Adding any of the following to the 'Allowed HTML tags' produces a JS error and breaks functionality:

<thead>, <tr>, <tbody>, <td>, <tfoot>

This is due to the following in /core/modules/filter/filter.filter_html.admin.js:

sandbox.innerHTML = allowedTags[t];
node = sandbox.firstChild;

Any of these tags return null instead of a Dom element.

CommentFileSizeAuthor
#12 2865842-parse-tags-12.patch3.05 KBb_sharpe
#6 2865842-JS_error.png135.08 KBb_sharpe

Comments

b_sharpe created an issue. See original summary.

b_sharpe’s picture

b_sharpe commented

Forgot to add <caption> to the list

I actually can't find any documentation as to why this is, and why only table elements, here is a simple example.

I've marked this as major as without these elements in the list, you cannot add a table using the WYSIWYG, but with them you cannot rely on the admin page JS functions (i.e. Custom styles won't auto populate)

phenaproxima’s picture

phenaproxima
he/him
Primary language English
Location Massachusetts
commented

What is the JS error you get?

b_sharpe’s picture

b_sharpe commented

Basically both just due to calling tagName on null:

Chrome - Uncaught TypeError: Cannot read property 'tagName' of null

FF - TypeError: node is null

phenaproxima’s picture

phenaproxima
he/him
Primary language English
Location Massachusetts
commented
Status: Active » Postponed (maintainer needs more info)

I think this needs explicit steps to reproduce...

b_sharpe’s picture

b_sharpe commented
Status: Postponed (maintainer needs more info) » Active
StatusFileSize
new 2865842-JS_error.png135.08 KB

Steps to reproduce:

  • Navigate to text formats - /admin/config/content/formats
  • Manage Any format
  • Make sure the "Limit allowed HTML tags and correct faulty HTML" is enabled under filters
  • Delete everything in the "Allowed HTML tags" under "Filter Settings"
  • Open a browser inspector console
  • Put in any of the aforementioned tags (i.e. <tr>)
  • Remove focus from that field and note the error in the console

If you save that field, it will also now error anytime you manage that field. Screenshot also attached.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Priority: Major » Normal

Patches welcome :)

maxocub’s picture

maxocub commented

I don't know how to solve this yet, but I did some digging and I think I found the reason.

var allowedTags = setting.match(/(<[^>]+>)/g);
var sandbox = document.createElement('div');
var rules = {};
for (var t = 0; t < allowedTags.length; t++) {
  sandbox.innerHTML = allowedTags[t];
  node = sandbox.firstChild;
  tag = node.tagName.toLowerCase();
  ...
}

If we take <tbody> as an example, the code above is trying to set the <tbody> as the inner HTML of a <div>, which is not valid, so the node variable is then null.

I'm no JavaScript expert, but one way to avoid this error for table elements would be to have the sandbox be set as a <table> for table elements, but there must be a better way to avoid this kind of conditional treatment.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

#8: interesting! Good find — that seems plausible. I wrote that code, and @nod_ reviewed/RTBC'd it, but apparently there are edge cases where this fails. So… we'll need to come up with a different way to achieve what that part of the code does, since it apparently doesn't work in all cases.

Although I wonder if this is something that is browser-specific?

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: Allowed HTML tags Breaks with table elements » Parsing of allowed HTML tags (for integration with Text Editor configuration) throws JS error when adding <tbody> element
Issue tags: +JavaScript, +Needs JavaScript testing
b_sharpe’s picture

b_sharpe commented

@wim it's not browser specific, check out my fiddle from the #2. That's why I hadn't patched yet, I haven't been able to come up with a way short of a rewrite as you suggest.

I did test omitting them and just leaving <table> and can confirm this disallows tables, so ckeditor does need the tags to work.

b_sharpe’s picture

b_sharpe commented
StatusFileSize
new 2865842-parse-tags-12.patch3.05 KB

For reference, here is every tag that will fail based off of the list here:

"<!DOCTYPE>",
"<body>",
"<caption>",
"<col>",
"<colgroup>",
"<frame>",
"<frameset>",
"<head>",
"<html>",
"<tbody>",
"<td>",
"<tfoot>",
"<th>",
"<thead>",
"<tr>",

So the question is do we want to create a list of exceptions for tables and create them as children of a table node, then omit the non-table elements (is there a reason to allow frame/frameset?) or should it be rewritten to support all tags?

A simple work-around is to create the element itself, rather than create a div and then use the firstChild, but since we're dealing with only a few of many, it may not warrant creating a new DOM node for every tag rather than re-using the original div, so maybe something like the attached patch would suffice.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

Well… <!DOCTYPE>, <body>, <head>, <html> cannot possibly ever make sense in a text format. And I'd argue the same is true for <frame> and <frameset>.

So that then pretty much just leaves <table>-related elements. Which… maybe means we can special-case just those elements? We could make the parent <table> instead of <div> for those :)

droplet’s picture

droplet commented

It's a Public Security issue involved these functions: #2725255: Unfiltered data in "Allowed HTML tags".

b_sharpe’s picture

b_sharpe commented
Status: Active » Postponed
Related issues: +#2725255: Unfiltered data in "Allowed HTML tags"

Adding related issue and postponing as this issue may not be relevant once the related issue is fixed.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

tom.moffett’s picture

tom.moffett commented

Is this something that is still being worked on? I ran into this issue, and it's breaking the "CKEditor plugin settings" section. The JS code that runs to hide/show the vertical tabs doesn't get to execute correctly, and all but the last tab is shown, however, more tabs should be showing. I can go into dev tools and manually change elements to show so I can edit, but it's obviously not ideal and not good for non-dev users who might configure a text editor.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

rromore’s picture

rromore commented
Issue tags: -JavaScript +JavaScript

I've rerolled the patch in 2725255 and can confirm that resolves this issue as well.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

nod_’s picture

nod_
Primary language French
Location Lille
commented

Probably solved by #2556069: JS error with elements in "allowed HTML tags" that can't be direct descendants of a div

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Postponed » Closed (outdated)
Issue tags: +Bug Smash Initiative

I tested this on Drupal 10.1.x, standard install. I used the steps given in #6. I was not able to reproduce the problem. In #15 a maintainer suggested that this has been fixed, and my testing confirms that. There also, hasn't been any reports of this on a supported version of Drupal.

Therefore, closing as outdate If you are experiencing this problem on a supported version of Drupal reopen the issue, by setting the status to 'Active', and provide complete steps to reproduce the issue (starting from "Install Drupal core").

Thanks!