Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
This issue is for backporting #2609928: Xss::attributes() mangles valid attribute names containing numbers to Drupal 7.
Comments
Comment #2
Jill LI've ported the patch to D7, and added the test to filter.test.
Not sure about the placement/description of the test, but it seems to function fine.
Comment #3
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedThanks for the patch. I have reviewed it and have one question - why in D10 we have this:
And in D7 patch this?
It seems to me that the plus sign should not be there. The same applies for the second change in the patch.
The patch also does not apply anymore, so the reroll is needed. Please check the problem mentioned above while doing rerolls.
Comment #4
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedI am uploading a new patch - reroll & removed the plus signs not present in the D10.
Now the patch should be equal to the current D10 code: https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Component/Utility/Xss.php#L216
Adding also test only patch to see that the attrbutes are malformed in the current state.
Comment #6
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedAdding a tag for the review from another D7 maintainer before commit.
Comment #8
mcdruidThanks; great that we added a test.