Problem/Motivation

I get this issue during usage of Tailwind CSS framework. This framework allows to use classes with prefixes like md:mx-auto, lg:text-red-100. But Xss::filter() removes such values from the "class" attribute because process them as a protocol. I found a couple of existing issues, but all of them are not about how to add the "class" attributes to a whitelist.

Steps to reproduce

  1. configure Basic HTML filter /admin/config/content/formats/manage/basic_html: add <div class=""> to the Allowed HTML tags
  2. create any node with HTML like that: <div class="md:mx-auto lg:text-red-100"> (Body with selected Basic HTML filter)
  3. see that the md prefix is filtered and doesn't exist in page's HTML source

Proposed resolution

In the Drupal\Component\Utility\XSS::attributes() exists next code:

            $skip_protocol_filtering = substr($attribute_name, 0, 5) === 'data-' || in_array($attribute_name, [
              'title',
              'alt',
              'rel',
              'property',
            ]);

I guess the "class" attribute doesn't affect on a site's security (correct me if I'm wrong). So the 1st option is to add 'class' attributes to the list. The 2nd option is to allow to expand this list - for example, like it's implemented for the filter_protocols in the default.services.yml.

Known workaround

According this comment (link) it's possible to add Tailwind CSS md, lg class prefixes as allowed protocols. And your class attribute value MUST start from the prefixed class to pass a protocol filtering. Because the class="m-0 md:text-red-100" is read by Drupal as a value with m-0 md: protocol instead of whitelisted md:.

Remaining tasks

tbd

User interface changes

n/a

API changes

n/a

Data model changes

tbd

Release notes snippet

tbd

CommentFileSizeAuthor
#6 3252587-6.patch1.35 KBlongwave
#6 3252587-6-test-only.patch934 byteslongwave
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Chalk created an issue. See original summary.

cilefen’s picture

cilefen CreditAttribution: cilefen commented
Issue tags: +Bug Smash Initiative

Is this the same as #3050007: CSS identifiers created via `Html::cleanCssIdentifier` shouldn't strip colons?

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext commented
Category: Bug report » Feature request
Chalk’s picture

Chalk CreditAttribution: Chalk at DrupalSquad commented
Related issues: +#3050007: CSS identifiers created via `Html::cleanCssIdentifier` shouldn't strip colons

@cilefen it looks pretty similar, but I'm not sure that the Html::cleanCssIdentifier was in my call stack. In my case the root cause is XSS::attributes().

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

This is also causing issues with the uswds library which is being pushed on U.S. sites.

longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented
Title: Allow to extend the $skip_protocol_filtering list of attributes to use Tailwind CSS classes with prefix ":" » Extend the $skip_protocol_filtering list of attributes to use Tailwind CSS classes with prefix ":"
Version: 9.2.x-dev » 9.4.x-dev
Category: Feature request » Task
Status: Active » Needs review
FileSize
3252587-6-test-only.patch934 bytes
3252587-6.patch1.35 KB

The last submitted patch, 6: 3252587-6-test-only.patch, failed testing. View results

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

Are there any security implications to whitelisting the entire class attribute?

longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented

I don't think so, the security issues are around URLs (that could contain code such as the javascript: URL scheme) and as far as I know the class attribute is never parsed as if it were a URL. If this were extended to other attributes we would have to consider them individually but adding just class is safe.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

So following the code it does appear it sends the class through UrlHelper::filterBadProtocol which splits along ":" and see the left side as invalid protocal.

I believe you're right about safe to whitelist class I just don't know XSS stuff well enough to know for sure.

Your patch does work.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Reviewed & tested by the community

Actually I take my previous statement back because all you are doing is ignoring class for protocol checking. So I don't see any issue.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 6: 3252587-6.patch, failed testing. View results

longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented
Status: Needs work » Reviewed & tested by the community

Unrelated fails, see #3267124: Temporarily skip failing tests

Back to RTBC.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 6: 3252587-6.patch, failed testing. View results

longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented
Status: Needs work » Reviewed & tested by the community

More unrelated fails, back to RTBC.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Status: Reviewed & tested by the community » Needs review
Issue tags: +Needs change record

The class attribute cannot contain URI, meaning it should be fine to skip it from XSS perspective. I guess there's the very unlikely scenario that this could have an impact on someones custom JavaScript, meaning we should probably add a change record for this.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

I’ll work on the change record.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Issue tags: -Needs change record

Added a change request here https://www.drupal.org/node/3292741

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
CreditAttribution: borisson_ at Calibrate commented

Change record looks to be complete, I have one nitpick about this sentence, would it be clearer to say that colons are allowed in class names (because as far as I can read the issue, this is only changed for classes?)
> This change will mark colons as allowed markup allowing such libraries to be used inside the ckeditor.

longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented
Status: Needs review » Reviewed & tested by the community

Thanks for the CR. Agree with @borisson_ - I updated the CR a little to make it clearer that this affects classes only.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

This is big for those that have to use uswds so thank you!

  • lauriii committed b6217bd on 10.1.x 
    Issue #3252587 by longwave, smustgrave, Chalk, borisson_, alexpott:...

  • lauriii committed 39faf57 on 10.0.x 
    Issue #3252587 by longwave, smustgrave, Chalk, borisson_, alexpott:...

  • lauriii committed c977065 on 9.5.x 
    Issue #3252587 by longwave, smustgrave, Chalk, borisson_, alexpott:...

lauriii credited alexpott.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Status: Reviewed & tested by the community » Fixed

Asked for another set of review from @alexpott. He confirmed he checked https://html5sec.org/ and didn't find anything worrying.

Committed b6217bd and pushed to 10.1.x. Cherry-picked to 10.0.x and 9.5.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.