diff --git a/core/modules/editor/src/EditorXssFilter/Standard.php b/core/modules/editor/src/EditorXssFilter/Standard.php index c746dd3..e79ca19 100644 --- a/core/modules/editor/src/EditorXssFilter/Standard.php +++ b/core/modules/editor/src/EditorXssFilter/Standard.php @@ -105,9 +105,9 @@ protected static function filterXssDataAttributes($html) { $dom = Html::load($html); $xpath = new \DOMXPath($dom); foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) { - // Decode, filter, encode. - $value = String::decodeEntities($node->value); - $value = Xss::filterAdmin($value); + // Decode, filter, encode. There is no need to explicitly decode + // $node->value, since DOMAttr holds the decoded value. + $value = Xss::filterAdmin($node->value); $node->value = SafeMarkup::checkPlain($value); } $html = Html::serialize($dom); diff --git a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php index 07aac20..a379c6f 100644 --- a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php +++ b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php @@ -515,7 +515,7 @@ public function providerTestFilterXss() { // Test XSS filtering on data-attributes. // @see \Drupal\editor\EditorXssFilter::filterXssDataAttributes() $data[] = array('', ''); - $data[] = array('', ''); + $data[] = array('', ''); $data[] = array('', ''); return $data;