Problem/Motivation

Replace use of whitelist/blacklist in \Drupal\Component\Utility\Xss and its test and core/lib/Drupal/Core/Render/theme.api.php

They are:

  • An historic bad labelling of people
  • Provide no context: "what is listed in them"?

Proposed resolution

TBD

Remaining tasks

User interface changes

None

API changes

@todo

Data model changes

@todo

Release notes snippet

@todo

Comments

alexpott created an issue. See original summary.

alexpott’s picture

Issue summary: View changes
rik-dev’s picture

Assigned: Unassigned » rik-dev
rik-dev’s picture

Status: Active » Needs review
Attached file: new, 2.24 KB
alexpott’s picture

Status: Needs review » Needs work
  1. +++ b/core/lib/Drupal/Component/Utility/Xss.php
    @@ -70,7 +70,7 @@ public static function filter($string, array $html_tags = NULL) {
    -    // Change back only well-formed entities in our whitelist:
    +    // Change back only well-formed entities in our allowed_extensions:
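
    Review bot: `allowed_extensions` on the `+` line names something the hunk never mentions. The sentence is about entities, and the only list in the hunk header is `$html_tags`. An underscore name also reads like an identifier that a reader will search for and not find. Say in plain words what the list contains instead of introducing a new label.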
    

    Change back only well-formed entities in our list of allowed html tags:

  2. +++ b/core/lib/Drupal/Component/Utility/Xss.php
    @@ -83,7 +83,7 @@ public static function filter($string, array $html_tags = NULL) {
    -    // Strip any tags that are not in the whitelist.
    +    // Strip any tags that are not in the allowed_list.
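
    Review bot: `allowed_list` on the `+` line is a second replacement term, where the other Xss.php hunks use `allowed_extensions`, so the comments in one file no longer agree on what the list is called. The hunk header shows the list arriving as `$html_tags`. Name the contents directly (tags that are allowed) and use the same wording in every hunk.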
    

    Strip any tags that are not in the list of allowed html tags.

  3. +++ b/core/lib/Drupal/Component/Utility/Xss.php
    @@ -161,7 +161,7 @@ protected static function split($string, $html_tags, $class) {
    -    // When in whitelist mode, an element is disallowed when not listed.
    +    // When in allowed_extensions mode, an element is disallowed when not listed.
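
    Review bot: the `+` line only swaps the label and keeps "mode", so it still asserts a mode that nothing in the hunk header `split($string, $html_tags, $class)` defines. With its four-space indent the new line also comes to 81 columns and needs wrapping. Describe what decides removal instead of renaming the mode.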
    

    This whitelist mode does not exist. This code exists so that \Drupal\Component\Utility\Xss and \Drupal\editor\EditorXssFilter\Standard can behave differently, i.e. treat the list of html tags as a list of allowed tags or a list of tags to remove. So something like:

    Defer to the ::needsRemoval() method to decide if the element is to be removed. This allows the list of tags to be treated as either a list of allowed tags or a list of denied tags.

  4. +++ b/core/lib/Drupal/Core/Render/theme.api.php
    @@ -274,7 +274,7 @@
    - *   your markup needs any of the tags not in this whitelist, then you can
    + *   your markup needs any of the tags not in this allowed_extensions, then you can
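
    Review bot: "not in this allowed_extensions" on the `+` line is not grammatical, and the longer word pushes the doc-block line past 80 columns. A one-word substitution is not enough here; reword to "not in this list" and rewrap the surrounding lines of the block so each stays within the limit.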
    

    This comment needs fixing and should be re-flowed to be:

     *   \Drupal\Component\Utility\Xss::$adminTags for the list of allowed tags. If
     *   your markup needs any of the tags not in this list, then you can implement
     *   a theme hook and/or an asset library. Alternatively, you can use the key
     *   #allowed_tags to alter which tags are filtered.
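
The behaviour described in point 3 above, as an added sketch that is not Drupal's code and not part of the original review: one filter routine asks an overridable needsRemoval() whether an element goes, so a subclass can read the same tag list as allowed tags or as denied tags. The class names `TagFilter` and `DenyTagFilter`, the simplified regex and the sample markup are assumptions made for illustration; only the needsRemoval() name comes from the page.

```php
<?php
// Added sketch, not Drupal's Xss class. TagFilter and DenyTagFilter are
// hypothetical names; the regex is a simplified stand-in for a real splitter.

class TagFilter {

  /**
   * Strips every element for which static::needsRemoval() returns TRUE.
   */
  public static function filter(string $html, array $tags): string {
    // Lookup table keyed by lower-case tag name.
    $lookup = array_flip(array_map('strtolower', $tags));
    // Late static binding: the called class decides what the list means.
    $out = preg_replace_callback(
      '%</?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>%',
      function (array $m) use ($lookup) {
        return static::needsRemoval($lookup, $m[1]) ? '' : $m[0];
      },
      $html
    );
    // Fail closed: return nothing if the regex engine reports an error.
    return $out ?? '';
  }

  /**
   * Default reading: the list holds allowed tags, unlisted tags are removed.
   */
  protected static function needsRemoval(array $lookup, string $elem): bool {
    return !isset($lookup[strtolower($elem)]);
  }

}

class DenyTagFilter extends TagFilter {

  /**
   * Inverted reading: the list holds denied tags, unlisted tags are kept.
   */
  protected static function needsRemoval(array $lookup, string $elem): bool {
    return !parent::needsRemoval($lookup, $elem);
  }

}

// Constructed sample input.
$html = '<p>Hi <em>there</em><blink>!</blink><script>x()</script></p>';

echo TagFilter::filter($html, ['p', 'em']), "\n";
echo DenyTagFilter::filter($html, ['script']), "\n";
```

Under the denied-tags reading, any tag missing from the list (the constructed `<blink>` here) passes through untouched, which is why the comment wording needs to say which way the list is being read.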
    
dww’s picture

Status: Needs work » Needs review
Attached files: new, 2.63 KB; new, 2.4 KB

Fixes all of #5. I don't see anything else to improve, but I'll let someone else RTBC. ;)

Thanks,
-Derek

matroskeen’s picture

Assigned: rik-dev » Unassigned
Status: Needs review » Reviewed & tested by the community

I believe it's good to go

alexpott’s picture

Version: 9.1.x-dev » 8.9.x-dev
Status: Reviewed & tested by the community » Fixed

Committed and pushed 7430b47266 to 9.1.x and 49bdb09e7a to 9.0.x and d448b54d86 to 8.9.x. Thanks!

Backported to 8.9.x as this change is only comments.

  • alexpott committed 7430b47 on 9.1.x
    Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/...

  • alexpott committed 49bdb09 on 9.0.x
    Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/...

  • alexpott committed d448b54 on 8.9.x
    Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.