Attribute value encoding not compatible with Xss::filter()

For example, if I wanted to add alt="</em> a strange alt text" attribute to an img element, CKEditor 5 would happily allow us to do that through the UI.

But this is not a case where we need to support it: we only need to support it for data-caption. For all other attributes, we can strip away all HTML, can't we? Even if CKEditor 5 does not do that by default.

Re #3222808-20: Follow-up for #3201646: markup in image captions is lost, HEAD's Html::normalize() function already converts < and > inside of attribute values to < and >.

So a possible solution here is to make sure Html::normalize() is called before Xss:filter(). The question is where? I think the best option would be to call Html::normalize() when saving. Not sure where the best place to do that would be if the goal is to only do it when saving a textarea that was edited by CKE5.

Not sure where the best place to do that would be if the goal is to only do it when saving a textarea that was edited by CKE5.

We can't do that, at all.

We should not be processing the HTML generated by CKE5 after it's done its job and before it gets saved. That'd be violating the abstraction layer provided by the Text Editor module.

Another approach is to change FilterHtml::process() to call Html::normalize() before calling Xss::filter(). It already normalizes the HTML after calling that, via filterAttributes(), so given that, I don't think that normalizing before as well would regress anything. But if we're going to take this approach, let's do it as a separate core issue, since then that's not scoped to ckeditor5 module.

That's my point exactly: either we need to modify Drupal core (and that has huge risks, not in the least in terms of timeline), or we need to tweak CKEditor 5. We previously concluded we needed to tweak CKEditor 5. We got the infrastructure we needed to be able to do that. But … it appears to be inadequate, I just don't understand why yet. See #3222808-26: Follow-up for #3201646: markup in image captions is lost, where I'm asking @lauriii for clarifications — because I definitely feel lost right now 😳.

Epic work here, @lauriii!

Add Nightwatch tests for DrupalHtmlBuilder 😅

🚀

Oops! Something went wrong! :(

ESLint: 7.32.0

ESLint couldn't find the plugin "eslint-plugin-prettier".

(The package "eslint-plugin-prettier" was not found when loaded as a Node module from the directory "/var/www/html".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

    npm install eslint-plugin-prettier@latest --save-dev

The plugin "eslint-plugin-prettier" was referenced from the config file in "../.eslintrc.json » ./core/.eslintrc.json".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.

Any idea what could cause this? 😳

This looks great, no further remarks, just the single failure left to be addressed! 🥳

EPIC work!