diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php index 8d0d257..4114ed9 100644 --- a/core/lib/Drupal/Component/Utility/Xss.php +++ b/core/lib/Drupal/Component/Utility/Xss.php @@ -22,6 +22,15 @@ class Xss { protected static $adminTags = array('a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'tt', 'u', 'ul', 'var', 'wbr'); /** + * The list of html tags to allow for a given filter operation. + * + * @var array + * + * @see \Drupal\Component\Utility\Xss::split() + */ + protected static $allowedTags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'); + + /** * Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities. * * Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. @@ -55,7 +64,7 @@ public static function filter($string, $allowed_tags = array('a', 'em', 'strong' return ''; } // Store the text format. - static::split($allowed_tags, TRUE); + static::$allowedTags = $allowed_tags; // Remove NULL characters (ignored by some browsers). $string = str_replace(chr(0), '', $string); // Remove Netscape 4 JS entities. @@ -107,26 +116,14 @@ public static function filterAdmin($string) { * Processes an HTML tag. * * @param array $matches - * An array with various meaning depending on the value of $store. - * If $store is TRUE then the array contains the allowed tags. - * If $store is FALSE then the array has one element, the HTML tag to process. - * @param bool $store - * Whether to store $m. + * An array containing a single HTML tag to process. * * @return string * If the element isn't allowed, an empty string. Otherwise, the cleaned up * version of the HTML element. */ - protected static function split($matches, $store = FALSE) { - static $allowed_html; - - if ($store) { - $allowed_html = array_flip($matches); - return; - } - - $string = $matches[1]; - + protected static function split(array $matches) { + $string = $matches[0]; if (substr($string, 0, 1) != '<') { // We matched a lone ">" character. return '>'; @@ -150,7 +147,7 @@ protected static function split($matches, $store = FALSE) { $elem = '!--'; } - if (!isset($allowed_html[strtolower($elem)])) { + if (!isset(static::$allowedTags[strtolower($elem)])) { // Disallowed HTML element. return ''; }