diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php index dabc66674c..e15a13e5c9 100644 --- a/core/lib/Drupal/Component/Utility/Xss.php +++ b/core/lib/Drupal/Component/Utility/Xss.php @@ -2,6 +2,8 @@ namespace Drupal\Component\Utility; +// cspell:ignore ckers kses harnhammar + /** * Provides helper to filter for cross-site scripting. * @@ -154,7 +156,7 @@ protected static function split($string, $html_tags, $class) { } $slash = trim($matches[1]); $elem = &$matches[2]; - $attrlist = &$matches[3]; + $attributes = &$matches[3]; $comment = &$matches[4]; if ($comment) { @@ -177,11 +179,11 @@ protected static function split($string, $html_tags, $class) { } // Is there a closing XHTML slash at the end of the attributes? - $attrlist = preg_replace('%(\s?)/\s*$%', '\1', $attrlist, -1, $count); + $attributes = preg_replace('%(\s?)/\s*$%', '\1', $attributes, -1, $count); $xhtml_slash = $count ? ' /' : ''; // Clean up attributes. - $attr2 = implode(' ', $class::attributes($attrlist)); + $attr2 = implode(' ', $class::attributes($attributes)); $attr2 = preg_replace('/[<>]/', '', $attr2); $attr2 = strlen($attr2) ? ' ' . $attr2 : ''; @@ -255,10 +257,10 @@ protected static function attributes($attributes) { case 2: // Attribute value, a URL after href= for instance. if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) { - $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); + $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); if (!$skip) { - $attributes_array[] = "$attribute_name=\"$thisval\""; + $attributes_array[] = "$attribute_name=\"$value\""; } $working = 1; $mode = 0; 
@@ -267,10 +269,10 @@ protected static function attributes($attributes) { } if (preg_match("/^'([^']*)'(\s+|$)/", $attributes, $match)) { - $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); + $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); if (!$skip) { - $attributes_array[] = "$attribute_name='$thisval'"; + $attributes_array[] = "$attribute_name='$value'"; } $working = 1; $mode = 0; $attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes); @@ -278,10 +280,10 @@ protected static function attributes($attributes) { } if (preg_match("%^([^\s\"']+)(\s+|$)%", $attributes, $match)) { - $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); + $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); if (!$skip) { - $attributes_array[] = "$attribute_name=\"$thisval\""; + $attributes_array[] = "$attribute_name=\"$value\""; } $working = 1; $mode = 0; $attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes); diff --git a/core/lib/Drupal/Core/Render/Element.php b/core/lib/Drupal/Core/Render/Element.php index f27304cde8..e509bd9170 100644 --- a/core/lib/Drupal/Core/Render/Element.php +++ b/core/lib/Drupal/Core/Render/Element.php 
@@ -166,9 +166,9 @@ public static function isVisibleElement($element) {
 * @param array $map
 * An associative array whose keys are element property names and whose
 * values are the HTML attribute names to set on the corresponding
- * property; e.g., array('#propertyname' => 'attributename'). If both names
- * are identical except for the leading '#', then an attribute name value is
- * sufficient and no property name needs to be specified.
+ * property; e.g., array('#property_name' => 'attribute_name'). If both
+ * names are identical except for the leading '#', then an attribute name
+ * value is sufficient and no property name needs to be specified.
 */
 public static function setAttributes(array &$element, array $map) {
 foreach ($map as $property => $attribute) {
diff --git a/core/misc/cspell/dictionary.txt b/core/misc/cspell/dictionary.txt
index e736c74219..d2c8b457f1 100644
--- a/core/misc/cspell/dictionary.txt
+++ b/core/misc/cspell/dictionary.txt
@@ -71,7 +71,6 @@ arrowstop
 arrowthick
 arrowthickstop
 arrr
-ascript
 asdf
 asdrsad
 assertable
@@ -86,8 +85,6 @@ attname
 attnum
 attrdef
 attrelid
-attributename
-attrlist
 attrval
 attrvals
 atttypid
@@ -139,7 +136,6 @@ backtraces
 bakeware
 bangpow
 barbar
-barbaz
 barchart
 barfoo
 barmm
@@ -168,7 +164,6 @@ berne
 bgblue
 bgcolor
 bgred
-bgsound
 bigpipe
 bigserial
 bikeshed
@@ -209,7 +204,6 @@ browserkit
 browsertest
 browsertestbase
 brûlée
-bscript
 bubbleable
 buildable
 buildinfo
@@ -280,7 +274,6 @@ cillum
 circlesmall
 cjds
 ckeditor
-ckers
 claro's
 classloader
 classmap
@@ -515,7 +508,6 @@ dublincoreentry
 dublincorefeed
 dublincorerendererentry
 dublincorerendererfeed
-dynsrc
 défaut
 détruire
 eacute
@@ -566,7 +558,6 @@ errrf
 eslintignore
 eslinting
 espagnol
-ession
 estraven
 etag
 etags
@@ -652,7 +643,6 @@ foobaz
 foofoo
 foomm
 foos
-fooÿñ
 formatless
 formattable
 formatter's
@@ -725,7 +715,6 @@ hardcode
 hardcodes
 hardcoding
 harkonnen
-harnhammar
 hasdata
 hasher
 hashmarks
@@ -874,7 +863,6 @@ kolkata
 kontex
 kpresenter
 kristiaan
-kses
 kspread
 kthxbai
 kword
@@ -914,7 +902,6 @@ linkification
 linksby
 lisu
 litererally
-livescript
 llamaids
 llamasarelame
 llame
@@ -978,7 +965,6 @@ membersonly
 menulist
 merhaba
 messagekey
-metacharacters
 metainformation
 metapackage
 metapackages
@@ -1028,7 +1014,6 @@ mostrar
 moutons
 moyenne
 mple
-msgbox
 msgctxt
 msgid
 msgstr
@@ -1102,7 +1087,6 @@ nbchoices
 nblocks
 ncck
 ncontent
-ncript
 ndash
 ndelay
 ndocs
@@ -1119,14 +1103,11 @@ newnode
 newstr
 newterm
 nextval
-nfocus
 nids
 nightlies
 nightwatch
 nightwatchjs
-nmedi
 nmenu
-nmouseover
 nmsgid
 nmsgstr
 nntp
@@ -1164,9 +1145,7 @@ nosniff
 nostart
 nosuchcolumn
 nosuchindex
-nosuchscheme
 nosuchtable
-nosuchtag
 notag
 notawordenglish
 notawordgerman
@@ -1175,7 +1154,6 @@ nothere
 notnull
 notsimpletest
 nourriture
-noxss
 nplurals
 npoll
 nprofile
@@ -1204,7 +1182,6 @@ onecol
 oneplusfourgrid
 onetwo
 onewidgetfield
-onmediaerror
 onoff
 opendocument
 openid
@@ -1350,14 +1327,12 @@ presave
 presentationml
 presetid
 presetname
-pression
 pretransaction
 preuninstall
 processlist
 projecta
 projectb
 proname
-propertyname
 prophesize
 prophesized
 prophesizing
@@ -1473,7 +1448,6 @@ revisioning
 revlog
 revpub
 ribisi
-ript
 ritchie
 robloach
 robo
@@ -1514,12 +1488,10 @@ schipulcon
 scorewords
 screenreader
 screenreaders
-scri
 scriptable
 scriptlet
 scrollable
 scrollbars
-scrscriptipt
 sdeeeee
 searchdirs
 searchfield
@@ -1706,7 +1678,6 @@ takeshita
 tappable
 targetdir
 tarz
-tascript
 taskless
 tatou
 tbodies
@@ -1783,7 +1754,6 @@ theseer
 theseparator
 thingie
 thirdcolumn
-thisval
 threadentry
 threadingrendererentry
 threecol
@@ -1884,7 +1854,6 @@ ungroupable
 ungrouped
 unhashed
 unhide
-unicoded
 unidecode
 unidecoder
 unindented
@@ -1979,7 +1948,6 @@ vals
 vampirize
 vancode
 varchar
-vbscript
 veeeery
 vendored
 veniam
diff --git a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
index 3744012f24..59ea5446fb 100644
--- a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php +++ b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php @@ -6,6 +6,10 @@ use Drupal\Tests\UnitTestCase; use Drupal\filter\Plugin\FilterInterface; +// cspell:ignore ascript attributename bgsound bscript ckers cript datafld +// cspell:ignore dataformatas datasrc dynsrc ession livescript msgbox nmouseover +// cspell:ignore noxss pression ript scri scriptlet unicoded vbscript + /** * @coversDefaultClass \Drupal\editor\EditorXssFilter\Standard * @group editor @@ -464,6 +468,7 @@ public function providerTestFilterXss() { // You can EMBED SVG which can contain your XSS vector. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector + // cspell:disable-next-line $data[] = ['', '']; // XML data island with CDATA obfuscation. diff --git a/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php b/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php index 920189e91c..e7dc72e5b7 100644 --- a/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php +++ b/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php @@ -33,9 +33,9 @@ public function testToString($text, $expected, $message) { */ public function providerToString() { // Checks that invalid multi-byte sequences are escaped. - $tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"']; + $tests[] = ["Foo\xC0bar", 'Foo�bar', 'Escapes invalid sequence "Foo\xC0bar"']; $tests[] = ["\xc2\"", '�"', 'Escapes invalid sequence "\xc2\""']; - $tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"']; + $tests[] = ["Foo ÿñ", "Foo ÿñ", 'Does not escape valid sequence "Foo ÿñ"']; // Checks that special characters are escaped. $script_tag = $this->prophesize(MarkupInterface::class); 
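Review bot: The fixture rewrite in providerToString() changes what the valid-sequence case exercises: `"Fooÿñ"` placed the multi-byte characters directly after ASCII bytes, while `"Foo ÿñ"` separates them with a space, so the assertion no longer covers that adjacency. The StandardTest.php hunk in this same commit keeps its payload intact and silences the spell checker with `// cspell:disable-next-line` instead; the same approach here would leave the escaping fixtures byte-identical. Proposed: restore `$tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"'];` with `// cspell:disable-next-line` on the line above it. The invalid-sequence shortening to `"Foo\xC0bar"` still places the stray lead byte before ASCII, so that change looks harmless.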
diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php index f3bc181387..eed215c898 100644 --- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php +++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php @@ -7,6 +7,10 @@ use Drupal\Component\Utility\Xss; use PHPUnit\Framework\TestCase; +// cspell:ignore ascript barbaz ckers cript CVEs dynsrc fooÿñ metacharacters +// cspell:ignore msgbox ncript nfocus nmedi nosuchscheme nosuchtag onmediaerror +// cspell:ignore scrscriptipt tascript vbscript + /** * XSS Filtering tests. *