Merge branch '5.2' into 5

src/Forms/HTMLEditor/HTMLEditorSanitiser.php

@@ -343,7 +343,7 @@ class HTMLEditorSanitiser
                 }
 
                 // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
-                $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
+                $regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html;')) . ')#i';
                 // Strip out javascript execution in href or src attributes.
                 foreach (['src', 'href', 'data'] as $dangerAttribute) {
                     if ($el->hasAttribute($dangerAttribute)) {

src/Forms/HTMLEditor/TinyMCEConfig.php

@@ -322,7 +322,8 @@ class TinyMCEConfig extends HTMLEditorConfig implements i18nEntityProvider
         . "-div[id|dir|class|align|style],-span[class|align|style],-pre[class|align],address[class|align],"
         . "-h1[id|dir|class|align|style],-h2[id|dir|class|align|style],-h3[id|dir|class|align|style],"
         . "-h4[id|dir|class|align|style],-h5[id|dir|class|align|style],-h6[id|dir|class|align|style],hr[class],"
-        . "dd[id|class|title|dir],dl[id|class|title|dir],dt[id|class|title|dir],"
+        . "dd[id|class|title|dir],dl[id|class|title|dir],dt[id|class|title|dir],",
+        'convert_unsafe_embeds' => true, // SS-2024-001
     ];
 
     protected $settings = [];

tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php

@@ -120,7 +120,31 @@ class HTMLEditorSanitiserTest extends FunctionalTest
                 'object[data]',
                 '<object data=javascript:alert()>',
                 '<object></object>',
-                'Object with dangerous content in data attribute is completely removed'
+                'Object with dangerous javascript content in data attribute is completely removed'
+            ],
+            [
+                'object[data]',
+                '<object data="javascript:alert()">',
+                '<object></object>',
+                'Object with dangerous javascript content in data attribute with quotes is completely removed'
+            ],
+            [
+                'object[data]',
+                '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
+                '<object></object>',
+                'Object with dangerous html content in data attribute is completely removed'
+            ],
+            [
+                'object[data]',
+                '<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
+                '<object></object>',
+                'Object with split upper-case dangerous html content in data attribute is completely removed'
+            ],
+            [
+                'object[data]',
+                '<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
+                '<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4="></object>',
+                'Object with safe xml content in data attribute is retained'
             ],
             [
                 'img[src]',