Problem/Motivation
Discovered in #3270734 (Update Editor + CKEditor 5 module to not use CKEditor 4 in tests): there is an edge case that causes HTMLRestrictions::mergeAllowedElementsLevel() to fail when presented with a minimal test case of <ol type="1"> being merged into itself.
This was previously discovered and considered fixed in #3274648 (HTMLRestrictions::merge() and ::toGeneralHtmlSupportConfig() fail on allowed attribute values that can be interpreted as integers), but that fix only covers the case of <ol type="1"> being merged into something different; when both sides of the merge contain the "1", the bug occurs.
This method is recursive. Eventually this gets recursed down into:
$array1['1'] = TRUE;
$array2['1'] = TRUE;
When called with these arguments, the method incorrectly returns [1, TRUE]. This is because array_keys($array1) casts the string key 1 to int!
php > var_dump(array_keys(['1' => TRUE]));
array(1) {
[0]=>
int(1)
}
And when we have a numeric key, array_merge() appends instead of overwriting keys, and so a corrupted array is produced.
Steps to reproduce
See test case.
Proposed resolution
Manually merge the arrays instead of using array_merge(), as it cannot be convinced to overwrite when numeric keys are present (even if they were once strings).
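The failure and the proposed fix, as an added example that is not the committed patch or Drupal's own code: merge_level() and its $use_array_merge switch are hypothetical, and the rule that TRUE wins for non-array values is an assumption of this sketch. Merging an allowlist into itself should be a no-op, which makes the corruption easy to check for.

```php
<?php
// Added illustration; merge_level() is a hypothetical stand-in, not
// HTMLRestrictions::mergeAllowedElementsLevel().
function merge_level(array $a, array $b, bool $use_array_merge): array {
  $out = $a;
  foreach ($b as $key => $value) {
    $left = $out[$key] ?? NULL;
    if (is_array($left) && is_array($value)) {
      // Both sides restrict further: recurse one level down.
      $merged = merge_level($left, $value, $use_array_merge);
    }
    else {
      // Assumption of this sketch: TRUE on either side wins.
      $merged = ($left === TRUE || $value === TRUE) ? TRUE : $value;
    }
    if ($use_array_merge) {
      // array_merge() appends and renumbers integer keys instead of
      // overwriting them; string keys such as 'ol' are overwritten.
      $out = array_merge($out, [$key => $merged]);
    }
    else {
      // Plain assignment overwrites regardless of the key's type.
      $out[$key] = $merged;
    }
  }
  return $out;
}

// Constructed sample: allow <ol type="1">, then merge it into itself.
$allowed = ['ol' => ['type' => ['1' => TRUE]]];

$with_array_merge = merge_level($allowed, $allowed, TRUE);
$with_assignment = merge_level($allowed, $allowed, FALSE);

// The key written as '1' is already an integer inside the array.
var_dump(array_keys($allowed['ol']['type']));

// Idempotence check: a self-merge must return the same allowlist.
printf("array_merge unchanged: %s\n", var_export($with_array_merge === $allowed, TRUE));
printf("assignment unchanged:  %s\n", var_export($with_assignment === $allowed, TRUE));

// Show which attribute-value keys each strategy ends up with.
echo json_encode(array_keys($with_array_merge['ol']['type'])), "\n";
echo json_encode(array_keys($with_assignment['ol']['type'])), "\n";
```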
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 3305621-2.patch | 1.62 KB | longwave |
| #2 | 3305621-2-test-only.patch | 897 bytes | longwave |
Comments
Comment #2
longwave
Comment #3
longwave
Comment #5
wim leers
👏
Comment #9
lauriii
Committed 1921b1b and pushed to 10.1.x. Also cherry-picked to 10.0.x, 9.5.x, and 9.4.x. Thanks!