Problem/Motivation
⚠️ Discovered while reviewing #3312442: [PP-1] Make ready for CKEditor 5, which is updating the ckeditor_bidi
module to support CKEditor 5 and provide an automatic upgrade path.
<p lang> <* lang>
should get simplified to
<p> <* lang>
Steps to reproduce
See unit test, or alternatively create a dummy CKEditor 5 plugin with
elements:
- <p dir="ltr rtl">
You'll notice that filter_html
gets configured to not allow just <p>
, but <p dir="ltr rtl">
, even though that's already implied by that filter (see \Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions()
).
Proposed resolution
Automatically resolve global attributes. This is something we didn't notice in #3231334: Global attributes (<* lang> and <* dir="ltr rtl">): validation + support (fix data loss).
Remaining tasks
Test coverage.- Reviews
User interface changes
No more nonsensical additions to filter_html
.
API changes
None.
Data model changes
None.
Release notes snippet
N/A
Comment | File | Size | Author |
---|---|---|---|
#36 | 3314478-36.patch | 20.36 KB | Wim Leers |
| |||
#36 | interdiff.txt | 8.44 KB | Wim Leers |
#33 | reroll_diff_28-33.txt | 6.82 KB | pooja saraah |
#33 | 3314478-33.patch | 19.82 KB | pooja saraah |
#28 | 3314478-28.patch | 20.17 KB | Wim Leers |
|
Comments
Comment #2
Wim LeersComment #3
Wim LeersComment #4
Wim LeersComment #6
Wim LeersComment #7
Wim LeersExpand test coverage more: let's make sure that we really did not miss any edge case this time around! 🤓
This is adding test coverage for attribute restrictions on a tag being a superset of the restrictions on the global attributes
<*>
tag.This (and the dozens of subsequent test cases) is adding test coverage for wildcard tags — the test coverage up to this point only dealt with concrete tags.
Comment #8
Wim LeersFix.
Comment #11
Wim LeersThat had some unintended consequences. Fixing…
Comment #12
Wim LeersDocs + clean-up.
Comment #13
Wim LeersRun all tests again.
Comment #14
smustgrave CreditAttribution: smustgrave at Mobomo commentedI tried testing this with the ckeditor_bidi module
This is what I allow. With the patch I noticed that no element is getting the "dir" attribute now. Is that expected?
Comment #15
Wim LeersYes, it is! And for clarity: by "no element is getting […]", you mean
filter_html
'sallowed_html
setting.Because the
<dir>
attribute gets special treatment fromfilter_html
:and
Comment #16
smustgrave CreditAttribution: smustgrave at Mobomo commentedIn that case testing patch #13 can confirm ckeditor_bidi still works.
Comment #17
alexpottDo we have test coverage of the impact of allowing something and disallowing something else.
Like what happen if I allow
* foo
but disallow* bar
but also configure to allowp foo bar
?I looked for test coverage of this situation. But could not find it. Note that that does not mean it does not exist :).
Comment #18
Wim LeersVery interesting question! 🤓
filter_html
does not allow configuring<* bar>
. One can configurefilter_html
to allow<p style>
, but<* style>
will still be applied anyway.It's only for security reasons that HTML restrictions are able to specify globally disallowed attributes. It does not make sense to override it, at all, ever, because
filter_html
will simply ignore it. That's why it never even crossed my mind to test this! 🤓But you're of course right that if we're explicitly testing the behavior for the "collision with globally allowed attributes" case, that we should also do the same for the "collision with globally disallowed attributes" case.
ℹ️ In fact, this is very closely related to #3312807: Harden CKEditor 5 against self-XSS through source editing, where we will be improving the UX to explicitly fail validation when that occurs. Documented this explicitly at #3312807-4: Harden CKEditor 5 against self-XSS through source editing.
Conclusion: it's important to provide explicit DX when a user/developer tries to override globally disallowed attributes to become allowed. We need test coverage for this. I'm happy to split this off into a separate issue if you prefer, but I'm equally fine with doing it here. For now, getting it going here, because it is the other side of the same aspect. Attached patch adds unit test coverage with expected failures.
Tricky: Unfortunately, like many other aspects of the Filter module, there is no validation logic in
\Drupal\filter\Plugin\Filter\FilterHtml
at all. This means that it's totally possible there are sites out there that have<p style>
configured as theirallowed_html
… and that configuration is treated as valid, but 100% certainly ignored. So we need to handle that gracefully. I'll do that in a next patch iteration.Comment #19
Wim LeersComment #20
Wim LeersFix.
Comment #23
Wim LeersThis was addressed by #18 (tests) and #20 (fix).
Next up:
Here's the test coverage. And … the new test failure in #20 actually reveals that this would've been caught anyway! 🤓 So this is just adding explicit test coverage.
Comment #24
Wim LeersThis should fix all tests … except one.
Comment #25
Wim Leers😶
Comment #27
Wim LeersHah, that last failure is actually correct. It is not something you would ever see in the UI, because as described at #3312807: Harden CKEditor 5 against self-XSS through source editing, n thanks to #3228691: Restrict allowed additional attributes to prevent self XSS the UI will warn you:
The additional expectation added in this interdiff is for the validation error thrown by
FundamentalCompatibilityConstraintValidator
. And it is accurate, because it validates an existing text editor config entity that DOES have theSourceEditing
plugin configured to allow e.g.<p onhover>
, whichfilter_html
indeed does not allow, so it is indeed a fundamental compatibility problem. You'll just never be able to create such an invalid text editor config through the UI, only by manipulating config by hand and forcefully importing it.Hence this interdiff is actually just confirming that the changes in #24 are correct! 🥳
Comment #28
Wim LeersGreen! Time to run all tests again 🤓
Comment #29
smustgrave CreditAttribution: smustgrave at Mobomo commentedQueued #28 regardless. I think the core branch is still having javascript errors. Lets see what happens.
Comment #30
smustgrave CreditAttribution: smustgrave at Mobomo commentedThink it's another random failure.
Comment #31
catchCode looks pretty good to me but I find the error message hard to read - here's an attempt at a reword, may or may not actually be better:
'The global ("*") attribute restrictions are disallowing the following attributes "%s" which are allowed by the attribute restrictions in "%s". This must be resolved so that the same attribute is not both allowed and disallowed'.
Could this be 'The attribute restrictions in "%s" are allowing attributes "%s" that are disallowed by the special "*" global attribute restrictions.
Comment #32
lauriiiThis makes the goals of this issue crystal clear 💯
For consistency, should we reference these using
HTMLRestrictions
?Woah, this is smart 🤯
I feel like "clean up" could potentially could be replaced with something more elaborate.
This first caught my attention since it is not common to disallow attributes for a tag. After reviewing this, it totally makes sense. This explicitly disallows any attributes if all of the attributes were removed as part of the clean up. 👍
The word "automatically" feels redundant in here 😅
Should there be "is" between attribute and present?
Comment #33
pooja saraah CreditAttribution: pooja saraah at Srijan | A Material+ Company for Drupal India Association commentedAddressed the comment #31 #32 point-7
need to be addressed the comment #32 point-2,4,5,6
Attached patch against Drupal 10.1.x
Comment #34
pooja saraah CreditAttribution: pooja saraah at Srijan | A Material+ Company for Drupal India Association commentedComment #35
Wim LeersComment #36
Wim Leers#31: Thank you, I was struggling with the wording 😅
#32:
self
elsewhere, I just keep forgetting about it 🙈 — now consistently usingself
👍Comment #38
Wim LeersUnrelated random fail; re-testing.
Comment #40
Wim Leers…
Comment #41
lauriii#36 addresses all of my feedback. I think this is ready to go 👍
Comment #42
catchCommitted/pushed to 10.1.x, cherry-picked back through to 9.4.x thanks!
Comment #44
catch