commit 0cddc100441d1171557d8b2249c73c347a4ab273
Author: Lee Rowlands
Date: Tue May 26 07:47:18 2015 +1000
p248
diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index 7af553b..709339b 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -49,9 +49,9 @@ public function getInfo() {
 * This callback does not perform sanitization. Despite the result of this
 * pre-render callback being a #markup element, it is not passed through
 * \Drupal\Component\Utility\Xss::filterAdmin(). This is because it is marked
- * safe here, which causes \Drupal\Component\Utility\SafeMarkup::checkAdminXss()
- * to regard it as safe and bypass the call to
- * \Drupal\Component\Utility\Xss::filterAdmin().
+ * safe here, which causes
+ * \Drupal\Component\Utility\SafeMarkup::checkAdminXss() to regard it as safe
+ * and bypass the call to \Drupal\Component\Utility\Xss::filterAdmin().
 *
 * @param array $element
 * An associative array containing:
diff --git a/core/modules/filter/src/Element/ProcessedText.php b/core/modules/filter/src/Element/ProcessedText.php
index 51c8b83..4f75f41 100644
--- a/core/modules/filter/src/Element/ProcessedText.php
+++ b/core/modules/filter/src/Element/ProcessedText.php
@@ -111,19 +111,35 @@ public static function preRenderText($element) {
 // Perform filtering.
 $metadata = BubbleableMetadata::createFromRenderArray($element);
+ // Track if any of the filters apply HTML restrictions.
+ $html_restricted = FALSE;
 foreach ($filters as $filter) {
 if ($filter_must_be_applied($filter)) {
 $result = $filter->process($text, $langcode);
+ // Keep track if HTML restrictions have been applied.
+ $html_restricted = $html_restricted || (bool) $filter->getHTMLRestrictions();
 $metadata = $metadata->merge($result);
 $text = $result->getProcessedText();
 }
 }
 // Filtering and sanitizing have been done in
- // \Drupal\filter\Plugin\FilterInterface. Store the content in #markup,
+ // \Drupal\filter\Plugin\FilterInterface::process(). Each applicable filter
+ // has been applied in turn. Store the content in #markup,
 // set the updated bubbleable rendering metadata, and set the text format's
- // cache tag.
- $element['#markup'] = SafeMarkup::set($text);
+ // cache tag, but only mark the result as safe if at least one of the
+ // filters have applied HTML restrictions.
+ if ($html_restricted) {
+ $element['#markup'] = SafeMarkup::set($text);
+ }
+ else {
+ // None of the filters applied to the text indicated that HTML
+ // restrictions have been applied. To prevent marking an unsafe string as
+ // safe, we err on the side of caution - the renderer will run the given
+ // text through \Drupal\Component\Utility\Xss::filterAdmin() and strip
+ // dangerous tags.
+ $element['#markup'] = $text;
+ }
 $metadata->applyTo($element);
 $element['#cache']['tags'] = Cache::mergeTags($element['#cache']['tags'], $format->getCacheTags());
diff --git a/core/modules/views/src/Tests/Handler/AreaTest.php b/core/modules/views/src/Tests/Handler/AreaTest.php
index b19dba2..cc9de83 100644
--- a/core/modules/views/src/Tests/Handler/AreaTest.php
+++ b/core/modules/views/src/Tests/Handler/AreaTest.php
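Review bot: `$html_restricted` only records that some applicable filter declares HTML restrictions, not that the restricting filter ran last; once it is TRUE, `SafeMarkup::set($text)` is applied to the final `$text` even if a filter later in `$filters` rewrote it after the restriction was enforced, and `(bool) $filter->getHTMLRestrictions()` is no longer evaluated for those later filters because `||` short-circuits. If the filter pipeline is meant to guarantee that restricting filters run after any filter that can emit markup, the comment above `if ($html_restricted)` should say so explicitly, e.g. `// Assumes filters declaring HTML restrictions run after any filter that can emit markup; later filters are not re-checked here.` A regression test that pairs a restricting filter with a later markup-emitting one would pin that assumption. Also, the comment text reads "at least one of the filters have applied" where "has applied" is meant. preRenderText() begins before and ends after this hunk, so where `$filters` and `$filter_must_be_applied` come from is not visible here.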
@@ -112,6 +112,7 @@ public function testRenderArea() {
 $this->assertTrue(strpos($output, Xss::filterAdmin($header_string)) !== FALSE, 'Views header exists in the output and is sanitized');
 $this->assertTrue(strpos($output, Xss::filterAdmin($footer_string)) !== FALSE, 'Views footer exists in the output and is sanitized');
 $this->assertTrue(strpos($output, Xss::filterAdmin($empty_string)) !== FALSE, 'Views empty exists in the output and is sanitized');
+ $this->assertTrue(strpos($output, '