editor/src/EditorXssFilter/Standard.php b/core/modules/editor/src/EditorXssFilter/Standard.php index b34e3496bafa..43ef797684ac 100644 --- a/core/modules/editor/src/EditorXssFilter/Standard.php +++ b/core/modules/editor/src/EditorXssFilter/Standard.php @@ -7,7 +7,9 @@ namespace Drupal\editor\EditorXssFilter; +use Drupal\Component\Utility\Html; use Drupal\Component\Utility\Xss; +use Drupal\Component\Utility\SafeMarkup; use Drupal\filter\FilterFormatInterface; use Drupal\editor\EditorXssFilterInterface; @@ -85,7 +87,39 @@ class Standard extends Xss implements EditorXssFilterInterface { // Also blacklist tags that are explicitly forbidden in either text format. $blacklisted_tags = array_merge($blacklisted_tags, $forbidden_tags); - return static::filter($html, $blacklisted_tags); + $output = static::filter($html, $blacklisted_tags); + + // Since data-attributes can contain encoded HTML markup that could be + // decoded and interpreted by editors, we need to apply XSS filtering to + // their contents. + return static::filterXssDataAttributes($output); + } + + /** + * Applies a very permissive XSS/HTML filter to data-attributes. + * + * @param string $html + * The string to apply the data-attributes filtering to. + * + * @return string + * The filtered string. + */ + protected static function filterXssDataAttributes($html) { + if (stristr($html, 'data-') !== FALSE) { + $dom = Html::load($html); + $xpath = new \DOMXPath($dom); + foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) { + // The data-attributes contain an HTML-encoded value, so we need to + // decode the value, apply XSS filtering and then re-save as encoded + // value. There is no need to explicitly decode $node->value, since the + // DOMAttr::value getter returns the decoded value. + $value = Xss::filterAdmin($node->value); + $node->value = SafeMarkup::checkPlain($value); + } + $html = Html::serialize($dom); + } + + return $html; } diff --git a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php index ee25b00636e3..13c831129d81 100644 --- a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php +++ b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php @@ -512,6 +512,17 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*'); // sites, it only forbids linking to any protocols other than those that are // whitelisted. + // Test XSS filtering on data-attributes. + // @see \Drupal\editor\EditorXssFilter::filterXssDataAttributes() + + // The following two test cases verify that XSS attack vectors are filtered. + $data[] = array('', ''); + $data[] = array('', ''); + + // When including HTML-tags as visible content, they are double-escaped. + // This test case ensures that we leave that content unchanged. + $data[] = array('', ''); + return $data; } diff --git a/core/modules/filter/src/Tests/FilterUnitTest.php b/core/modules/filter/src/Tests/FilterUnitTest.php index 87eb773e3bee..d2b515b95789 100644 --- a/core/modules/filter/src/Tests/FilterUnitTest.php +++ b/core/modules/filter/src/Tests/FilterUnitTest.php @@ -9,6 +9,8 @@ namespace Drupal\filter\Tests; use Drupal\Component\Utility\Html; use Drupal\Component\Utility\SafeMarkup; +use Drupal\editor\EditorXssFilter\Standard; +use Drupal\filter\Entity\FilterFormat; use Drupal\filter\FilterPluginCollection; use Drupal\simpletest\KernelTestBase; @@ -176,6 +178,74 @@ class FilterUnitTest extends KernelTestBase { $output = $test($input); $this->assertIdentical($expected, $output->getProcessedText()); $this->assertIdentical($attached_library, $output->getAssets()); + + // So far we've tested that the caption filter works correctly. But we also + // want to make sure that it works well in tandem with the "Limit allowed + // HTML tags" filter, which it is typically used with. + $html_filter = $this->filters['filter_html']; + $html_filter->setConfiguration(array( + 'settings' => array( + 'allowed_html' => '', + 'filter_html_help' => 1, + 'filter_html_nofollow' => 0, + ) + )); + $test_with_html_filter = function ($input) use ($filter, $html_filter) { + // 1. Apply HTML filter's processing step. + $output = $html_filter->process($input, 'und'); + // 2. Apply caption filter's processing step. + $output = $filter->process($output, 'und'); + return $output->getProcessedText(); + }; + // Editor XSS filter. + $test_editor_xss_filter = function ($input) { + $dummy_filter_format = FilterFormat::create(); + return Standard::filterXss($input, $dummy_filter_format); + }; + + // All the tricky cases encountered at https://drupal.org/node/2105841. + // A plain URL preceded by text. + $input = ''; + $expected = '
See http://drupal.org
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $this->assertIdentical($input, $test_editor_xss_filter($input)); + + // An anchor. + $input = ''; + $expected = '
This is a quick test…
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $this->assertIdentical($input, $test_editor_xss_filter($input)); + + // A plain URL surrounded by parentheses. + $input = ''; + $expected = '
(http://drupal.org)
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $this->assertIdentical($input, $test_editor_xss_filter($input)); + + // A source being credited. + $input = ''; + $expected = '
Source: Wikipedia
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $this->assertIdentical($input, $test_editor_xss_filter($input)); + + // A source being credited, without a space after the colon. + $input = ''; + $expected = '
Source:Wikipedia
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $this->assertIdentical($input, $test_editor_xss_filter($input)); + + // A pretty crazy edge case where we have two colons. + $input = ''; + $expected = '
Interesting (Scope resolution operator ::)
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $this->assertIdentical($input, $test_editor_xss_filter($input)); + + // An evil anchor (to ensure XSS filtering is applied to the caption also). + $input = ''; + $expected = '
This is an evil test…
'; + $this->assertIdentical($expected, $test_with_html_filter($input)); + $expected_xss_filtered = ''; + $this->assertIdentical($expected_xss_filtered, $test_editor_xss_filter($input)); } /** diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php index 1ffdfe0de6ea..e704538bf0b4 100644 --- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php +++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php @@ -488,6 +488,37 @@ class XssTest extends UnitTestCase { $this->assertTrue(stripos($value, 'assertEquals($expected, $value, $message); + } + + /** + * Data provider for testFilterXssAdminNotNormalized(). + */ + public function providerTestAttributes() { + return array( + array( + 'Example: alt', + 'Example: alt', + 'Image tag with alt and title attribute', + array('img') + ), + array( + '', + '', + 'Image tag with data attribute', + array('img') + ), + ); + } + /** * Checks that \Drupal\Component\Utility\Xss::filterAdmin() correctly strips unallowed tags. */