
XSS content check for 'invalid_protocols' can trigger false-positives

Open w00fz opened this issue 4 years ago • 4 comments

If your content includes legitimate text that contains a protocol, it gets flagged as a false positive. Example:

Pre-publication image data: management and processing

This triggers invalid_protocols, caused by the default data protocol value.


One solution is to ensure the protocol is followed by at least one non-space character. If there is a space, it should be ignored.

w00fz, Mar 19 '21 23:03

But you can have a space in, for example, javascript:. Also, the method removes all the space characters for some reason.

It may be better if we improved the detection to find HTML tags and only look into the attributes...

mahagr, Mar 31 '21 08:03

Related to #3175.

I think we need to change the regexps so that there's regexp that just finds the tags and calls a callback method for determining the details. In most cases, we need to find only the opening tag -- with the exception of some special ones such as code block and script/style tag.

mahagr, Mar 31 '21 17:03

I did add the whitespace check but it doesn't fully resolve the problem. It just allows a way around the issue of a false positive.

Checking inside HTML tags is not trivial as it will basically require the use of a parser to accurately determine the scope of the tags. The other downside is that it will be MUCH slower than the regex alone.

rhukster, Apr 20 '21 20:04

Any updates here? I stumbled across a similar problem and after some trying and searching I found the root of the issue: the following line in the content:

Here comes some metadata: foo, bar, baz

A space between the word and the colon doesn't help:

Here comes some metadata : foo, bar, baz

I have to avoid the colon to hide the XSS warning:

Here comes some metadata – foo, bar, baz

This is strange behavior and should be fixed. It took me a while, but our editors were really at a loss.

rwam, Dec 05 '25 13:12
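The three approaches debated above (a whitespace-stripping regex over the whole document, the "require a non-space character after the colon" tweak, and a tag-aware scan of URL attributes) are compared side by side in the added example below. It is illustration code written for this page, not Grav's Security class: the "naive" check is only a model of the behaviour the thread describes, the scheme list and the set of URL-bearing attributes are assumptions, and the sample inputs are constructed from the false positives reported by w00fz and rwam plus a few payloads that any check must still catch.

```python
import re
from html.parser import HTMLParser
from typing import Optional

# Schemes treated as dangerous. This list is an assumption made for the example;
# Grav's configured default for `invalid_protocols` may differ.
INVALID_PROTOCOLS = ("javascript", "livescript", "vbscript", "mocha", "feed", "data")

# Attributes whose value the browser resolves as a URL (assumed set). Only here
# can a scheme actually be dereferenced; `title`, `alt` or text nodes cannot.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href",
                  "background", "poster", "cite", "data"}

_PROTO_RE = re.compile("(" + "|".join(INVALID_PROTOCOLS) + "):", re.IGNORECASE)


def naive_check(content: str) -> list[str]:
    """Model of the behaviour described in the thread (not Grav's code): delete
    every whitespace character, then report any `<scheme>:` found anywhere in
    the document, in markup or in prose. It does not decode character
    references first; whether a real implementation does is not shown here."""
    collapsed = re.sub(r"\s+", "", content)
    return sorted({m.group(1).lower() for m in _PROTO_RE.finditer(collapsed)})


def whitespace_aware_check(content: str) -> list[str]:
    """The mitigation proposed in the first comment: keep whitespace and require
    a non-space character directly after the colon. Prose like `data: management`
    passes, but the scheme is still matched literally, so a tab inside
    `javascript:` (which browsers delete before parsing the URL) is missed."""
    pattern = re.compile("(" + "|".join(INVALID_PROTOCOLS) + r"):(?=\S)", re.IGNORECASE)
    return sorted({m.group(1).lower() for m in pattern.finditer(content)})


_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def leading_scheme(value: str) -> Optional[str]:
    """Scheme of an attribute value after the normalisation browsers apply to a
    URL: strip leading/trailing C0 controls and spaces, delete ASCII tab and
    newline anywhere, compare case-insensitively."""
    value = value.strip(_C0_AND_SPACE)
    value = value.replace("\t", "").replace("\n", "").replace("\r", "")
    m = _SCHEME_RE.match(value.lower())
    return m.group(1) if m else None


class UrlAttributeScanner(HTMLParser):
    """Tag-aware variant suggested later in the thread: walk start tags and
    inspect only URL-bearing attributes. html.parser decodes character
    references in attribute values, so `&#106;avascript:` is seen as
    `javascript:`. Script/style bodies are deliberately not examined here."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # names arrive lowercased
            if value is None or name not in URL_ATTRIBUTES:
                continue
            scheme = leading_scheme(value)
            if scheme in INVALID_PROTOCOLS:
                self.findings.append((tag, name, scheme))


def attribute_scoped_check(content: str) -> list[tuple[str, str, str]]:
    scanner = UrlAttributeScanner()
    scanner.feed(content)
    scanner.close()
    return scanner.findings


# Constructed inputs: the two false positives reported in the thread, a title
# attribute carrying the same prose, and four payloads that must be caught.
SAMPLES = {
    "prose (w00fz)": "<p>Pre-publication image data: management and processing</p>",
    "prose (rwam)": "<p>Here comes some metadata: foo, bar, baz</p>",
    "title attribute": '<abbr title="data: management">DM</abbr>',
    "plain payload": '<a href="javascript:alert(1)">x</a>',
    "tab-split payload": '<a href="java\tscript:alert(1)">x</a>',
    "entity payload": '<a href="&#106;avascript:alert(1)">x</a>',
    "padded data URL": '<img src="\n  data:text/html;base64,PHNjcmlwdD4=">',
}


def compare(samples: dict[str, str]) -> dict[str, dict[str, list]]:
    """Run all three checks over every sample."""
    return {
        label: {
            "naive": naive_check(markup),
            "whitespace_aware": whitespace_aware_check(markup),
            "attribute_scoped": attribute_scoped_check(markup),
        }
        for label, markup in samples.items()
    }


if __name__ == "__main__":
    for label, result in compare(SAMPLES).items():
        print(f"{label:20} {result}")
```

The naive model flags both prose samples (and "metadata:" because the pattern has no word boundary, which is exactly rwam's case); the whitespace-aware variant clears them but lets the tab-split payload through; the attribute-scoped scan clears the prose, catches all four payloads, and, as rhukster notes, costs a full tokenisation pass instead of one regex over the string.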