class Standard

Same name in this branch
  1. 8.9.x core/modules/views/src/Plugin/views/join/Standard.php \Drupal\views\Plugin\views\join\Standard
  2. 8.9.x core/modules/views/src/Plugin/views/sort/Standard.php \Drupal\views\Plugin\views\sort\Standard
  3. 8.9.x core/modules/views/src/Plugin/views/field/Standard.php \Drupal\views\Plugin\views\field\Standard
  4. 8.9.x core/modules/views/src/Plugin/views/relationship/Standard.php \Drupal\views\Plugin\views\relationship\Standard
  5. 8.9.x core/modules/views/src/Plugin/views/filter/Standard.php \Drupal\views\Plugin\views\filter\Standard
  6. 8.9.x core/modules/views/src/Plugin/views/wizard/Standard.php \Drupal\views\Plugin\views\wizard\Standard
  7. 8.9.x core/modules/views/src/Plugin/views/argument/Standard.php \Drupal\views\Plugin\views\argument\Standard
Same name in other branches
  1. 9 core/modules/views/src/Plugin/views/join/Standard.php \Drupal\views\Plugin\views\join\Standard
  2. 9 core/modules/views/src/Plugin/views/sort/Standard.php \Drupal\views\Plugin\views\sort\Standard
  3. 9 core/modules/views/src/Plugin/views/field/Standard.php \Drupal\views\Plugin\views\field\Standard
  4. 9 core/modules/views/src/Plugin/views/relationship/Standard.php \Drupal\views\Plugin\views\relationship\Standard
  5. 9 core/modules/views/src/Plugin/views/filter/Standard.php \Drupal\views\Plugin\views\filter\Standard
  6. 9 core/modules/views/src/Plugin/views/wizard/Standard.php \Drupal\views\Plugin\views\wizard\Standard
  7. 9 core/modules/views/src/Plugin/views/argument/Standard.php \Drupal\views\Plugin\views\argument\Standard
  8. 9 core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard
  9. 10 core/modules/views/src/Plugin/views/join/Standard.php \Drupal\views\Plugin\views\join\Standard
  10. 10 core/modules/views/src/Plugin/views/sort/Standard.php \Drupal\views\Plugin\views\sort\Standard
  11. 10 core/modules/views/src/Plugin/views/field/Standard.php \Drupal\views\Plugin\views\field\Standard
  12. 10 core/modules/views/src/Plugin/views/relationship/Standard.php \Drupal\views\Plugin\views\relationship\Standard
  13. 10 core/modules/views/src/Plugin/views/filter/Standard.php \Drupal\views\Plugin\views\filter\Standard
  14. 10 core/modules/views/src/Plugin/views/wizard/Standard.php \Drupal\views\Plugin\views\wizard\Standard
  15. 10 core/modules/views/src/Plugin/views/argument/Standard.php \Drupal\views\Plugin\views\argument\Standard
  16. 10 core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard
  17. 11.x core/modules/views/src/Plugin/views/join/Standard.php \Drupal\views\Plugin\views\join\Standard
  18. 11.x core/modules/views/src/Plugin/views/sort/Standard.php \Drupal\views\Plugin\views\sort\Standard
  19. 11.x core/modules/views/src/Plugin/views/field/Standard.php \Drupal\views\Plugin\views\field\Standard
  20. 11.x core/modules/views/src/Plugin/views/relationship/Standard.php \Drupal\views\Plugin\views\relationship\Standard
  21. 11.x core/modules/views/src/Plugin/views/filter/Standard.php \Drupal\views\Plugin\views\filter\Standard
  22. 11.x core/modules/views/src/Plugin/views/wizard/Standard.php \Drupal\views\Plugin\views\wizard\Standard
  23. 11.x core/modules/views/src/Plugin/views/argument/Standard.php \Drupal\views\Plugin\views\argument\Standard
  24. 11.x core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard

Defines the standard text editor XSS filter.

Hierarchy

Expanded class hierarchy of Standard

2 files declare their use of Standard
FilterKernelTest.php in core/modules/filter/tests/src/Kernel/FilterKernelTest.php
StandardTest.php in core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
239 string references to 'Standard'
AggregatorTestBase::setUp in core/modules/aggregator/src/Tests/AggregatorTestBase.php
Sets up a Drupal site for running functional and integration tests.
AggregatorTestBase::setUp in core/modules/aggregator/tests/src/Functional/AggregatorTestBase.php
BaseFieldAccessTest::setUp in core/modules/views/tests/src/Functional/Entity/BaseFieldAccessTest.php
BlockContentViewsData::getViewsData in core/modules/block_content/src/BlockContentViewsData.php
Returns views data for the entity type.
book_views_data in core/modules/book/book.views.inc
Implements hook_views_data().

... See full list

File

core/modules/editor/src/EditorXssFilter/Standard.php, line 13

Namespace

Drupal\editor\EditorXssFilter
View source
class Standard extends Xss implements EditorXssFilterInterface {
    
    /**
     * {@inheritdoc}
     */
    public static function filterXss($html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL) {
        // Apply XSS filtering, but blacklist the <script>, <style>, <link>, <embed>
        // and <object> tags.
        // The <script> and <style> tags are blacklisted because their contents
        // can be malicious (and therefore they are inherently unsafe), whereas for
        // all other tags, only their attributes can make them malicious. Since
        // \Drupal\Component\Utility\Xss::filter() protects against malicious
        // attributes, we take no blacklisting action.
        // The exceptions to the above rule are <link>, <embed> and <object>:
        // - <link> because the href attribute allows the attacker to import CSS
        //   using the HTTP(S) protocols which Xss::filter() considers safe by
        //   default. The imported remote CSS is applied to the main document, thus
        //   allowing for the same XSS attacks as a regular <style> tag.
        // - <embed> and <object> because these tags allow non-HTML applications or
        //   content to be embedded using the src or data attributes, respectively.
        //   This is safe in the case of HTML documents, but not in the case of
        //   Flash objects for example, that may access/modify the main document
        //   directly.
        // <iframe> is considered safe because it only allows HTML content to be
        // embedded, hence ensuring the same origin policy always applies.
        $dangerous_tags = [
            'script',
            'style',
            'link',
            'embed',
            'object',
        ];
        // Simply blacklisting these five dangerous tags would bring safety, but
        // also user frustration: what if a text format is configured to allow
        // <embed>, for example? Then we would strip that tag, even though it is
        // allowed, thereby causing data loss!
        // Therefore, we want to be smarter still. We want to take into account
        // which HTML tags are allowed and forbidden by the text format we're
        // filtering for, and if we're switching from another text format, we want
        // to take that format's allowed and forbidden tags into account as well.
        // In other words: we only expect markup allowed in both the original and
        // the new format to continue to exist.
        $format_restrictions = $format->getHtmlRestrictions();
        if ($original_format !== NULL) {
            $original_format_restrictions = $original_format->getHtmlRestrictions();
        }
        // Any tags that are explicitly blacklisted by the text format must be
        // appended to the list of default dangerous tags: if they're explicitly
        // forbidden, then we must respect that configuration.
        // When switching from another text format, we must use the union of
        // forbidden tags: if either text format is more restrictive, then the
        // safety expectations of *both* text formats apply.
        $forbidden_tags = self::getForbiddenTags($format_restrictions);
        if ($original_format !== NULL) {
            $forbidden_tags = array_merge($forbidden_tags, self::getForbiddenTags($original_format_restrictions));
        }
        // Any tags that are explicitly whitelisted by the text format must be
        // removed from the list of default dangerous tags: if they're explicitly
        // allowed, then we must respect that configuration.
        // When switching from another format, we must use the intersection of
        // allowed tags: if either format is more restrictive, then the safety
        // expectations of *both* formats apply.
        $allowed_tags = self::getAllowedTags($format_restrictions);
        if ($original_format !== NULL) {
            $allowed_tags = array_intersect($allowed_tags, self::getAllowedTags($original_format_restrictions));
        }
        // Don't blacklist dangerous tags that are explicitly allowed in both text
        // formats.
        $blacklisted_tags = array_diff($dangerous_tags, $allowed_tags);
        // Also blacklist tags that are explicitly forbidden in either text format.
        $blacklisted_tags = array_merge($blacklisted_tags, $forbidden_tags);
        $output = static::filter($html, $blacklisted_tags);
        // Since data-attributes can contain encoded HTML markup that could be
        // decoded and interpreted by editors, we need to apply XSS filtering to
        // their contents.
        return static::filterXssDataAttributes($output);
    }
    
    /**
     * Applies a very permissive XSS/HTML filter to data-attributes.
     *
     * @param string $html
     *   The string to apply the data-attributes filtering to.
     *
     * @return string
     *   The filtered string.
     */
    protected static function filterXssDataAttributes($html) {
        if (stristr($html, 'data-') !== FALSE) {
            $dom = Html::load($html);
            $xpath = new \DOMXPath($dom);
            foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
                // The data-attributes contain an HTML-encoded value, so we need to
                // decode the value, apply XSS filtering and then re-save as encoded
                // value. There is no need to explicitly decode $node->value, since the
                // DOMAttr::value getter returns the decoded value.
                $value = Xss::filterAdmin($node->value);
                $node->value = Html::escape($value);
            }
            $html = Html::serialize($dom);
        }
        return $html;
    }
    
    /**
     * Get all allowed tags from a restrictions data structure.
     *
     * @param array|false $restrictions
     *   Restrictions as returned by FilterInterface::getHTMLRestrictions().
     *
     * @return array
     *   An array of allowed HTML tags.
     *
     * @see \Drupal\filter\Plugin\Filter\FilterInterface::getHTMLRestrictions()
     */
    protected static function getAllowedTags($restrictions) {
        if ($restrictions === FALSE || !isset($restrictions['allowed'])) {
            return [];
        }
        $allowed_tags = array_keys($restrictions['allowed']);
        // Exclude the wildcard tag, which is used to set attribute restrictions on
        // all tags simultaneously.
        $allowed_tags = array_diff($allowed_tags, [
            '*',
        ]);
        return $allowed_tags;
    }
    
    /**
     * Get all forbidden tags from a restrictions data structure.
     *
     * @param array|false $restrictions
     *   Restrictions as returned by FilterInterface::getHTMLRestrictions().
     *
     * @return array
     *   An array of forbidden HTML tags.
     *
     * @see \Drupal\filter\Plugin\Filter\FilterInterface::getHTMLRestrictions()
     */
    protected static function getForbiddenTags($restrictions) {
        if ($restrictions === FALSE || !isset($restrictions['forbidden_tags'])) {
            return [];
        }
        else {
            return $restrictions['forbidden_tags'];
        }
    }
    
    /**
     * {@inheritdoc}
     */
    protected static function needsRemoval($html_tags, $elem) {
        // See static::filterXss() about how this class uses blacklisting instead
        // of the normal whitelisting.
        return !parent::needsRemoval($html_tags, $elem);
    }

}

Members

Title Sort descending Modifiers Object type Summary Overriden Title
Standard::filterXss public static function Filters HTML to prevent XSS attacks when a user edits it in a text editor. Overrides EditorXssFilterInterface::filterXss
Standard::filterXssDataAttributes protected static function Applies a very permissive XSS/HTML filter to data-attributes.
Standard::getAllowedTags protected static function Get all allowed tags from a restrictions data structure.
Standard::getForbiddenTags protected static function Get all forbidden tags from a restrictions data structure.
Standard::needsRemoval protected static function Whether this element needs to be removed altogether. Overrides Xss::needsRemoval
Xss::$adminTags protected static property The list of HTML tags allowed by filterAdmin().
Xss::$htmlTags protected static property The default list of HTML tags allowed by filter().
Xss::attributes protected static function Processes a string of HTML attributes.
Xss::filter public static function Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
Xss::filterAdmin public static function Applies a very permissive XSS/HTML filter for admin-only use.
Xss::getAdminTagList public static function Gets the list of HTML tags allowed by Xss::filterAdmin().
Xss::getHtmlTagList public static function Gets the standard list of HTML tags allowed by Xss::filter().
Xss::split protected static function Processes an HTML tag.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.