Problem/Motivation

Webform currently allows for the STYLE attribute within the custom HTML editors markup.

The STYLE attribute can be used for click-jacking
@see https://stackoverflow.com/questions/4546591/xss-attacks-and-style-attrib....

Proposed resolution

Remove support for STYLE attribute in HTML editor markup.

Remaining tasks

  • Convert color swatch STYLE attribute to FONT tags
  • Fix broken tests.

Notes

  • The STYLE attribute within HTML email can be supported by using custom templates.
  • Allowing form builders to use Twig to create email would also allow for the style attribute.

References

CommentFileSizeAuthor
#11 2921424-block-html-editor-style-11.patch10.45 KBjrockowitz
#7 webform_html_editor-2921424-7.patch11.68 KBjrockowitz
#5 webform_html_editor-2921424-5.patch10.59 KBjrockowitz
#2 2921424-2.patch7.76 KBjrockowitz
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

jrockowitz created an issue. See original summary.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Issue summary: View changes
Status: Active » Needs review
FileSize
2921424-2.patch7.76 KB
jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Title: \Drupal\webform\Element\WebformHtmlEditor::checkMarkup should return SafeMarkup without style attribute. » Webform HTML Editor must block STYLE attribute from being entered.
Issue summary: View changes
jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Title: Webform HTML Editor must block STYLE attribute from being entered. » Webform HTML Editor must block STYLE attribute from being supported.
jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
FileSize
webform_html_editor-2921424-5.patch10.59 KB

Status: Needs review » Needs work

The last submitted patch, 5: webform_html_editor-2921424-5.patch, failed testing. View results
- codesniffer_fixes.patch Interdiff of automated coding standards fixes only.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Status: Needs work » Needs review
FileSize
webform_html_editor-2921424-7.patch11.68 KB

Status: Needs review » Needs work

The last submitted patch, 7: webform_html_editor-2921424-7.patch, failed testing. View results
- codesniffer_fixes.patch Interdiff of automated coding standards fixes only.

  • jrockowitz committed 842a559 on 2921424-block-html-editor-style 
    Issue #2921424 by jrockowitz: Webform HTML Editor must block STYLE...

  • jrockowitz committed 7772e1f on 2921424-block-html-editor-style 
    Issue #2921424 by jrockowitz: Webform HTML Editor must block STYLE...
jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Status: Needs work » Needs review
FileSize
2921424-block-html-editor-style-11.patch10.45 KB

  • jrockowitz committed 551384e on 8.x-5.x 
    Issue #2921424 by jrockowitz: Webform HTML Editor must block STYLE...
jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.