Issue #2506485 by justAChris, akalata, subhojit777: Test that Header label + customized label wrapper of a Views table display is not double escaped

core/modules/views/src/Tests/ViewsEscapingTest.php

@@ -19,7 +19,7 @@ class ViewsEscapingTest extends ViewTestBase {
    *
    * @var array
    */
-  public static $testViews = array('test_page_display');
+  public static $testViews = array('test_page_display', 'test_field_header');
 
   /**
    * Used by WebTestBase::setup()
@@ -69,4 +69,21 @@ class ViewsEscapingTest extends ViewTestBase {
     $this->assertNoEscaped('<');
   }
 
+  /**
+   * Tests for incorrectly escaped markup in a header label on a display table.
+   */
+  public function testViewsFieldHeaderEscaping() {
+    // Test with a field header label having an html element wrapper.
+    $this->drupalGet('test_field_header');
+
+    // Assert that there are no escaped '<'s characters.
+    $this->assertNoEscaped('<');
+
+    // Test with a field header label having a XSS test as a wrapper.
+    $this->drupalGet('test_field_header_xss');
+
+    // Assert that XSS test is escaped.
+    $this->assertNoRaw('<script>alert("XSS")</script>', 'Harmful tags are escaped in header label.');
+  }
+
 }

core/modules/views/tests/modules/views_test_config/test_views/views.view.test_field_header.yml

@@ -0,0 +1,71 @@
+langcode: en
+status: true
+dependencies: {  }
+id: test_field_header
+label: null
+module: views
+description: ''
+tag: ''
+base_table: views_test_data
+base_field: nid
+core: '8'
+display:
+  default:
+    display_options:
+      fields:
+        name:
+          id: name
+          table: views_test_data
+          field: name
+          plugin_id: string
+          element_label_type: h2
+      style:
+        type: table
+      display_extenders: {  }
+    display_plugin: default
+    display_title: Master
+    id: default
+    position: 0
+    cache_metadata:
+      max-age: 0
+      contexts:
+        - 'languages:language_interface'
+        - url.query_args
+      tags: {  }
+  page_1:
+    display_options:
+      path: test_field_header
+      display_extenders: {  }
+    display_plugin: page
+    display_title: Page
+    id: page_1
+    position: 1
+    cache_metadata:
+      max-age: 0
+      contexts:
+        - 'languages:language_interface'
+        - url.query_args
+      tags: {  }
+  page_2:
+    display_options:
+      path: test_field_header_xss
+      defaults:
+        fields: false
+      fields:
+        name:
+          id: name
+          table: views_test_data
+          field: name
+          plugin_id: string
+          element_label_type: 'script>alert("XSS")</script'
+      display_extenders: {  }
+    display_plugin: page
+    display_title: 'Page 2'
+    id: page_2
+    position: 2
+    cache_metadata:
+      max-age: 0
+      contexts:
+        - 'languages:language_interface'
+        - url.query_args
+      tags: {  }