opdavies/drupalcampbristol
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update to Drupal 8.0.0 beta 14. For more information, see https://drupal.org/node/2544542

Browse source
This commit is contained in:
Pantheon Automation 2015-08-27 12:03:05 -07:00 committed by Greg Anderson
parent 3b2511d96d
commit 81ccda77eb
2155 changed files with 54307 additions and 46870 deletions
Download patch file Download diff file Expand all files Collapse all files

6
core/lib/Drupal/Component/Utility/Crypt.php
View file

@ -106,7 +106,7 @@ class Crypt {
$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
// Modify the hmac so it's safe to use in URLs.
return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
return str_replace(['+', '/', '='], ['-', '_', ''], $hmac);
}
/**
@ -122,7 +122,7 @@ class Crypt {
public static function hashBase64($data) {
$hash = base64_encode(hash('sha256', $data, TRUE));
// Modify the hash so it's safe to use in URLs.
return strtr($hash, array('+' => '-', '/' => '_', '=' => ''));
return str_replace(['+', '/', '='], ['-', '_', ''], $hash);
}
/**
@ -137,7 +137,7 @@ class Crypt {
* @see \Drupal\Component\Utility\Crypt::randomBytes()
*/
public static function randomBytesBase64($count = 32) {
return strtr(base64_encode(static::randomBytes($count)), array('+' => '-', '/' => '_', '=' => ''));
return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(static::randomBytes($count)));
}
}

2
core/lib/Drupal/Component/Utility/Html.php
View file

@ -187,7 +187,7 @@ class Html {
* @see self::getUniqueId()
*/
public static function getId($id) {
$id = strtr(Unicode::strtolower($id), array(' ' => '-', '_' => '-', '[' => '-', ']' => ''));
$id = str_replace([' ', '_', '[', ']'], ['-', '-', '-', ''], Unicode::strtolower($id));
// As defined in http://www.w3.org/TR/html4/types.html#type-name, HTML IDs can
// only contain letters, digits ([0-9]), hyphens ("-"), underscores ("_"),

80
core/lib/Drupal/Component/Utility/SafeMarkup.php
View file

@ -15,9 +15,9 @@ namespace Drupal\Component\Utility;
* provides a store for known safe strings and methods to manage them
* throughout the page request.
*
* Strings sanitized by self::checkPlain() or Xss::filter() are automatically
* marked safe, as are markup strings created from render arrays via
* drupal_render().
* Strings sanitized by self::checkPlain() and self::escape() or
* self::xssFilter() are automatically marked safe, as are markup strings
* created from @link theme_render render arrays @endlink via drupal_render().
*
* This class should be limited to internal use only. Module developers should
* instead use the appropriate
@ -141,17 +141,79 @@ class SafeMarkup {
/**
* Applies a very permissive XSS/HTML filter for admin-only use.
*
* @param string $string
* A string.
* Note: This method only filters if $string is not marked safe already.
*
* @return string
* The escaped string. If $string was already set as safe with
* self::set(), it won't be escaped again.
* @deprecated as of Drupal 8.0.x, will be removed before Drupal 8.0.0. If the
* string used as part of a @link theme_render render array @endlink use
* #markup to allow the render system to filter automatically. If the result
* is not being used directly in the rendering system (for example, when its
* result is being combined with other strings before rendering), use
* Xss::filterAdmin(). Otherwise, use SafeMarkup::xssFilter() and the tag
* list provided by Xss::getAdminTagList() instead. In the rare instance
* that the caller does not want to filter strings that are marked safe
* already, it needs to check SafeMarkup::isSafe() itself.
*
* @see \Drupal\Component\Utility\SafeMarkup::xssFilter()
* @see \Drupal\Component\Utility\SafeMarkup::isSafe()
* @see \Drupal\Component\Utility\Xss::filterAdmin()
* @see \Drupal\Component\Utility\Xss::getAdminTagList()
*/
public static function checkAdminXss($string) {
return static::isSafe($string) ? $string : Xss::filterAdmin($string);
return static::isSafe($string) ? $string : static::xssFilter($string, Xss::getAdminTagList());
}
/**
* Filters HTML for XSS vulnerabilities and marks the result as safe.
*
* Calling this method unnecessarily will result in bloating the safe string
* list and increases the chance of unintended side effects.
*
* If Twig receives a value that is not marked as safe then it will
* automatically encode special characters in a plain-text string for display
* as HTML. Therefore, SafeMarkup::xssFilter() should only be used when the
* string might contain HTML that needs to be rendered properly by the
* browser.
*
* If you need to filter for admin use, like Xss::filterAdmin(), then:
* - If the string is used as part of a @link theme_render render array @endlink,
* use #markup to allow the render system to filter by the admin tag list
* automatically.
* - Otherwise, use the SafeMarkup::xssFilter() with tag list provided by
* Xss::getAdminTagList() instead.
*
* This method should only be used instead of Xss::filter() when the result is
* being added to a render array that is constructed before rendering begins.
*
* In the rare instance that the caller does not want to filter strings that
* are marked safe already, it needs to check SafeMarkup::isSafe() itself.
*
* @param $string
* The string with raw HTML in it. It will be stripped of everything that
* can cause an XSS attack. The string provided will always be escaped
* regardless of whether the string is already marked as safe.
* @param array $html_tags
* (optional) An array of HTML tags. If omitted, it uses the default tag
* list defined by \Drupal\Component\Utility\Xss::filter().
*
* @return string
* An XSS-safe version of $string, or an empty string if $string is not
* valid UTF-8. The string is marked as safe.
*
* @ingroup sanitization
*
* @see \Drupal\Component\Utility\Xss::filter()
* @see \Drupal\Component\Utility\Xss::filterAdmin()
* @see \Drupal\Component\Utility\Xss::getAdminTagList()
* @see \Drupal\Component\Utility\SafeMarkup::isSafe()
*/
public static function xssFilter($string, $html_tags = NULL) {
if (is_null($html_tags)) {
$string = Xss::filter($string);
}
else {
$string = Xss::filter($string, $html_tags);
}
return static::set($string);
}
/**

2
core/lib/Drupal/Component/Utility/UrlHelper.php
View file

@ -244,7 +244,7 @@ class UrlHelper {
$base_parts = parse_url($base_url);
if (empty($base_parts['host']) || empty($url_parts['host'])) {
throw new \InvalidArgumentException(SafeMarkup::format('A path was passed when a fully qualified domain was expected.'));
throw new \InvalidArgumentException('A path was passed when a fully qualified domain was expected.');
}
if (!isset($url_parts['path']) || !isset($base_parts['path'])) {

40
core/lib/Drupal/Component/Utility/Xss.php
View file

@ -29,14 +29,19 @@ class Xss {
* Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses.
* For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
*
* This code does five things:
* This method is preferred to
* \Drupal\Component\Utility\SafeMarkup::xssFilter() when the result is not
* being used directly in the rendering system (for example, when its result
* is being combined with other strings before rendering). This avoids
* bloating the safe string list with partial strings if the whole result will
* be marked safe.
*
* This code does four things:
* - Removes characters and constructs that can trick browsers.
* - Makes sure all HTML entities are well-formed.
* - Makes sure all HTML tags and attributes are well-formed.
* - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g.
* javascript:).
* - Marks the sanitized, XSS-safe version of $string as safe markup for
* rendering.
*
* @param $string
* The string with raw HTML in it. It will be stripped of everything that
@ -49,7 +54,7 @@ class Xss {
* valid UTF-8.
*
* @see \Drupal\Component\Utility\Unicode::validateUtf8()
* @see \Drupal\Component\Utility\SafeMarkup
* @see \Drupal\Component\Utility\SafeMarkup::xssFilter()
*
* @ingroup sanitization
*/
@ -83,7 +88,7 @@ class Xss {
// for output. All other known XSS vectors have been filtered out by this
// point and any HTML tags remaining will have been deliberately allowed, so
// it is acceptable to call SafeMarkup::set() on the resultant string.
return SafeMarkup::set(preg_replace_callback('%
return preg_replace_callback('%
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
@ -92,7 +97,7 @@ class Xss {
<[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
| # or
> # just a >
)%x', $splitter, $string));
)%x', $splitter, $string);
}
/**
@ -103,6 +108,13 @@ class Xss {
* is desired (so \Drupal\Component\Utility\SafeMarkup::checkPlain() is
* not acceptable).
*
* This method is preferred to
* \Drupal\Component\Utility\SafeMarkup::xssFilter() when the result is
* not being used directly in the rendering system (for example, when its
* result is being combined with other strings before rendering). This avoids
* bloating the safe string list with partial strings if the whole result will
* be marked safe.
*
* Allows all tags that can be used inside an HTML body, save
* for scripts and styles.
*
@ -111,6 +123,12 @@ class Xss {
*
* @return string
* The filtered string.
*
* @ingroup sanitization
*
* @see \Drupal\Component\Utility\SafeMarkup::xssFilter()
* @see \Drupal\Component\Utility\Xss::getAdminTagList()
*
*/
public static function filterAdmin($string) {
return static::filter($string, static::$adminTags);
@ -319,4 +337,14 @@ class Xss {
return !isset($html_tags[strtolower($elem)]);
}
/**
* Gets the list of html tags allowed by Xss::filterAdmin().
*
* @return array
* The list of html tags allowed by filterAdmin().
*/
public static function getAdminTagList() {
return static::$adminTags;
}
}

2
core/lib/Drupal/Component/Utility/composer.json
View file

@ -5,7 +5,7 @@
"homepage": "https://www.drupal.org/project/drupal",
"license": "GPL-2.0+",
"require": {
"php": ">=5.3.10"
"php": ">=5.5.9"
},
"autoload": {
"psr-0": {