diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php
index 2078e4b..468b544 100644
--- a/core/lib/Drupal/Component/Utility/Xss.php
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -276,12 +276,7 @@ protected static function attributes($attributes) {
 case 2:
 // Attribute value, a URL after href= for instance.
 if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
- if (in_array($attribute_name, static::$rdfaAttributes)) {
- $thisval = ($skip_protocol_filtering || preg_match('/^[[:alnum:]]+\:[[:alnum:]]+$/', $match[1])) ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
- }
- else {
- $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
- }
+ $thisval = $skip_protocol_filtering ? $match[1] : static::filterProtocol($attribute_name, $match[1]);
 if (!$skip) {
 $attributes_array[] = "$attribute_name=\"$thisval\"";
@@ -293,12 +288,7 @@ protected static function attributes($attributes) {
 }
 if (preg_match("/^'([^']*)'(\s+|$)/", $attributes, $match)) {
- if (in_array($attribute_name, static::$rdfaAttributes)) {
- $thisval = ($skip_protocol_filtering || preg_match('/^[[:alnum:]]+\:[[:alnum:]]+$/', $match[1])) ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
- }
- else {
- $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
- }
+ $thisval = $skip_protocol_filtering ? $match[1] : static::filterProtocol($attribute_name, $match[1]);
 if (!$skip) {
 $attributes_array[] = "$attribute_name='$thisval'";
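Review bot: The `$skip_protocol_filtering ? $match[1] : static::filterProtocol($attribute_name, $match[1])` ternary is still repeated verbatim in all three quoting branches (this hunk and the two that follow), so the decision of when protocol filtering is bypassed remains spread over three call sites. Passing the flag into the helper, e.g. `$thisval = static::filterProtocol($attribute_name, $match[1], $skip_protocol_filtering);`, would leave one place that decides whether a value is filtered at all. The `attributes()` method starts and ends outside this hunk.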
@@ -309,12 +299,7 @@ protected static function attributes($attributes) {
 }
 if (preg_match("%^([^\s\"']+)(\s+|$)%", $attributes, $match)) {
- if (in_array($attribute_name, static::$rdfaAttributes)) {
- $thisval = ($skip_protocol_filtering || preg_match('/^[[:alnum:]]+\:[[:alnum:]]+$/', $match[1])) ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
- }
- else {
- $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
- }
+ $thisval = $skip_protocol_filtering ? $match[1] : static::filterProtocol($attribute_name, $match[1]);
 if (!$skip) {
 $attributes_array[] = "$attribute_name=\"$thisval\"";
@@ -350,6 +335,28 @@ protected static function attributes($attributes) {
 }
 /**
+ * Strips bad protocols from attribute values.
+ *
+ * @param string $name
+ * The attribute name.
+ * @param string $value
+ * The attribute value.
+ *
+ * @return string
+ * The attribute value, stripped of any bad protocols.
+ */
+ protected static function filterProtocol($name, $value) {
+ // If the value matches the typical namespace:value pattern used in RDFa,
+ // return it directly. Otherwise, filter it.
+ if (in_array($name, static::$rdfaAttributes)) {
+ return preg_match('/^[[:alnum:]]+\:[[:alnum:]]+$/', $value) ? $value : UrlHelper::filterBadProtocol($value);
+ }
+ else {
+ return UrlHelper::filterBadProtocol($value);
+ }
+ }
+
+ /**
 * Whether this element needs to be removed altogether.
 *
 * @param $html_tags
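Review bot: The RDFa fast path in `filterProtocol()` returns any value of the form `prefix:suffix` untouched, and `javascript:alert` matches that pattern, so the shortcut is only safe while no attribute listed in `static::$rdfaAttributes` is one a browser treats as a URL; that list is not in this hunk, and the behaviour is carried over from the removed branches rather than introduced here, but the new docblock is the right place to pin the invariant, e.g. `* Values matching namespace:value (including "javascript:alert") bypass protocol filtering; this relies on $rdfaAttributes containing no URL-bearing attributes.` The pattern's `$` also matches before a trailing newline, which a quoted attribute value captured by `([^"]*)` can contain, so `'/^[[:alnum:]]+:[[:alnum:]]+$/D'` (or `\z` in place of `$`) would make the match as strict as the comment implies. Minor: `in_array($name, static::$rdfaAttributes, TRUE)` and dropping the `else` after the `return` would match the usual strict-comparison and early-return style.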