Issue #2564283 by alexpott, stefan.r, joelpittet: Remove use of SafeMarkup::checkPlain() from adminSummary() and adminLabel() in views plugins

core/modules/views/src/Plugin/views/HandlerBase.php

@@ -181,8 +181,7 @@ abstract class HandlerBase extends PluginBase implements ViewsHandlerInterface {
    */
   public function adminLabel($short = FALSE) {
     if (!empty($this->options['admin_label'])) {
-      $title = SafeMarkup::checkPlain($this->options['admin_label']);
-      return $title;
+      return $this->options['admin_label'];
     }
     $title = ($short && isset($this->definition['title short'])) ? $this->definition['title short'] : $this->definition['title'];
     return $this->t('!group: !title', array('!group' => $this->definition['group'], '!title' => $title));

core/modules/views/src/Plugin/views/filter/FilterPluginBase.php

@@ -14,7 +14,6 @@ use Drupal\user\RoleInterface;
 use Drupal\views\Plugin\CacheablePluginInterface;
 use Drupal\views\Plugin\views\HandlerBase;
 use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\SafeMarkup;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 use Drupal\views\ViewExecutable;
 
@@ -172,7 +171,7 @@ abstract class FilterPluginBase extends HandlerBase implements CacheablePluginIn
    * Display the filter on the administrative summary
    */
   public function adminSummary() {
-    return SafeMarkup::checkPlain((string) $this->operator) . ' ' . SafeMarkup::checkPlain((string) $this->value);
+    return $this->operator . ' ' . $this->value;
   }
 
   /**

core/modules/views/src/Plugin/views/filter/InOperator.php

@@ -7,7 +7,6 @@
 
 namespace Drupal\views\Plugin\views\filter;
 
-use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Component\Utility\Unicode;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
@@ -337,7 +336,7 @@ class InOperator extends FilterPluginBase {
       return;
     }
 
-    $operator = SafeMarkup::checkPlain($info[$this->operator]['short']);
+    $operator = $info[$this->operator]['short'];
     $values = '';
     if (in_array($this->operator, $this->operatorValues(1))) {
       // Remove every element which is not known.
@@ -353,13 +352,13 @@ class InOperator extends FilterPluginBase {
       else if (count($this->value) == 1) {
         // If any, use the 'single' short name of the operator instead.
         if (isset($info[$this->operator]['short_single'])) {
-          $operator = SafeMarkup::checkPlain($info[$this->operator]['short_single']);
+          $operator = $info[$this->operator]['short_single'];
         }
 
         $keys = $this->value;
         $value = array_shift($keys);
         if (isset($flat_options[$value])) {
-          $values = SafeMarkup::checkPlain($flat_options[$value]);
+          $values = $flat_options[$value];
         }
         else {
           $values = '';
@@ -375,7 +374,7 @@ class InOperator extends FilterPluginBase {
             break;
           }
           if (isset($flat_options[$value])) {
-            $values .= SafeMarkup::checkPlain($flat_options[$value]);
+            $values .= $flat_options[$value];
           }
         }
       }

core/modules/views/src/Plugin/views/filter/NumericFilter.php

@@ -7,7 +7,6 @@
 
 namespace Drupal\views\Plugin\views\filter;
 
-use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Database\Database;
 use Drupal\Core\Form\FormStateInterface;
 
@@ -292,12 +291,12 @@ class NumericFilter extends FilterPluginBase {
     }
 
     $options = $this->operatorOptions('short');
-    $output = SafeMarkup::checkPlain($options[$this->operator]);
+    $output = $options[$this->operator];
     if (in_array($this->operator, $this->operatorValues(2))) {
       $output .= ' ' . $this->t('@min and @max', array('@min' => $this->value['min'], '@max' => $this->value['max']));
     }
     elseif (in_array($this->operator, $this->operatorValues(1))) {
-      $output .= ' ' . SafeMarkup::checkPlain($this->value['value']);
+      $output .= ' ' . $this->value['value'];
     }
     return $output;
   }

core/modules/views/src/Plugin/views/filter/StringFilter.php

@@ -7,7 +7,6 @@
 
 namespace Drupal\views\Plugin\views\filter;
 
-use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Database\Database;
 use Drupal\Core\Form\FormStateInterface;
 
@@ -162,10 +161,10 @@ class StringFilter extends FilterPluginBase {
     $options = $this->operatorOptions('short');
     $output = '';
     if (!empty($options[$this->operator])) {
-      $output = SafeMarkup::checkPlain($options[$this->operator]);
+      $output = $options[$this->operator];
     }
     if (in_array($this->operator, $this->operatorValues(1))) {
-      $output .= ' ' . SafeMarkup::checkPlain($this->value);
+      $output .= ' ' . $this->value;
     }
     return $output;
   }

core/modules/views/src/Plugin/views/row/EntityRow.php

@@ -7,7 +7,6 @@
 
 namespace Drupal\views\Plugin\views\row;
 
-use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Entity\EntityManagerInterface;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Language\LanguageManagerInterface;
@@ -160,7 +159,7 @@ class EntityRow extends RowPluginBase {
   public function summaryTitle() {
     $options = \Drupal::entityManager()->getViewModeOptions($this->entityTypeId);
     if (isset($options[$this->options['view_mode']])) {
-      return SafeMarkup::checkPlain($options[$this->options['view_mode']]);
+      return $options[$this->options['view_mode']];
     }
     else {
       return $this->t('No view mode selected');

core/modules/views_ui/src/Tests/RowUITest.php

@@ -7,6 +7,7 @@
 
 namespace Drupal\views_ui\Tests;
 
+use Drupal\Core\Entity\Entity\EntityViewMode;
 use Drupal\views\Views;
 
 /**
@@ -87,6 +88,13 @@ class RowUITest extends UITestBase {
     $this->drupalPostForm(NULL, ['row[type]' => 'entity:node'], t('Apply'));
     $this->assertUrl($row_options_url);
     $this->assertFieldByName('row_options[view_mode]', 'teaser');
+
+    // Change the teaser label to have markup so we can test escaping.
+    $teaser = EntityViewMode::load('node.teaser');
+    $teaser->set('label', 'Teaser <em>markup</em>');
+    $teaser->save();
+    $this->drupalGet('admin/structure/views/view/frontpage/edit/default');
+    $this->assertEscaped('Teaser <em>markup</em>');
   }
 
 }

core/modules/views_ui/src/Tests/XssTest.php

@@ -29,8 +29,22 @@ class XssTest extends UITestBase {
     $this->assertEscaped('<marquee>test</marquee>', 'Field admin label is properly escaped.');
 
     $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
-    $this->assertRaw('{{ title }} == &amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;', 'Token label is properly escaped.');
-    $this->assertRaw('{{ title_1 }} == &amp;lt;script&amp;gt;alert(&amp;quot;XSS&amp;quot;)&amp;lt;/script&amp;gt;', 'Token label is properly escaped.');
+    $this->assertEscaped('{{ title }} == <marquee>test</marquee>', 'Token label is properly escaped.');
+    $this->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>', 'Token label is properly escaped.');
+  }
+
+  /**
+   * Checks the admin UI for double escaping.
+   */
+  public function testNoDoubleEscaping() {
+    $this->drupalGet('admin/structure/views');
+    $this->assertNoEscaped('&lt;');
+
+    $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
+    $this->assertNoEscaped('&lt;');
+
+    $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
+    $this->assertNoEscaped('&lt;');
   }
 
 }