Question

I am using a Drupal 8.6.13 text field with the Full HTML text format for a field where we want to have content with inline base64 images (due to the synchronization with Gather Content).

Synchronization works well and the image content is being saved in a Drupal text field, but the "data:" part is somehow filtered out - most probably by the text format filter.

Long text field's source content:

<img alt="null" src="data:image/png;base64,...." />

becomes

<img alt="null" src="image/png;base64,...." />

after saving.

"Limit allowed HTML tags and correct faulty HTML" is active for the Full HTML text format. We need this to limit heading types. If I disable the "Limit allowed HTML tags" option, then it works as expected.

Allowed tags are: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type class> <ol start type> <li class> <dl> <dt> <dd> <h4 id> <s> <sup> <sub> <img src data alt data-entity-type data-entity-uuid data-align data-caption> <table> <caption> <tbody> <thead> <tfoot> <th> <td> <tr> <hr> <p> <button>

Any idea how to prevent data: from being filtered out of the src attribute of an image tag and keep the "Limit allowed HTML tags" option active?

Solution

I believe I tracked this down. The filter you mentioned calls Xss::filter() on the text. Xss::filter() looks at the src attribute and will strip any protocols that have not been allowed. It sees anything of the form XYZ: as a protocol, in this case data:. I added - data to my docroot/sites/default/services.yml filter_protocols value and that stopped the data: from being stripped. I don't know if this opens any other security concerns or not.
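
A simplified Python model of the scheme check described in the answer above (an added example, not Drupal's code and not part of the original answer); the function name, the allow-list contents and the sample URIs are assumptions constructed for illustration. It reproduces the stripping seen in the question and shows that the allow-list keys on the scheme alone, so adding data admits every data: URI in a checked attribute, not only images.

```python
import re

# Assumed allow-list, modelled on the stock filter_protocols list in services.yml.
DEFAULT_PROTOCOLS = ["http", "https", "ftp", "news", "nntp", "tel", "telnet",
                     "mailto", "irc", "ssh", "sftp", "webcal", "rtsp"]

# Constructed sample values (short base64 payloads, not real content).
IMG_SRC = "data:image/png;base64,iVBORw0KGgo="
NON_IMAGE = "data:text/plain;base64,aGVsbG8="


def strip_disallowed_protocols(uri, allowed):
    """Repeatedly drop a leading 'xyz:' whose scheme is not in the allow-list."""
    allowed = {p.lower() for p in allowed}
    while True:
        before = uri
        colon = uri.find(":")
        if colon > 0:
            scheme = uri[:colon]
            # A '/', '?' or '#' before the colon means a relative URL, not a scheme.
            if re.search(r"[/?#]", scheme):
                break
            # Scheme comparison is case-insensitive.
            if scheme.lower() not in allowed:
                uri = uri[colon + 1:]
        if uri == before:
            break
    return uri


def audit(uris, allowed):
    """Return {uri: filtered_uri} so a change to the allow-list can be reviewed."""
    return {u: strip_disallowed_protocols(u, allowed) for u in uris}


if __name__ == "__main__":
    samples = [IMG_SRC, NON_IMAGE, "/files/a.png?size=1:2", "https://example.com/a.png"]
    for label, protocols in (("default", DEFAULT_PROTOCOLS),
                             ("with data", DEFAULT_PROTOCOLS + ["data"])):
        print(label)
        for original, filtered in audit(samples, protocols).items():
            print("  %-40s -> %s" % (original, filtered))
```

Because filter_protocols is a site-wide parameter, the second run is the one to review before deploying the change: it applies to every text format and every attribute that goes through this check.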

Licensed under: CC-BY-SA with attribution