core/modules/filter/filter.module | 31 ++++++++++++--------
.../lib/Drupal/filter/Tests/FilterAPITest.php | 2 +-
.../lib/Drupal/filter/Tests/FilterSecurityTest.php | 2 +-
3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module
index a0a265d..a73e67b 100644
--- a/core/modules/filter/filter.module
+++ b/core/modules/filter/filter.module
@@ -631,7 +631,7 @@ function filter_get_filter_types_by_format($format_id) {
// Ignore filters that are disabled.
$filters = array_filter($filters, function($filter) {
- return $filter->status == 1;
+ return $filter->status;
});
$filters_metadata = filter_get_filters();
@@ -668,7 +668,7 @@ function filter_get_allowed_tags_by_format($format_id) {
// Ignore filters that are disabled or don't have an "allowed tags" setting.
$filters = array_filter($filters, function($filter) {
- if ($filter->status == 0) {
+ if (!$filter->status) {
return FALSE;
}
@@ -682,6 +682,9 @@ function filter_get_allowed_tags_by_format($format_id) {
return TRUE;
}
else {
+ // From the set of remaining filters (they were filtered by array_filter()
+ // above), collect the list of tags that is allowed by *all* filters, i.e.
+ // the intersection of all allowed tags.
$allowed_tags = array_reduce($filters, function($result, $filter) {
$allowed_tags = array();
$filters_metadata = filter_get_filters();
@@ -689,9 +692,14 @@ function filter_get_allowed_tags_by_format($format_id) {
$setting_name = $filters_metadata[$filter->name]['allowed tags setting'];
$allowed_tags = preg_split('/\s+|<|>/', $filter->settings[$setting_name], -1, PREG_SPLIT_NO_EMPTY);
- if (is_null($result)) {
+ // The first filter with an "allowed tags" setting provides the initial
+ // set.
+ if (!isset($result)) {
return $allowed_tags;
}
+ // Subsequent filters with an "allowed tags" setting must be intersected
+ // with the existing set, to ensure we only end up with the tags that are
+ // allowed by *all* filters with an "allowed tags" setting.
else {
return array_intersect($result, $allowed_tags);
}
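Review bot: The `else` after `if (!isset($result)) { return $allowed_tags; }` is redundant because that branch returns, and the new three-line comment is wedged between the closing brace and `else`, where it can be misread as belonging to the `if`. Dropping the `else` lets the comment sit directly above `return array_intersect($result, $allowed_tags);`. The `!isset($result)` test also depends on array_reduce() starting from NULL; the end of that call is outside this hunk, so if no initial value is passed there, passing `NULL` explicitly would make the dependency visible. An empty intersection stays an empty array and still counts as set, so later filters cannot widen the result.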
@@ -911,18 +919,18 @@ function filter_list_format($format_id) {
* Boolean whether to cache the filtered output in the {cache_filter} table.
* The caller may set this to FALSE when the output is already cached
* elsewhere to avoid duplicate cache lookups and storage.
- * @param array|FALSE $filter_types_to_skip
- * An array of filter types to skip, or FALSE (default) to skip no filter
- * types. All of the format's filters will be applied, except for filters of
- * the types that are marked to be skipped. FILTER_TYPE_SECURITY is the only
- * type that cannot be skipped.
+ * @param array $filter_types_to_skip
+ * An array of filter types to skip, or the empty array (default) to skip no
+ * filter types. All of the format's filters will be applied, except for
+ * filters of the types that are marked to be skipped. FILTER_TYPE_SECURITY is
+ * the only type that cannot be skipped.
*
* @return
* The filtered text.
*
* @ingroup sanitization
*/
-function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE, $filter_types_to_skip = FALSE) {
+function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE, $filter_types_to_skip = array()) {
if (!isset($format_id)) {
$format_id = filter_fallback_format();
}
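Review bot: The new default `array()` is documented but not enforced, because `$filter_types_to_skip` has no type declaration in the signature. A caller that still passes `FALSE` (the previously documented value) now reaches the `in_array()` call in the next hunk with a non-array haystack, since the `$filter_types_to_skip &&` guard is removed there. Declaring the parameter as `array $filter_types_to_skip = array()` would fail early and visibly, rather than inside the check that protects FILTER_TYPE_SECURITY. The body of check_markup() continues outside this hunk.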
@@ -933,11 +941,8 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE,
}
// Prevent FILTER_TYPE_SECURITY from being skipped.
- if ($filter_types_to_skip && in_array(FILTER_TYPE_SECURITY, $filter_types_to_skip)) {
+ if (in_array(FILTER_TYPE_SECURITY, $filter_types_to_skip)) {
$filter_types_to_skip = array_diff($filter_types_to_skip, array(FILTER_TYPE_SECURITY));
- if (empty($filter_types_to_skip)) {
- $filter_types_to_skip = FALSE;
- }
}
// When certain filters should be skipped, don't perform caching.
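Review bot: `in_array(FILTER_TYPE_SECURITY, $filter_types_to_skip)` compares loosely while `array_diff()` compares string representations, so the guard and the removal can disagree for entries that are not exactly the constant's type (a boolean, for example). Since `array_diff()` is a no-op on a list that lacks the value, the condition can be dropped and the removal run unconditionally: `$filter_types_to_skip = array_diff($filter_types_to_skip, array(FILTER_TYPE_SECURITY));`. The code that applies the skip list is outside this hunk. If it also uses a loose `in_array()`, passing `TRUE` as the third argument there would keep it from matching an entry this step did not remove; that is worth confirming.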
diff --git a/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php b/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php
index 7af2180..8101410 100644
--- a/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php
+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterAPITest.php
@@ -68,7 +68,7 @@ class FilterAPITest extends WebTestBase {
$expected_filter_text_without_html_generators = "Text with evil content and a URL: http://drupal.org!";
$this->assertIdentical(
- check_markup($text, 'filtered_html', '', FALSE, FALSE),
+ check_markup($text, 'filtered_html', '', FALSE, array()),
$expected_filtered_text,
t('Expected filter result.')
);
diff --git a/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php b/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php
index bdf3de7..4f5252d 100644
--- a/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php
+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterSecurityTest.php
@@ -93,7 +93,7 @@ class FilterSecurityTest extends WebTestBase {
function testSkipSecurityFilters() {
$text = "Text with some disallowed tags: , ,
.";
$expected_filtered_text = "Text with some disallowed tags: , unicorn, .";
- $this->assertEqual(check_markup($text, 'filtered_html', '', FALSE, FALSE), $expected_filtered_text, t('Expected filter result.'));
+ $this->assertEqual(check_markup($text, 'filtered_html', '', FALSE, array()), $expected_filtered_text, t('Expected filter result.'));
$this->assertEqual(check_markup($text, 'filtered_html', '', FALSE, array(FILTER_TYPE_SECURITY)), $expected_filtered_text, t('Expected filter result, even when trying to disable filters of the FILTER_TYPE_SECURITY type.'));
}
}
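Review bot: testSkipSecurityFilters() only exercises a skip list that is empty or holds FILTER_TYPE_SECURITY alone, so the simplified guard in check_markup() is never tested with a mixed list. One more assertion would cover it: pass FILTER_TYPE_SECURITY together with another filter type and expect the disallowed tags to still be stripped. That would pin that removing the security type leaves the rest of the list intact without re-enabling the skip for security filters. A comment above the assertions such as `// FILTER_TYPE_SECURITY must never be skippable, alone or combined with other types.` would record the intent.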