Replace use of whitelist/blacklist in Filter module [#3151101]

Problem/Motivation

Lets remove usage of "blacklist" and "whitelist" in Filter module.

They are:

An historic bad labelling of people
Provide no context: "what is listed in them"?

Proposed resolution

core/modules/filter/src/Element/TextFormat: s/$blacklist/$keys_not_to_copy/
Otherwise, it's all comments. Generally replace "whitelist" with "allowed" and "blacklist" with "denied".

Remaining tasks

~~Come up with replacement names.~~
~~Decide what needs BC + deprecation and what can be changed directly.~~ Everything are comments and local variables. No BC, deprecations or CR needed.
~~Fix everything:~~
- ~~core/modules/filter/tests/src/Kernel/FilterKernelTest.php~~
- ~~core/modules/filter/src/Entity/FilterFormat.php~~
- ~~core/modules/filter/src/Plugin/Filter/FilterHtml.php~~
- ~~core/modules/filter/src/Element/TextFormat.php~~
- ~~core/modules/filter/src/FilterFormatInterface.php~~
~~Reviews / improvements.~~
RTBC.
Commit.

User interface changes

None

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

Comment	File	Size	Author
#20	3151101.16_20.interdiff.txt	903 bytes	dww
#20	3151101-20.patch	12.17 KB	dww
#20	9.1.x: PHP 7.4 & MySQL 5.7 Patch Failed to Apply 9.0.x: PHP 7.4 & SQLite 3.27 27,382 pass
#16	interdiff_14-16.txt	1.46 KB	ravi.shankar
#16	3151101-16.patch	12.18 KB	ravi.shankar
#16	9.1.x: PHP 7.4 & MySQL 5.7 27,459 pass
#14	interdiff_10-14.txt	3.86 KB	Deepak Goyal
#14	3151101-14.patch	12.17 KB	Deepak Goyal
#14	9.1.x: PHP 7.4 & MySQL 5.7 27,376 pass
#10	interdiff_6-10.txt	10.1 KB	Deepak Goyal
#10	3151101-10.patch	11.95 KB	Deepak Goyal
#10	9.1.x: PHP 7.4 & MySQL 5.7 27,373 pass
#6	d9whiteblacklist-3151101-6.patch	11.37 KB	shetpooja04
#6	9.1.x: PHP 7.4 & MySQL 5.7 27,372 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

12 June 2020 at 08:20

alexpott created an issue. See original summary.

Comment #2

ashishdalvi

English

Mumbai

CreditAttribution: ashishdalvi at QED42 for Drupal India Association commented 12 June 2020 at 08:37

Assigned:

Unassigned

» ashishdalvi

I will be picking this issue today.

Comment #3

dww

we/he/they

CreditAttribution: dww as a volunteer commented 13 June 2020 at 04:33

Issue summary:

View changes

Flesh out Remaining tasks.

Comment #4

ashishdalvi

English

Mumbai

CreditAttribution: ashishdalvi at QED42 for Drupal India Association commented 22 June 2020 at 13:25

Assigned:

ashishdalvi

» Unassigned

Comment #5

shetpooja04 CreditAttribution: shetpooja04 at QED42 commented 22 June 2020 at 18:04

Assigned:

Unassigned

» shetpooja04

Comment #6

shetpooja04 CreditAttribution: shetpooja04 at QED42 commented 23 June 2020 at 04:19

Assigned:	shetpooja04	» Unassigned
Status:	Active	» Needs review

File	Size
d9whiteblacklist-3151101-6.patch	11.37 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,372 pass

I have worked on issue as per the issue description

Comment #7

23 June 2020 at 05:15

Status:

Needs review

» Needs work

The last submitted patch, 6: d9whiteblacklist-3151101-6.patch, failed testing. View results

Comment #9

Deepak Goyal CreditAttribution: Deepak Goyal at Srijan | A Material+ Company for Drupal India Association commented 23 June 2020 at 07:01

Assigned:

Unassigned

» Deepak Goyal

Comment #10

Deepak Goyal CreditAttribution: Deepak Goyal at Srijan | A Material+ Company for Drupal India Association commented 23 June 2020 at 07:25

File	Size
3151101-10.patch	11.95 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,373 pass
interdiff_6-10.txt	10.1 KB

Hi @alexpott
Made changes as you suggested please review.
And #8.16 is pending I am not getting this.

Comment #11

Deepak Goyal CreditAttribution: Deepak Goyal at Srijan | A Material+ Company for Drupal India Association commented 23 June 2020 at 07:26

Assigned:	Deepak Goyal	» Unassigned
Status:	Needs work	» Needs review

Comment #13

Deepak Goyal CreditAttribution: Deepak Goyal at Srijan | A Material+ Company for Drupal India Association commented 23 June 2020 at 17:35

Assigned:

Unassigned

» Deepak Goyal

Comment #14

Deepak Goyal CreditAttribution: Deepak Goyal at Srijan | A Material+ Company for Drupal India Association commented 23 June 2020 at 17:48

Assigned:

Deepak Goyal

» Unassigned

File	Size
3151101-14.patch	12.17 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,376 pass
interdiff_10-14.txt	3.86 KB

Hi @alexpott
Made changes as you suggested please review.
For #12.5 "case" is not fits on the preceding line.

Comment #15

dww

we/he/they

CreditAttribution: dww as a volunteer commented 4 August 2020 at 02:02

Status:

Needs review

» Needs work

Almost there, thanks! Just a few lingering things, then this is RTBC:

+++ b/core/modules/filter/src/Entity/FilterFormat.php
@@ -388,9 +388,9 @@ public function getHtmlRestrictions() {
+      // (which contains attribute restrictions that apply to all tags),
+      // and there are no forbidden tags, the effectively nothing is allowed.

A) 80 char flow: "and" can move up to the previous line.

B) s/the/then/ effectively...

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -149,23 +149,23 @@ public function filterAttributes($text) {
-   * Filter attributes on an element by name and value according to a whitelist.
+   * Filter attributes on an element by name and value.

'Filters' needs an 's'. Also, I think it's still worth mentioning the allowed list. Something like:

"Filters attributes on an element according to an allow list." (or something).

But otherwise, we're done. Before:

 egrep -ir '(white|black)list' core/modules/filter | wc
      25     278    2980

After:

% git apply 3151101-14.patch
% egrep -ir '(white|black)list' core/modules/filter | wc
       0       0       0

(and for good measure):

% egrep -ir '(white|black)' core/modules/filter
core/modules/filter/tests/src/Kernel/FilterKernelTest.php:    $this->assertNormalized($f, 'rel="nofollow"', 'Spam deterrent evasion -- non whitespace character after tag name.');
core/modules/filter/filter.module:      // under certain strange conditions it could create a P of entirely whitespace

Comment #16

ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented 4 August 2020 at 07:55

Status:

Needs work

» Needs review

File	Size
3151101-16.patch	12.18 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,459 pass
interdiff_14-16.txt	1.46 KB

Here I have addressed #15.1 and #15.2 points of comment #15.

Comment #17

dww

we/he/they

CreditAttribution: dww as a volunteer commented 4 August 2020 at 10:47

Status:

Needs review

» Reviewed & tested by the community

Excellent, thanks!

Comment #18

quietone CreditAttribution: quietone as a volunteer commented 4 August 2020 at 11:08

Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs issue summary update

I was curious to know what words whitelist and blacklist were being replaced with and found that the IS states 'TBD'. So I looked at the patch for answer and that raised questions.

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -149,23 +149,23 @@ public function filterAttributes($text) {
+   * Filters attributes on an element according to an allow list.

Surely 'allow' is a verb and not an adjective. Instead of 'allow list' maybe 'listed of allowed values'?

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -149,23 +149,23 @@ public function filterAttributes($text) {
+        // Check the allowed attribute value list.

Shouldn't this be 'Check the list of allowed of attribute values'?

For the IS the proposed resolution needs to be updated with the suggested replacements for whitelist/blacklist. The remaining tasks section shows that there are 5 tasks still to do. Is that one tasks queries the need for BC but there is nothing in the issue that addresses that point.

Sorry, back to NW.

Comment #19

dww

we/he/they

CreditAttribution: dww as a volunteer commented 4 August 2020 at 12:07

Issue summary:	View changes
Issue tags:	-Needs issue summary update

Thanks, @quietone! Right you are. I even bothered to make a good list of remaining tasks, then didn't check we got them all. Updated.

core/modules/filter/filter.module was a false positive, so I removed it. Everything else is indeed gone (per greps at the end of #15).

Re: specific review points in #18:

"a listed of allowed values"
"Check the list of allowed of attribute values."

otherwise, +1 to those improvements.

Thanks again,
-Derek

Comment #20

dww

we/he/they

CreditAttribution: dww as a volunteer commented 4 August 2020 at 13:26

Issue summary:	View changes
Status:	Needs work	» Needs review

File	Size
3151101-20.patch	12.17 KB
9.1.x: PHP 7.4 & MySQL 5.7 Patch Failed to Apply 9.0.x: PHP 7.4 & SQLite 3.27 27,382 pass
3151101.16_20.interdiff.txt	903 bytes

File

Size

3151101-20.patch

12.17 KB

9.1.x:
PHP 7.4 & MySQL 5.7 Patch Failed to Apply

9.0.x:
PHP 7.4 & SQLite 3.27 27,382 pass

3151101.16_20.interdiff.txt

903 bytes

4 files were hidden/shown/deleted

File	Size
3151101-14.patch	12.17 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,376 pass
interdiff_10-14.txt	3.86 KB
3151101-16.patch	12.18 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,459 pass
interdiff_14-16.txt	1.46 KB

Now it just needs RTBC. ;)

Comment #21

quietone CreditAttribution: quietone as a volunteer commented 4 August 2020 at 23:49

Status:

Needs review

» Reviewed & tested by the community

@derek, thanks for the changes.

I reviewed the interdiff and the suggested changes were agreed to and made. The IS has been updated. Yeah, I don't have to read the whole patch to learn the solution!

Back to RTBC

Comment #22

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Acro Commerce, Thunder commented 5 August 2020 at 08:44

Title:	Replace use of whitelist/blacklist in Filter module	» [backport] Replace use of whitelist/blacklist in Filter module
Version:	9.1.x-dev	» 9.0.x-dev
Status:	Reviewed & tested by the community	» Fixed

Committed 1d44c8e and pushed to 9.1.x. Thanks!

Will backport once the release is out and the freeze is over.

Comment #23

5 August 2020 at 08:45

alexpott committed 1d44c8e on 9.1.x

Issue #3151101 by Deepak Goyal, dww, ravi.shankar, shetpooja04, alexpott...

Comment #24

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Acro Commerce, Thunder commented 5 August 2020 at 09:05

Status:

Fixed

» Reviewed & tested by the community

Oops meant to leave this at RTBC

Comment #25

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Acro Commerce, Thunder commented 7 August 2020 at 22:17

Version:	9.0.x-dev	» 8.9.x-dev
Status:	Reviewed & tested by the community	» Fixed

Committed and pushed aca70f2cd2 to 9.0.x and 7fafcd6952 to 8.9.x. Thanks!

Backported to 8.9.x as this is docs and internal variable names only.

Comment #26

7 August 2020 at 22:17

alexpott committed aca70f2 on 9.0.x

Issue #3151101 by Deepak Goyal, dww, ravi.shankar, shetpooja04, alexpott...

Comment #27

7 August 2020 at 22:17

alexpott committed 7fafcd6 on 8.9.x

Issue #3151101 by Deepak Goyal, dww, ravi.shankar, shetpooja04, alexpott...

Comment #28

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Acro Commerce, Thunder commented 7 August 2020 at 23:40

Title:

[backport] Replace use of whitelist/blacklist in Filter module

» Replace use of whitelist/blacklist in Filter module

Comment #29

21 August 2020 at 23:44

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Replace use of whitelist/blacklist in Filter module

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comments

Parent issue