3 namespace Drupal\editor\EditorXssFilter;
5 use Drupal\Component\Utility\Html;
6 use Drupal\Component\Utility\Xss;
7 use Drupal\filter\FilterFormatInterface;
8 use Drupal\editor\EditorXssFilterInterface;
11 * Defines the standard text editor XSS filter.
13 class Standard extends Xss implements EditorXssFilterInterface {
18 public static function filterXss($html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL) {
19 // Apply XSS filtering, but blacklist the <script>, <style>, <link>, <embed>
21 // The <script> and <style> tags are blacklisted because their contents
22 // can be malicious (and therefor they are inherently unsafe), whereas for
23 // all other tags, only their attributes can make them malicious. Since
24 // \Drupal\Component\Utility\Xss::filter() protects against malicious
25 // attributes, we take no blacklisting action.
26 // The exceptions to the above rule are <link>, <embed> and <object>:
27 // - <link> because the href attribute allows the attacker to import CSS
28 // using the HTTP(S) protocols which Xss::filter() considers safe by
29 // default. The imported remote CSS is applied to the main document, thus
30 // allowing for the same XSS attacks as a regular <style> tag.
31 // - <embed> and <object> because these tags allow non-HTML applications or
32 // content to be embedded using the src or data attributes, respectively.
33 // This is safe in the case of HTML documents, but not in the case of
34 // Flash objects for example, that may access/modify the main document
36 // <iframe> is considered safe because it only allows HTML content to be
37 // embedded, hence ensuring the same origin policy always applies.
38 $dangerous_tags = ['script', 'style', 'link', 'embed', 'object'];
40 // Simply blacklisting these five dangerous tags would bring safety, but
41 // also user frustration: what if a text format is configured to allow
42 // <embed>, for example? Then we would strip that tag, even though it is
43 // allowed, thereby causing data loss!
44 // Therefor, we want to be smarter still. We want to take into account which
45 // HTML tags are allowed and forbidden by the text format we're filtering
46 // for, and if we're switching from another text format, we want to take
47 // that format's allowed and forbidden tags into account as well.
48 // In other words: we only expect markup allowed in both the original and
49 // the new format to continue to exist.
50 $format_restrictions = $format->getHtmlRestrictions();
51 if ($original_format !== NULL) {
52 $original_format_restrictions = $original_format->getHtmlRestrictions();
55 // Any tags that are explicitly blacklisted by the text format must be
56 // appended to the list of default dangerous tags: if they're explicitly
57 // forbidden, then we must respect that configuration.
58 // When switching from another text format, we must use the union of
59 // forbidden tags: if either text format is more restrictive, then the
60 // safety expectations of *both* text formats apply.
61 $forbidden_tags = self::getForbiddenTags($format_restrictions);
62 if ($original_format !== NULL) {
63 $forbidden_tags = array_merge($forbidden_tags, self::getForbiddenTags($original_format_restrictions));
66 // Any tags that are explicitly whitelisted by the text format must be
67 // removed from the list of default dangerous tags: if they're explicitly
68 // allowed, then we must respect that configuration.
69 // When switching from another format, we must use the intersection of
70 // allowed tags: if either format is more restrictive, then the safety
71 // expectations of *both* formats apply.
72 $allowed_tags = self::getAllowedTags($format_restrictions);
73 if ($original_format !== NULL) {
74 $allowed_tags = array_intersect($allowed_tags, self::getAllowedTags($original_format_restrictions));
77 // Don't blacklist dangerous tags that are explicitly allowed in both text
79 $blacklisted_tags = array_diff($dangerous_tags, $allowed_tags);
81 // Also blacklist tags that are explicitly forbidden in either text format.
82 $blacklisted_tags = array_merge($blacklisted_tags, $forbidden_tags);
84 $output = static::filter($html, $blacklisted_tags);
86 // Since data-attributes can contain encoded HTML markup that could be
87 // decoded and interpreted by editors, we need to apply XSS filtering to
89 return static::filterXssDataAttributes($output);
93 * Applies a very permissive XSS/HTML filter to data-attributes.
96 * The string to apply the data-attributes filtering to.
99 * The filtered string.
101 protected static function filterXssDataAttributes($html) {
102 if (stristr($html, 'data-') !== FALSE) {
103 $dom = Html::load($html);
104 $xpath = new \DOMXPath($dom);
105 foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
106 // The data-attributes contain an HTML-encoded value, so we need to
107 // decode the value, apply XSS filtering and then re-save as encoded
108 // value. There is no need to explicitly decode $node->value, since the
109 // DOMAttr::value getter returns the decoded value.
110 $value = Xss::filterAdmin($node->value);
111 $node->value = Html::escape($value);
113 $html = Html::serialize($dom);
121 * Get all allowed tags from a restrictions data structure.
123 * @param array|false $restrictions
124 * Restrictions as returned by FilterInterface::getHTMLRestrictions().
127 * An array of allowed HTML tags.
129 * @see \Drupal\filter\Plugin\Filter\FilterInterface::getHTMLRestrictions()
131 protected static function getAllowedTags($restrictions) {
132 if ($restrictions === FALSE || !isset($restrictions['allowed'])) {
136 $allowed_tags = array_keys($restrictions['allowed']);
137 // Exclude the wildcard tag, which is used to set attribute restrictions on
138 // all tags simultaneously.
139 $allowed_tags = array_diff($allowed_tags, ['*']);
141 return $allowed_tags;
145 * Get all forbidden tags from a restrictions data structure.
147 * @param array|false $restrictions
148 * Restrictions as returned by FilterInterface::getHTMLRestrictions().
151 * An array of forbidden HTML tags.
153 * @see \Drupal\filter\Plugin\Filter\FilterInterface::getHTMLRestrictions()
155 protected static function getForbiddenTags($restrictions) {
156 if ($restrictions === FALSE || !isset($restrictions['forbidden_tags'])) {
160 return $restrictions['forbidden_tags'];
167 protected static function needsRemoval($html_tags, $elem) {
168 // See static::filterXss() about how this class uses blacklisting instead
169 // of the normal whitelisting.
170 return !parent::needsRemoval($html_tags, $elem);