This module filters out URLs like background-image: url(http://example.com/image.jpg) no matter what you put in the "allowed URLs" box, because it tosses out anything with a non-standard protocol, and url(http isn't an allowed protocol. Since this module has its own xss protocol filter, I patched this bug by allowing the protocols 'url(http', 'url("http', 'url(https', and 'url("https'.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | wysiwyg_filter-363284-1.patch | 1.59 KB | markus_petrux |
| | fix_url_removed_by_xss_bad_protocol.patch | 1.14 KB | jamuraa |
Comments
Comment #1
markus_petrux commented:
Would you mind trying this one?
Function wysiwyg_filter_xss_bad_protocol() is not altered, but the caller is fixed instead.
Comment #2
jamuraa commented:
This patch tests fine for me as well, and is the correct way to solve this issue; I should have done it this way.
Comment #3
markus_petrux commented:
I'll commit this as soon as possible. Thanks
Comment #4
markus_petrux commented:
Fixed in CVS.
Comment #5
markus_petrux commented
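
The behaviour discussed in this issue, as an added example that is not the attached patch or the module's own code: a protocol allowlist check applied to a whole CSS value reads `url(http` as the scheme and strips it, while a caller that first extracts the URL from each `url(...)` token keeps the allowlist limited to real schemes. The function names, the simplified check and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not the module's API.
const EXAMPLE_ALLOWED_PROTOCOLS = ['http', 'https'];

// Simplified protocol allowlist check: repeatedly strips a leading
// "scheme:" that is not on the allowlist.
function example_strip_bad_protocol(string $value): string {
  do {
    $before = $value;
    $colon = strpos($value, ':');
    if ($colon > 0) {
      $scheme = substr($value, 0, $colon);
      // '/', '?' or '#' before the colon means a relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), EXAMPLE_ALLOWED_PROTOCOLS, true)) {
        $value = substr($value, $colon + 1);
      }
    }
  } while ($before !== $value);
  return $value;
}

// Caller-side handling: pull the URL out of each CSS url(...) token and
// run the protocol check on that URL only, then rebuild the token.
function example_filter_css_urls(string $css_value): string {
  return preg_replace_callback(
    '/url\(\s*(["\']?)([^"\')]*)\1\s*\)/i',
    function (array $m): string {
      $clean = example_strip_bad_protocol(trim($m[2]));
      return 'url(' . $m[1] . $clean . $m[1] . ')';
    },
    $css_value
  );
}

// Constructed sample values.
$samples = [
  'url(http://example.com/image.jpg)',
  'url("https://example.com/image.jpg")',
  'url(javascript:void(0))',
];
foreach ($samples as $s) {
  // Whole-value check: "url(http" is read as the scheme and stripped.
  printf("%-40s whole: %-28s per-url: %s\n", $s,
    example_strip_bad_protocol($s), example_filter_css_urls($s));
}
```

Adding `url(http` and its quoted variants to the allowlist makes the first two samples pass, but it leaves the allowlist holding strings that are not protocols; extracting the URL in the caller avoids that.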