SA-CORE-2021-002 by Jasu_M, effulgentsia, alexpott, mlhess, Wim Leers, Heine,...

SA-CORE-2021-002 by Jasu_M, effulgentsia, alexpott, mlhess, Wim Leers, Heine, pwolanin, xjm, samuel.mortenson, nwellnhof, larowlan, phenaproxima, mcrdruid

SA-CORE-2021-002 by Jasu_M, effulgentsia, alexpott, mlhess, Wim Leers, Heine,...
0d8712d8 · Jess · 00659b27 · 0d8712d8
Commit 0d8712d8 authored 3 years ago by Jess
--- a/core/lib/Drupal/Component/Utility/Xss.php
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -215,7 +215,14 @@ protected static function attributes($attributes) {
          // Attribute name, href for instance.
          if (preg_match('/^([-a-zA-Z][-a-zA-Z0-9]*)/', $attributes, $match)) {
            $attribute_name = strtolower($match[1]);
-            $skip = ($attribute_name == 'style' || substr($attribute_name, 0, 2) == 'on');
+            $skip = (
+              $attribute_name == 'style' ||
+              substr($attribute_name, 0, 2) == 'on' ||
+              substr($attribute_name, 0, 1) == '-' ||
+              // Ignore long attributes to avoid unnecessary processing
+              // overhead.
+              strlen($attribute_name) > 96
+            );

            // Values for attributes of type URI should be filtered for
            // potentially malicious protocols (for example, an href-attribute