Problem/Motivation

There are a number of spelling errors in the dictionary that only exist because they are used in XSS tests or related code:

  1. ascript
  2. attributename
  3. attrlist
  4. barbaz
  5. bgsound
  6. bscript
  7. ckers
  8. dynsrc
  9. ession
  10. fooÿñ
  11. harnhammar
  12. kses
  13. livescript
  14. metacharacters
  15. msgbox
  16. ncript
  17. nfocus
  18. nmedi
  19. nmouseover
  20. nosuchscheme
  21. nosuchtag
  22. noxss
  23. onmediaerror
  24. pression
  25. propertyname
  26. ript
  27. scri
  28. scrscriptipt
  29. tascript
  30. thisval
  31. unicoded
  32. vbscript

Proposed resolution

Rename variables where we can, and explicitly ignore words that are used for testing in the relevant file only.
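
One way to sort dictionary words into the two actions proposed above, as an added example that is not part of the original issue or of Drupal's tooling. It indexes constructed sample files (the file names, contents and the `planDictionaryCleanup` helper are hypothetical) and emits a `cspell:ignore` comment for words confined to one file. Tokenising on runs of letters is a simplification of cspell's own word splitting.

```javascript
// Constructed sample inputs: a slice of a project-wide dictionary and three
// file bodies. They are illustrative only, not Drupal's actual files.
const dictionary = ['kses', 'scri', 'ript', 'vbscript', 'propertyname', 'crema'];
const files = {
  'tests/XssTest.php': "$v = Xss::filter('<scri' . 'pt>'); // also ript and vbscript: cases",
  'lib/Xss.php': '// Based on kses by Ulf Harnhammar; strips vbscript: URLs.',
  'lib/Element.php': "// e.g., array('#propertyname' => 'attributename')",
};

// Lower-cased runs of letters (assumed simplification of cspell's splitting).
function tokens(text) {
  return new Set(text.toLowerCase().match(/\p{L}+/gu) || []);
}

// Classify each dictionary word by the number of files that contain it.
function planDictionaryCleanup(words, sources) {
  const index = Object.entries(sources).map(([name, body]) => [name, tokens(body)]);
  const plan = { perFile: {}, shared: [], unused: [] };
  for (const word of words) {
    const hits = index
      .filter(([, set]) => set.has(word.toLowerCase()))
      .map(([name]) => name);
    if (hits.length === 0) {
      plan.unused.push(word); // no longer referenced: candidate to drop
    } else if (hits.length === 1) {
      // Confined to one file: rename it there or add an in-file ignore.
      (plan.perFile[hits[0]] = plan.perFile[hits[0]] || []).push(word);
    } else {
      plan.shared.push(word); // several files: needs a decision per file
    }
  }
  return plan;
}

// Render the in-file directive that cspell reads from a comment.
function ignoreDirective(words) {
  return '// cspell:ignore ' + [...words].sort().join(' ');
}

const plan = planDictionaryCleanup(dictionary, files);
for (const [file, words] of Object.entries(plan.perFile)) {
  console.log(`${file}: ${ignoreDirective(words)}`);
}
console.log('shared:', plan.shared.join(' '), '| unused:', plan.unused.join(' '));
```

Whether a single-file word is renamed or ignored remains a manual call: a misspelled variable or doc comment can be renamed, while a deliberately broken tag fragment in an XSS test has to stay as written and gets the ignore directive.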


Comments

longwave created an issue. See original summary.

longwave’s picture

jungle’s picture

Status: Needs review » Reviewed & tested by the community

Thanks @longwave!

  1. --- a/core/lib/Drupal/Component/Utility/Xss.php
    +++ b/core/lib/Drupal/Component/Utility/Xss.php
    

    Renamed variable only in Xss

  2. +++ b/core/lib/Drupal/Component/Utility/Xss.php
    @@ -278,10 +280,10 @@ protected static function attributes($attributes) {
    diff --git a/core/lib/Drupal/Core/Render/Element.php b/core/lib/Drupal/Core/Render/Element.php
    
    +++ b/core/lib/Drupal/Core/Render/Element.php
    @@ -166,9 +166,9 @@ public static function isVisibleElement($element) {
    -   *   property; e.g., array('#propertyname' => 'attributename'). If both names
    -   *   are identical except for the leading '#', then an attribute name value is
    -   *   sufficient and no property name needs to be specified.
    +   *   property; e.g., array('#property_name' => 'attribute_name'). If both
    +   *   names are identical except for the leading '#', then an attribute name
    +   *   value is sufficient and no property name needs to be specified.
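
    Review bot: the rewritten example on the first added line still uses long `array(...)` syntax. Since the docblock is being rewrapped anyway, consider writing it as `['#property_name' => 'attribute_name']`, in line with the short array syntax that Drupal's coding standards prefer. The rename itself only touches the comment, so no caller of the method is affected by the change.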
    

    Rewritten comment only in Element.

  3. +++ b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
    @@ -464,6 +468,7 @@ public function providerTestFilterXss() {
    diff --git a/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php b/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php
    
    +++ b/core/tests/Drupal/Tests/Component/Render/HtmlEscapedTextTest.php
    @@ -33,9 +33,9 @@ public function testToString($text, $expected, $message) {
    diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
    

    cspell:ignore added/renaming made to tests in StandardTest, HtmlEscapedTextTest and XssTest

  4. $ yarn spellcheck:core
    yarn run v1.22.4
    $ cspell "**/*" "../composer/**/*" "../composer.json"
    CSpell: Files checked: 14640, Issues found: 0 in 0 files
    ✨  Done in 247.57s.
    

All good to me.

catch’s picture

Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs reroll

#2 no longer applies.

jungle’s picture

Status: Needs work » Reviewed & tested by the community
Issue tags: -Needs reroll

Thanks @catch!

  1. $ cat misc/cspell/dictionary.txt.rej
    diff a/core/misc/cspell/dictionary.txt b/core/misc/cspell/dictionary.txt        (rejected hunks)
    @@ -350,7 +343,6 @@ createkey
     createrole
     createuser
     crema
    -cript
     crudui
     crypted
     cscript
    @@ -370,17 +362,13 @@ currenttime
     currentuser
     customly
     customrequest
    -cves
     cweagans
     data's
     databasefilename
     databasename
    -datafld
    -dataformatas
     datapoint
     dataprovider
     datas
    -datasrc
     datatypes
     datefield
     dateformatter
    
  2. Leftovers/fixed: misrendered, scriptlet, wxuczpzdmc, but not in scope here to remove them.

Assuming testing passes, and setting back to RTBC.

jungle’s picture

Title: Fix or ignore 37 words used in XSS tests and related methods » Fix or ignore 32 words used in XSS tests and related methods
Issue summary: View changes

Updating the number in title and the list of removed words in IS.

longwave’s picture


Rerolled, staying RTBC.

  • catch committed edd570f on 9.1.x
    Issue #3162972 by longwave, jungle: Fix or ignore 32 words used in XSS...
catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed edd570f and pushed to 9.1.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.