core/modules/filter/filter.module | 75 ++++---------------- .../lib/Drupal/filter/Tests/FilterAPITest.php | 14 ++-- .../lib/Drupal/filter/Tests/FilterSecurityTest.php | 6 +- 3 files changed, 22 insertions(+), 73 deletions(-) diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module index e83ad1c..c6e0ac8 100644 --- a/core/modules/filter/filter.module +++ b/core/modules/filter/filter.module @@ -7,78 +7,27 @@ use Drupal\Core\Cache\CacheBackendInterface; use Drupal\Core\Template\Attribute; - - - /** * HTML generator filters -- MUST generate HTML. - * - * Formats using filters of this type may not be able to use WYSIWYG editors. - * - * WYSIWYG use case: ability to detect non-HTML formats, such as Markdown, where - * no WYSIWYG editor should be used because it would be impossible to go back to - * the original text format. */ const FILTER_TYPE_HTML_GENERATOR = 0; /** - * Security filters -- strip HTML tags that the user MAY NOT use. - * - * WYSIWYG use case: all filters of this type MUST be applied, the user MAY NOT - * be presented processed text without all filters of this type. Security - * exploits might otherwise occur. + * HTML tag restricting filters. */ -const FILTER_TYPE_SECURITY = 1; +const FILTER_TYPE_HTML_TAG_RESTRICTOR = 1; /** - * DOM transformation filters -- DOM-based, reliably reversible transformations. - * - * Filters SHOULD NOT use regular expressions when they can use DOM manipulation - * instead. This makes filters as robust as possible. - * - * WYSIWYG use case: these filters MUST NOT be applied when feeding a piece of - * text into the WYSIWYG editor. Instead, they MAY be re-implemented in - * JavaScript for each supported WYSIWYG editor. - * E.g. `` may be (reversibly!) transformed to - * `
Druplicon
`. + * Reversible transformation filters. */ -const FILTER_TYPE_TRANSFORM_DOM = 2; +const FILTER_TYPE_TRANSFORM_REVERSIBLE = 2; /** - * Text transformation filters -- text-based, irreversible transformations. - * - * WYSIWYG use case: these filters MUST NOT be applied when feeding a piece of - * text into the WYSIWYG editor. Furthermore, they MUST NOT be re-implemented - * in JavaScript. - * E.g.: the Typogrify filter would transform `WYSIWYG` and `I said "foo"!` into - * `WYSIWYG` and `I said “foo”!`, respectively. Text - * link ad systems would transform `fancy car` into something like - * `fancy car`. Neither of those text-based - * transformations make sense when doing WYSIWYG editing, nor is it possible to - * reliably reverse them. + * Irreversible transformation filters. */ const FILTER_TYPE_TRANSFORM_TEXT = 3; /** - * All of the above implies: - * - if a format uses >=1 filters of type FILTER_TYPE_HTML_GENERATOR, no WYSIWYG - * editor can be used. - * - if a format uses >=1 filters of type FILTER_TYPE_SECURITY, and a user saves - * modified text through his WYSIWYG editor, any disallowed tags will be lost. - * This seems like a minor annoyance and appears acceptable. - * - if a format uses >=1 filters of type FILTER_TYPE_TRANSFORM_TEXT, these - * transformations will not be visible while editing, but will be visible when - * viewing. - * - if a format uses >=1 filters of type FILTER_TYPE_TRANSFORM_DOM, these - * transformations may not be visible while editing (it is up to the filter to - * implement support for the WYSIWYG editor, by re-implementing the filtering - * in JavaScript), but will be visible when viewing. - */ - - - - -/** * Implements hook_cache_flush(). */ function filter_cache_flush() { 
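Review bot: The replacement docblock for `FILTER_TYPE_HTML_TAG_RESTRICTOR` ("HTML tag restricting filters.") drops the only statement of the security contract that the old `FILTER_TYPE_SECURITY` comment carried: filters of this type must always be applied, and showing processed text without them can lead to exploits. check_markup() still refuses to skip this type, so I would keep that guarantee next to the constant, e.g. `* Filters of this type are never skipped by check_markup(); they are the format's security filters.` The old names `FILTER_TYPE_SECURITY` and `FILTER_TYPE_TRANSFORM_DOM` are also removed with no alias visible in this hunk. Any filter definition outside these three files that still uses the old name would presumably stop resolving to the unskippable value, which is worth confirming before merge.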
@@ -916,8 +865,8 @@ function filter_list_format($format_id) {
 * @param array $filter_types_to_skip
 * An array of filter types to skip, or the empty array (default) to skip no
 * filter types. All of the format's filters will be applied, except for
- * filters of the types that are marked to be skipped. FILTER_TYPE_SECURITY is
- * the only type that cannot be skipped.
+ * filters of the types that are marked to be skipped.
+ * FILTER_TYPE_HTML_TAG_RESTRICTOR is the only type that cannot be skipped.
 *
 * @return
 * The filtered text.
@@ -934,9 +883,9 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE,
 return '';
 }
 
- // Prevent FILTER_TYPE_SECURITY from being skipped.
- if (in_array(FILTER_TYPE_SECURITY, $filter_types_to_skip)) {
- $filter_types_to_skip = array_diff($filter_types_to_skip, array(FILTER_TYPE_SECURITY));
+ // Prevent FILTER_TYPE_HTML_TAG_RESTRICTOR from being skipped.
+ if (in_array(FILTER_TYPE_HTML_TAG_RESTRICTOR, $filter_types_to_skip)) {
+ $filter_types_to_skip = array_diff($filter_types_to_skip, array(FILTER_TYPE_HTML_TAG_RESTRICTOR));
 }
 
 // When certain filters should be skipped, don't perform caching.
@@ -1402,7 +1351,7 @@ function theme_filter_guidelines($variables) {
 function filter_filter_info() {
 $filters['filter_html'] = array(
 'title' => t('Limit allowed HTML tags'),
- 'type' => FILTER_TYPE_SECURITY,
+ 'type' => FILTER_TYPE_HTML_TAG_RESTRICTOR,
 'process callback' => '_filter_html',
 'settings callback' => '_filter_html_settings',
 'allowed tags callback' => '_filter_html_allowed_tags',
@@ -1432,7 +1381,7 @@ function filter_filter_info() {
 );
 $filters['filter_htmlcorrector'] = array(
 'title' => t('Correct faulty and chopped off HTML'),
- 'type' => FILTER_TYPE_SECURITY,
+ 'type' => FILTER_TYPE_HTML_TAG_RESTRICTOR,
 'process callback' => '_filter_htmlcorrector',
 'weight' => 10,
 );
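Review bot: In check_markup(), the guard `in_array(FILTER_TYPE_HTML_TAG_RESTRICTOR, $filter_types_to_skip)` compares loosely while `array_diff()` compares string forms, so the two can disagree on caller-supplied values that are not the plain integer. Because this is the only visible protection keeping tag restrictors unskippable, I would drop the `in_array()` test, always run the `array_diff()`, and make sure the comparison that actually skips filters is strict. That comparison lies outside this hunk, as does the rest of check_markup(). The comment could also say why the type is protected, e.g. `// Tag restrictors are the format's security filters and must always run.`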
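Review bot: In filter_filter_info(), `filter_htmlcorrector` ('Correct faulty and chopped off HTML') is now typed `FILTER_TYPE_HTML_TAG_RESTRICTOR`, a name that does not describe what its title says it does. The same `'type'` line is changed for `filter_html` in the hunk at -1402. Under the old name the intent (always applied, for security reasons) was readable from the type, so a one-line comment above the `'type'` entry would help, e.g. `// Typed as a tag restrictor so that check_markup() never skips it.` That the corrector is meant to stay unskippable is inferred from its previous type and should be confirmed. filter_filter_info() continues outside both hunks.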
diff --git a/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php b/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php
index 1d005a7..9eac9be 100644
--- a/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php
+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php
@@ -34,7 +34,7 @@ function setUp() {
 'weight' => -1,
 'status' => 1,
 ),
- // Note that the filter_html filter is of the type FILTER_TYPE_SECURITY.
+ // Note that the filter_html filter is of the type FILTER_TYPE_HTML_TAG_RESTRICTOR.
 'filter_html' => array(
 'status' => 1,
 ),
@@ -82,9 +82,9 @@ function testCheckMarkup() {
 // Drupal core only ships with these two types of filters, so this is the
 // most extensive test possible.
 $this->assertIdentical(
- check_markup($text, 'filtered_html', '', FALSE, array(FILTER_TYPE_SECURITY, FILTER_TYPE_HTML_GENERATOR)),
+ check_markup($text, 'filtered_html', '', FALSE, array(FILTER_TYPE_HTML_TAG_RESTRICTOR, FILTER_TYPE_HTML_GENERATOR)),
 $expected_filter_text_without_html_generators,
- t('Expected filter result when skipping FILTER_TYPE_HTML_GENERATOR filters, even when trying to disable filters of the FILTER_TYPE_SECURITY type.')
+ t('Expected filter result when skipping FILTER_TYPE_HTML_GENERATOR filters, even when trying to disable filters of the FILTER_TYPE_HTML_TAG_RESTRICTOR type.')
 );
 }
 
@@ -97,7 +97,7 @@ function testFilterFormatAPI() {
 );
 $this->assertEqual(
 filter_get_filter_types_by_format('filtered_html'),
- array(FILTER_TYPE_SECURITY, FILTER_TYPE_HTML_GENERATOR),
+ array(FILTER_TYPE_HTML_TAG_RESTRICTOR, FILTER_TYPE_HTML_GENERATOR),
 t('filter_get_filter_types_by_format() works as expected for the filtered_html format.')
 );
 
@@ -109,7 +109,7 @@ function testFilterFormatAPI() {
 );
 $this->assertEqual(
 filter_get_filter_types_by_format('full_html'),
- array(FILTER_TYPE_SECURITY),
+ array(FILTER_TYPE_HTML_TAG_RESTRICTOR),
 t('filter_get_filter_types_by_format() works as expected for the full_html format.')
 );
 
@@ -118,7 +118,7 @@ function testFilterFormatAPI() {
 'format' => 'stupid_filtered_html',
 'name' => 'Stupid Filtered HTML',
 'filters' => array(
- // Note that the filter_html filter is of the type FILTER_TYPE_SECURITY.
+ // Note that the filter_html filter is of the type FILTER_TYPE_HTML_TAG_RESTRICTOR.
 'filter_html' => array(
 'status' => 1,
 'settings' => array(
@@ -136,7 +136,7 @@ function testFilterFormatAPI() {
 );
 $this->assertEqual(
 filter_get_filter_types_by_format('stupid_filtered_html'),
- array(FILTER_TYPE_SECURITY),
+ array(FILTER_TYPE_HTML_TAG_RESTRICTOR),
 t('filter_get_filter_types_by_format() works as expected for the stupid_filtered_html format.')
 );
 }
diff --git a/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php b/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php
index bb9099a..f4fc4d3 100644
--- a/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php
+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php
@@ -24,7 +24,7 @@ class FilterSecurityTest extends WebTestBase {
 public static function getInfo() {
 return array(
 'name' => 'Security',
- 'description' => 'Test the behavior of check_markup() when a filter or text format vanishes, or when check_markup() is called in such a way that it is instructed to skip all filters of the "FILTER_TYPE_SECURITY" type.',
+ 'description' => 'Test the behavior of check_markup() when a filter or text format vanishes, or when check_markup() is called in such a way that it is instructed to skip all filters of the "FILTER_TYPE_HTML_TAG_RESTRICTOR" type.',
 'group' => 'Filter',
 );
 }
@@ -40,7 +40,7 @@ function setUp() {
 'format' => 'filtered_html',
 'name' => 'Filtered HTML',
 'filters' => array(
- // Note that the filter_html filter is of the type FILTER_TYPE_SECURITY.
+ // Note that the filter_html filter is of the type FILTER_TYPE_HTML_TAG_RESTRICTOR.
 'filter_html' => array(
 'status' => 1,
 ),
@@ -97,6 +97,6 @@ function testSkipSecurityFilters() { $text = "Text with some disallowed tags: