Issue #2609928 by micropat, cilefen, Cottser, chx: Xss::attributes() mangles valid attribute names containing numbers

2015-11-24 14:22:36 +00:00 · 2015-11-24 14:22:36 +00:00 · ea1ec54be1
parent df11e497c5
commit ea1ec54be1
2 changed files with 8 additions and 2 deletions
--- a/core/lib/Drupal/Component/Utility/Xss.php
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@ -215,7 +215,7 @@ class Xss {
      switch ($mode) {
        case 0:
          // Attribute name, href for instance.
-          if (preg_match('/^([-a-zA-Z]+)/', $attributes, $match)) {
+          if (preg_match('/^([-a-zA-Z][-a-zA-Z0-9]*)/', $attributes, $match)) {
            $attribute_name = strtolower($match[1]);
            $skip = ($attribute_name == 'style' || substr($attribute_name, 0, 2) == 'on');

@ -233,7 +233,7 @@ class Xss {
            ));

            $working = $mode = 1;
-            $attributes = preg_replace('/^[-a-zA-Z]+/', '', $attributes);
+            $attributes = preg_replace('/^[-a-zA-Z][-a-zA-Z0-9]*/', '', $attributes);
          }
          break;

--- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
@ -516,6 +516,12 @@ class XssTest extends UnitTestCase {
        'Image tag with data attribute',
        array('img')
      ),
+      array(
+        '<a data-a2a-url="foo"></a>',
+        '<a data-a2a-url="foo"></a>',
+        'Link tag with numeric data attribute',
+        array('a')
+      ),
    );
  }