Issue #2825683 by acbramley, ayushmishra206, NitinLama, mohit_aghera, Ramya Balasubramanian, ranjith_kumar_k_u, Abhijith S, Lendude, pameeela, alexpott, smustgrave: Use Xss::filter() for the view title to ensure that the preview matches the actual display

merge-requests/3588/head
Alex Pott 2023-03-06 10:03:52 +00:00
parent 15cebd324b
commit f953b42323
No known key found for this signature in database
GPG Key ID: BDA67E7EE836E5CE
3 changed files with 35 additions and 1 deletions


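--- a/[path-not-on-page]/ViewUI.php
+++ b/[path-not-on-page]/ViewUI.php
@@ -4,6 +4,7 @@ namespace Drupal\views_ui;
 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\Timer;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\EventSubscriber\AjaxResponseSubscriber;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Link;
@@ -697,6 +698,7 @@ class ViewUI implements ViewEntityInterface {
 [
 'data' => [
 '#markup' => $executable->getTitle(),
+'#allowed_tags' => Xss::getHtmlTagList(),
 ],
 ],
 ];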
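Review bot: The new `'#allowed_tags' => Xss::getHtmlTagList()` entry on the title `#markup` needs a one-line comment saying why this particular tag list is chosen, because a `#markup` element without `#allowed_tags` is filtered with the broader admin tag list and the preview would then show tags that the rendered page strips; e.g. `// Filter with the same tag list Xss::filter() applies to the real page title so the preview matches the actual display.`. The identical title render array is built a second time in `views_ui_preprocess_views_view()` (third file of this commit); the two copies will drift unless the tag list, or the whole title render array, comes from one shared helper in views_ui. The enclosing method starts and ends outside this hunk.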


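--- a/[path-not-on-page]/PreviewTest.php
+++ b/[path-not-on-page]/PreviewTest.php
@@ -14,7 +14,13 @@ class PreviewTest extends UITestBase {
 *
 * @var array
 */
-public static $testViews = ['test_preview', 'test_preview_error', 'test_pager_full', 'test_mini_pager', 'test_click_sort'];
+public static $testViews = [
+'test_preview',
+'test_preview_error',
+'test_pager_full',
+'test_mini_pager',
+'test_click_sort',
+];
 /**
 * {@inheritdoc}
@@ -171,4 +177,28 @@ SQL;
 $this->assertSession()->pageTextContains('Unable to preview due to validation errors.');
 }
+/**
+* Tests HTML is filtered from the view title when previewing.
+*/
+public function testPreviewTitle() {
+// Update the view and change title with html tags.
+\Drupal::configFactory()->getEditable('views.view.test_preview')
+->set('display.default.display_options.title', '<strong>Test preview title</strong>')
+->save();
+$this->drupalGet('admin/structure/views/view/test_preview/edit');
+$this->assertSession()->statusCodeEquals(200);
+$this->submitForm([], 'Update preview');
+$this->assertSession()->pageTextContains('Test preview title');
+// Ensure allowed HTML tags are still displayed.
+$this->assertCount(2, $this->xpath('//div[@id="views-live-preview"]//strong[text()=:text]', [':text' => 'Test preview title']));
+// Ensure other tags are filtered.
+\Drupal::configFactory()->getEditable('views.view.test_preview')
+->set('display.default.display_options.title', '<b>Test preview title</b>')
+->save();
+$this->submitForm([], 'Update preview');
+$this->assertCount(0, $this->xpath('//div[@id="views-live-preview"]//b[text()=:text]', [':text' => 'Test preview title']));
+}
 }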
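Review bot: After the title is changed to `<b>Test preview title</b>`, `testPreviewTitle()` only asserts that no `<b>` element survives in the live preview; it never asserts that the title text itself is still rendered, so an implementation that dropped the whole title (or the whole preview) would pass this test too. Add `$this->assertSession()->pageTextContains('Test preview title');` after the second `submitForm()` call. The `assertCount(2, ...)` on the `<strong>` xpath is also an unexplained magic number; a comment stating where the two occurrences come from (presumably the preview header and the rendered view output, to be confirmed) would help the next maintainer. Since `<b>` is merely outside the default tag list, a third case using a tag that `Xss::filter()` never allows would pin the security-relevant behaviour more directly than the `<b>` case alone.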


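--- a/[path-not-on-page]/views_ui module file
+++ b/[path-not-on-page]/views_ui module file
@@ -5,6 +5,7 @@
 * Provide structure for the administrative interface to Views.
 */
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Routing\RouteMatchInterface;
 use Drupal\Core\Url;
 use Drupal\views\ViewExecutable;
@@ -135,6 +136,7 @@ function views_ui_preprocess_views_view(&$variables) {
 if (!empty($view->live_preview)) {
 $variables['title'] = [
 '#markup' => $view->getTitle(),
+'#allowed_tags' => Xss::getHtmlTagList(),
 ];
 }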