Problem/Motivation

I get this issue during usage of Tailwind CSS framework. This framework allows to use classes with prefixes like md:mx-auto, lg:text-red-100. But Xss::filter() removes such values from the "class" attribute because process them as a protocol. I found a couple of existing issues, but all of them are not about how to add the "class" attributes to a whitelist.

Steps to reproduce

  1. configure Basic HTML filter /admin/config/content/formats/manage/basic_html: add <div class=""> to the Allowed HTML tags
  2. create any node with HTML like that: <div class="md:mx-auto lg:text-red-100"> (Body with selected Basic HTML filter)
  3. see that the md prefix is filtered and doesn't exist in page's HTML source

Proposed resolution

In the Drupal\Component\Utility\XSS::attributes() exists next code:

            $skip_protocol_filtering = substr($attribute_name, 0, 5) === 'data-' || in_array($attribute_name, [
              'title',
              'alt',
              'rel',
              'property',
            ]);

I guess the "class" attribute doesn't affect on a site's security (correct me if I'm wrong). So the 1st option is to add 'class' attributes to the list. The 2nd option is to allow to expand this list - for example, like it's implemented for the filter_protocols in the default.services.yml.

Known workaround

According this comment (link) it's possible to add Tailwind CSS md, lg class prefixes as allowed protocols. And your class attribute value MUST start from the prefixed class to pass a protocol filtering. Because the class="m-0 md:text-red-100" is read by Drupal as a value with m-0 md: protocol instead of whitelisted md:.

Remaining tasks

tbd

User interface changes

n/a

API changes

n/a

Data model changes

tbd

Release notes snippet

tbd

CommentFileSizeAuthor
#6 3252587-6.patch1.35 KBlongwave
#6 3252587-6-test-only.patch934 byteslongwave

Comments

Chalk created an issue. See original summary.

cilefen’s picture

cilefen commented
Issue tags: +Bug Smash Initiative

Is this the same as #3050007: CSS identifiers created via `Html::cleanCssIdentifier` shouldn't strip colons?

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Category: Bug report » Feature request
chalk’s picture

chalk commented
Related issues: +#3050007: CSS identifiers created via `Html::cleanCssIdentifier` shouldn't strip colons

@cilefen it looks pretty similar, but I'm not sure that the Html::cleanCssIdentifier was in my call stack. In my case the root cause is XSS::attributes().

smustgrave’s picture

smustgrave commented

This is also causing issues with the uswds library which is being pushed on U.S. sites.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Title: Allow to extend the $skip_protocol_filtering list of attributes to use Tailwind CSS classes with prefix ":" » Extend the $skip_protocol_filtering list of attributes to use Tailwind CSS classes with prefix ":"
Version: 9.2.x-dev » 9.4.x-dev
Category: Feature request » Task
Status: Active » Needs review
StatusFileSize
new 3252587-6-test-only.patch934 bytes
new 3252587-6.patch1.35 KB

The last submitted patch, 6: 3252587-6-test-only.patch, failed testing. View results

smustgrave’s picture

smustgrave commented

Are there any security implications to whitelisting the entire class attribute?

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

I don't think so, the security issues are around URLs (that could contain code such as the javascript: URL scheme) and as far as I know the class attribute is never parsed as if it were a URL. If this were extended to other attributes we would have to consider them individually but adding just class is safe.

smustgrave’s picture

smustgrave commented

So following the code it does appear it sends the class through UrlHelper::filterBadProtocol which splits along ":" and see the left side as invalid protocal.

I believe you're right about safe to whitelist class I just don't know XSS stuff well enough to know for sure.

Your patch does work.

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

Actually I take my previous statement back because all you are doing is ignoring class for protocol checking. So I don't see any issue.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 6: 3252587-6.patch, failed testing. View results

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs work » Reviewed & tested by the community

Unrelated fails, see #3267124: Temporarily skip failing tests

Back to RTBC.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 6: 3252587-6.patch, failed testing. View results

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs work » Reviewed & tested by the community

More unrelated fails, back to RTBC.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
Status: Reviewed & tested by the community » Needs review
Issue tags: +Needs change record

The class attribute cannot contain URI, meaning it should be fine to skip it from XSS perspective. I guess there's the very unlikely scenario that this could have an impact on someones custom JavaScript, meaning we should probably add a change record for this.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave commented

I’ll work on the change record.

smustgrave’s picture

smustgrave commented
Issue tags: -Needs change record

Added a change request here https://www.drupal.org/node/3292741

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
commented

Change record looks to be complete, I have one nitpick about this sentence, would it be clearer to say that colons are allowed in class names (because as far as I can read the issue, this is only changed for classes?)
> This change will mark colons as allowed markup allowing such libraries to be used inside the ckeditor.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs review » Reviewed & tested by the community

Thanks for the CR. Agree with @borisson_ - I updated the CR a little to make it clearer that this affects classes only.

smustgrave’s picture

smustgrave commented

This is big for those that have to use uswds so thank you!

  • lauriii committed b6217bd on 10.1.x 
    Issue #3252587 by longwave, smustgrave, Chalk, borisson_, alexpott:...

  • lauriii committed 39faf57 on 10.0.x 
    Issue #3252587 by longwave, smustgrave, Chalk, borisson_, alexpott:...

  • lauriii committed c977065 on 9.5.x 
    Issue #3252587 by longwave, smustgrave, Chalk, borisson_, alexpott:...

lauriii credited alexpott.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
Status: Reviewed & tested by the community » Fixed

Asked for another set of review from @alexpott. He confirmed he checked https://html5sec.org/ and didn't find anything worrying.

Committed b6217bd and pushed to 10.1.x. Cherry-picked to 10.0.x and 9.5.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.