opdavies/drupalcampbristol
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update to Drupal 8.0.2. For more information, see https://www.drupal.org/drupal-8.0.2-release-notes

Browse source
This commit is contained in:
Pantheon Automation 2016-01-06 16:31:26 -08:00 committed by Greg Anderson
parent 1a0e9d9fac
commit a6b049dd05
538 changed files with 5247 additions and 1594 deletions
Download patch file Download diff file Expand all files Collapse all files

25
core/modules/locale/locale.module
View file

@ -1035,6 +1035,31 @@ function locale_translation_use_remote_source() {
* layout issues (div) or a possible attack vector (img).
*/
function locale_string_is_safe($string) {
// Some strings have tokens in them. For tokens in the first part of href or
// src HTML attributes, \Drupal\Component\Utility\Xss::filter() removes part
// of the token, the part before the first colon.
// \Drupal\Component\Utility\Xss::filter() assumes it could be an attempt to
// inject javascript. When \Drupal\Component\Utility\Xss::filter() removes
// part of tokens, it causes the string to not be translatable when it should
// be translatable.
// @see \Drupal\locale\Tests\LocaleStringIsSafeTest::testLocaleStringIsSafe()
//
// We can recognize tokens since they are wrapped with brackets and are only
// composed of alphanumeric characters, colon, underscore, and dashes. We can
// be sure these strings are safe to strip out before the string is checked in
// \Drupal\Component\Utility\Xss::filter() because no dangerous javascript
// will match that pattern.
//
// Strings with tokens should not be assumed to be dangerous because even if
// we evaluate them to be safe here, later replacing the token inside the
// string will automatically mark it as unsafe as it is not the same string
// anymore.
//
// @todo Do not strip out the token. Fix
// \Drupal\Component\Utility\Xss::filter() to not incorrectly alter the
// string. https://www.drupal.org/node/2372127
$string = preg_replace('/\[[a-z0-9_-]+(:[a-z0-9_-]+)+\]/i', '', $string);
return Html::decodeEntities($string) == Html::decodeEntities(Xss::filter($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
}