outerSource is a special property, and its only purpose is to revert a tag to its previous, unparsed state after being parsed, as if it had not been recognized.

Thus, technically, the "source" applies only to the opening and closing elements. The content is still filtered and rendered.

Unfortunately, now that the tag options and attributes bypass all filters, this means the outerSource is a concatenation of unprocessed text (the opening tag) and processed text (the content). This is bad, because if a tag plugin ever disappears, then the fallback plugin will happily print out [missing_tag=<script>console.log("Ha ha! Mine is an evil laugh!");</script>]...[/missing_tag].
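To make the concatenation hazard concrete, here is an added, simplified Python model of the problem; it is not the xbbcode module's code, and the `Tag`, `render` and `PLUGINS` names are assumptions. It renders the rendered content the same way in both modes and differs only in whether the unparsed opening and closing tag text is escaped before being glued onto it.

```python
import html
import re

# Added, simplified model of the problem described above; not the xbbcode module's code.
# A tag's option text bypasses the text filters, so the fallback must not echo it raw.
TAG_RE = re.compile(
    r"\[(?P<name>\w+)(?:=(?P<option>[^\]]*))?\](?P<body>.*?)\[/(?P=name)\]", re.S)

class Tag:
    def __init__(self, name, option, body, safe):
        self.name, self.option, self.body, self.safe = name, option, body, safe

    def opening(self):
        return f"[{self.name}={self.option}]" if self.option is not None else f"[{self.name}]"

    def content(self):
        # Rendered inner content: nested tags render, literal text is escaped.
        return render(self.body, self.safe)

    def outer_source(self):
        closing = f"[/{self.name}]"
        if not self.safe:
            # Vulnerable: unprocessed tag text concatenated with processed content.
            return self.opening() + self.content() + closing
        # Hardened: escape the unparsed parts as the filter would for unrecognized text.
        return html.escape(self.opening()) + self.content() + html.escape(closing)

# Hypothetical plugin table: only [b] has a handler, so any other tag falls back.
PLUGINS = {"b": lambda tag: "<strong>" + tag.content() + "</strong>"}

def render(text, safe=True):
    """Render BBCode; tags without a plugin fall back to their outerSource."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        tag = Tag(m.group("name"), m.group("option"), m.group("body"), safe)
        plugin = PLUGINS.get(tag.name)
        out.append(plugin(tag) if plugin else tag.outer_source())
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# Constructed sample input: an option carrying markup, inside a tag with no plugin.
SAMPLE = "[missing_tag=<script>x()</script>]hi [b]there[/b][/missing_tag]"

if __name__ == "__main__":
    print(render(SAMPLE, safe=False))  # script tag reaches the output unescaped
    print(render(SAMPLE, safe=True))   # script tag arrives as &lt;script&gt;
```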

Comments


cburschka:

(Actually, the whole thing is much more broken than that right now - content() itself is no longer marked as safe by the Element class, which means nested tags are broken.)

cburschka:

Status: Active » Needs review
Attachment: new, 2.24 KB

W.r.t. the above, for some reason this bug doesn't have symptoms. Even when $tag->content() and $tag->option() are both strings, the markup in $tag->content() is passed through and the markup in $tag->option() is escaped.

Despite this, it's clearly incorrect not to mark content() as safe.

  • cburschka committed d1893a9 on 8.x-3.x
    Issue #2634224: safe content() and outerSource().
    
    - content() contains...
cburschka:

Status: Needs review » Fixed

  • cburschka committed 2a5b65c on 8.x-3.x
    Issue #2634224: Document tag.outerSource variable.
    
    The tag.outerSource...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.