Problem/Motivation
Hi all
I'm trying to use Drupal 8 + angular and I've got a trouble.
I have html like this
<section class="actions-menu-inner" ng-style="{ 'max-height': maxPanelHeight }" ed-pretty-scrollbar ed-scroll-axis="y" ed-scroll-theme="light"></section>
Here is special attribute for angular - ng-style.
When I've tried to render it, I found that attribute ng-style wasn't rendered correctly. It was cropped like this:
ng-style=" maxPanelHeight }"
It happens in Xss::attributes in this line
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
The only way to avoid it is this piece of code (it's in method attributes too):
$skip_protocol_filtering = substr($attribute_name, 0, 5) === 'data-' || in_array($attribute_name, array(
'title',
'alt',
));
What the best way to add my own exception for attributes beginning from "ng-". Seems it's not possible right now?
Any help will be appreciated.
Steps to reproduce
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#40 | reroll_diff_25-40.txt | 1.22 KB | ravi.shankar |
#40 | 2635632-test-only-FAIL-40.patch | 5.85 KB | ravi.shankar |
#25 | 2635632-test-only-FAIL-25.patch | 5.83 KB | jhodgdon |
#13 | 2635632-13.patch | 2.29 KB | Pavan B S |
Comments
Comment #2
eugene.ilyin CreditAttribution: eugene.ilyin as a volunteer and at DrupalJedi commentedComment #3
alexpottDoes this suggest that we should turn the logic around and instead of listing which attributes to skip - list which attributes we should protocol filter?
Comment #4
alexpottLike couldn't we just to protocol filtering if the attribute is one of:
From: https://wiki.whatwg.org/wiki/Sanitization_rules#Attributes_whose_value_i...
Comment #5
alexpottMy list is incomplete... http://stackoverflow.com/questions/2725156/complete-list-of-html-tag-att...
Comment #6
chx CreditAttribution: chx commentedThis is extremely iffy -- HTML tag soup is still largely supported. So my recommendation would be: keep the current one but provide a setting where you can switch to a blacklist approach and then someone needs to write a little script to parse the attributes out of http://stackoverflow.com/a/2725168/308851 and use that as the blacklist. I do NOT want to ship the blacklist as default. But, it's just me. I am neither a maintainer nor a security team member :)
Comment #7
bzrudi71 CreditAttribution: bzrudi71 commentedI was just going to open a new issue when I found this one. I discovered a similar problem when trying to create responsive images by a controller response. The problem is that the XSS filter crops any property containing a colon.
Example:
<source srcset="image.jpg 1x" media="all and (min-width: 560px) and (max-width: 850px)" type="image/jpeg"/>
becomes:
<source srcset="image.jpg 1x" media=" 850px)" type="image/jpeg"/>
and as a result the responsive images don't work as expected.
Comment #8
alexpotti thought that maybe we could add { and space to the list of characters in a protocol to say if it contains these then it is not a valid protocol but at the moment we're missing test coverage - see #1210798: In PHP 5.4+, html_entity_decode() doesn't decode invalid numeric entities - so I added { and [ but that still didn't fix the Angular case because it just calling
UrlHelper::filterBadProtocol()
mangles text.Therefore after thinking about it I think we should just do the simple thing and add ng- and media to list of things we skip and be prepared to add to this list for the time being.
Comment #12
catchComment #13
Pavan B S CreditAttribution: Pavan B S at Valuebound commentedrerolled the patch
Comment #15
Eric_A CreditAttribution: Eric_A commented@catch marked #2372127: Prevent Xss::filter from stripping a token at the beginning of an html attribute a duplicate of this issue, but then this needs real work (apart from fixing the broken reroll in #13) and won't be simple anymore...
Comment #16
Jaypan CreditAttribution: Jaypan at Jaypan commentedAs requested in https://www.drupal.org/node/2105841#comment-12016390, I'm posting an issue I've found with stripping of properties
I've got a field on my account, named bio. In this field, I'm manually adding the following:
However, the resulting HTML is as follows:
So schema: is being stripped from the 'typeof' property.
I found that #69 in https://www.drupal.org/node/2544110 fixed the problem, even though one hunk of the patch failed.
Comment #17
Eric_A CreditAttribution: Eric_A commentedThanks for mentioning #2544110: XSS attribute filtering is inconsistent and strips valid attributes!
Comment #20
jhodgdonThere are quite a few related issues here, all reporting problems that boil down to the Xss::attributes() method being too aggressive about colons, leading to mangled attributes:
(a) This issue.
Token-related:
(b) #2372127: Prevent Xss::filter from stripping a token at the beginning of an html attribute -- was reported a while back, and was already closed by @catch as a duplicate of this issue.
(c) #2944173: CKEditor mangles tokens in URLs, due to bug in Xss::attributes() -- was reported recently as a CKEditor bug, but it turned out to be due to Xss::attributes. It has a small test-only patch that illustrates the problem. EDIT: added note -- (c) is currently marked as Critical, because it leads to data loss merely by re-editing and saving a node with a token in an attribute in the body (such as href on an a tag), if the site uses CKEditor for editing that body.
Other valid attribute data being mangled:
(d) #2105841: Xss filter() mangles image captions and title/alt/data attributes
(e) #2544110: XSS attribute filtering is inconsistent and strips valid attributes
I believe that (d) and (e) are direct duplicates of each other (and just commented on the two of them to that effect). They are both asking for certain attributes containing colons to be left alone. Both have patches and tests. I have tested the latest patch in (e) and it doesn't solve (c); neither seems to be trying to address tokens.
Invalid attributes being mangled instead of stripped:
(f) #2552837: XSS::filter and filter_xss can create malformed attributes when you would expect them to be stripped
This issue is asking for certain invalid attributes to be stripped out instead of mangled, so it is a bit different from the others.
So... The problem seems to be fairly varied and widespread. I don't know if we want to try to solve it all here or in several interrelated issues or what?
Comment #21
jhodgdonI've made a test-only patch, with the test additions that were on the patch from #13 here, plus some new cases involving tokens. I ran the test locally, and it failed in the right way to illustrate the problems that I think this issue is trying to solve, assuming that it incorporates both the examples in the current issue summary, and the other issue(s) about tokens (one of which was already marked as a duplicate of this issue).
I don't have a good idea how to resolve this issue, but I don't think a configuration option or blacklist/whitelist will help, since these problematic attributes could be in any tag, in any attribute. Xss::attributes, in my opinion, just needs to be less aggressive and more careful about : characters in tokens.
Comment #22
jhodgdonAnd in case the scope is widened to include #2544110: XSS attribute filtering is inconsistent and strips valid attributes and/or #2105841: Xss filter() mangles image captions and title/alt/data attributes, here is a bigger test-only patch that includes examples from those issues as well (just basically copied from those two issues; I am not sure they are all valid...). And an interdiff from the previous test-only patch in #21.
Comment #25
jhodgdon@alexpott and/or @catch -- If you would like to make a decision about which (if any) of the issues mentioned in comment #20 you would like to consider as duplicates (i.e., part of this issue), I will volunteer to:
a) Update the issue summary here to define the scope and/or examples that should be covered.
b) Update the test-only patch to cover only those examples, as needed.
c) Mark the other issues as duplicates of this one.
d) Make a list of people who worked on those other issues that should be credited on this one.
Meanwhile, a few extra lines got into the end of that last patch. Here's a fix. Just deleted the lines like
Comment #27
jhodgdonMy mistake: item (d) in comment #20 was an 8.0.x issue that was fixed, then it was moved to 7.x, but now there is a separate 7.x issue and so the 8.x one is closed, that's #2105841: Xss filter() mangles image captions and title/alt/data attributes. The others in #20 remain at large...
Comment #31
firewaller CreditAttribution: firewaller commented+1
Comment #36
Chalk CreditAttribution: Chalk at DrupalSquad commentedI've described my case with Tailwind CSS here: #3252587: Extend the $skip_protocol_filtering list of attributes to use Tailwind CSS classes with prefix ":". Seems it's a bit related.
Comment #38
smustgrave CreditAttribution: smustgrave at Mobomo commentedClosing as a duplicate of https://www.drupal.org/project/drupal/issues/3252587. From the description appears ":" was being stripped.
If you feel the issue is still there please reopen with the steps you are using.
Comment #39
smustgrave CreditAttribution: smustgrave at Mobomo commentedReopening to include the tests from this ticket.
Comment #40
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commentedAdded reroll of patch #40 on Drupal 9.5.x., still needs work for #39.
Comment #41
quietone CreditAttribution: quietone commentedReading the last few comments I was about to change this to a task. Then I looked at the failing tests and it is failing on the tests being added here. So it appears that there are other changes to make as well, so leaving as a bug report.
Added issue summary template and tagging for an update.
Comment #42
quietone CreditAttribution: quietone commentedOr does it make sense to move this work into #2544110: XSS attribute filtering is inconsistent and strips valid attributes and make this a duplicate of that?
Comment #43
smustgrave CreditAttribution: smustgrave at Mobomo commented@quietone personally I prefer to consolidate. There are a number of tickets open about updating the filter.
Comment #44
smustgrave CreditAttribution: smustgrave at Mobomo commented@quietone following up on #42
Comment #46
smustgrave CreditAttribution: smustgrave at Mobomo commentedClosing out as work is being focused on #2544110: XSS attribute filtering is inconsistent and strips valid attributes which I believe covers this ticket. Will move over credit.
If anyone feel this is a separate ticket and wants to address the IS update please reopen.