core/modules/editor/editor.module | 4 +-
.../lib/Drupal/editor/EditorXssFilter/Standard.php | 113 ++++-
.../lib/Drupal/editor/EditorXssFilterInterface.php | 10 +
.../lib/Drupal/editor/Tests/EditorSecurityTest.php | 104 ++++-
.../editor/Tests}/EditorXssFilter/StandardTest.php | 465 ++++++++++++++++++++
5 files changed, 675 insertions(+), 21 deletions(-)
diff --git a/core/modules/editor/editor.module b/core/modules/editor/editor.module
index 0caeadb..5e1a602 100644
--- a/core/modules/editor/editor.module
+++ b/core/modules/editor/editor.module
@@ -438,7 +438,7 @@ function editor_filter_xss($html, FilterFormatInterface $format, FilterFormatInt
// e.g.: an admin user creates content in Full HTML and then edits it, no text
// format switching happens; in this case, no text editor XSS filtering is
// desirable, because it would strip style attributes, amongst others.
- $current_filter_types = filter_get_filter_types_by_format($format->id());
+ $current_filter_types = $format->getFilterTypes();
if (!in_array(FILTER_TYPE_HTML_RESTRICTOR, $current_filter_types, TRUE)) {
if ($original_format === NULL) {
return FALSE;
@@ -451,7 +451,7 @@ function editor_filter_xss($html, FilterFormatInterface $format, FilterFormatInt
// used), and switches to Full HTML (for which a text editor is used). Then
// we must apply XSS filtering to protect the admin user.
else {
- $original_filter_types = filter_get_filter_types_by_format($original_format->id());
+ $original_filter_types = $original_format->getFilterTypes();
if (!in_array(FILTER_TYPE_HTML_RESTRICTOR, $original_filter_types, TRUE)) {
return FALSE;
}
diff --git a/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php b/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php
index d632ccf..3f93863 100644
--- a/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php
+++ b/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php
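Review bot: The `return FALSE` paths in both hunks — the decisions to skip text-editor XSS filtering — now rest entirely on what `$format->getFilterTypes()` and `$original_format->getFilterTypes()` report, so those methods must list the types of enabled filters only; a format whose HTML restrictor is configured but switched off would otherwise be treated as already restricted and the admin user left unprotected. The replaced `filter_get_filter_types_by_format()` call is gone from these hunks, and whether its handling of disabled filters survived the move into the format entity is not visible here, so confirm it and pin the requirement with a comment above the first `in_array()` check, `// Only enabled filters count: a disabled HTML restrictor gives no protection.` `editor_filter_xss()` begins before the first hunk and continues past the second.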
@@ -20,8 +20,117 @@ class Standard implements EditorXssFilterInterface { * {@inheritdoc} */ public static function filterXss($html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL) { - // Apply XSS filtering, but only blacklist the '; + protected static $sampleContent = '
Hello, Dumbo Octopus!
'; /** - * The secured sample content to use in all tests. + * The secured sample content to use in most tests. * * @var string */ protected static $sampleContentSecured = 'Hello, Dumbo Octopus!
alert(0)'; /** + * The secured sample content to use in tests when the