Issue #2825683 by acbramley, ayushmishra206, NitinLama, mohit_aghera, Ramya Balasubramanian, ranjith_kumar_k_u, Abhijith S, Lendude, pameeela, alexpott, smustgrave: Use Xss::filter() for the view title to ensure that the preview matches the actual display

2023-03-06 10:03:52 +00:00 · 2023-03-06 10:03:52 +00:00 · f953b42323
parent 15cebd324b
commit f953b42323
3 changed files with 35 additions and 1 deletions
--- a/core/modules/views_ui/src/ViewUI.php
+++ b/core/modules/views_ui/src/ViewUI.php
@ -4,6 +4,7 @@ namespace Drupal\views_ui;

 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\Timer;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\EventSubscriber\AjaxResponseSubscriber;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Link;
@ -697,6 +698,7 @@ class ViewUI implements ViewEntityInterface {
              [
                'data' => [
                  '#markup' => $executable->getTitle(),
+                  '#allowed_tags' => Xss::getHtmlTagList(),
                ],
              ],
            ];
--- a/core/modules/views_ui/tests/src/Functional/PreviewTest.php
+++ b/core/modules/views_ui/tests/src/Functional/PreviewTest.php
@ -14,7 +14,13 @@ class PreviewTest extends UITestBase {
   *
   * @var array
   */
-  public static $testViews = ['test_preview', 'test_preview_error', 'test_pager_full', 'test_mini_pager', 'test_click_sort'];
+  public static $testViews = [
+    'test_preview',
+    'test_preview_error',
+    'test_pager_full',
+    'test_mini_pager',
+    'test_click_sort',
+  ];

  /**
   * {@inheritdoc}
@ -171,4 +177,28 @@ SQL;
    $this->assertSession()->pageTextContains('Unable to preview due to validation errors.');
  }

+  /**
+   * Tests HTML is filtered from the view title when previewing.
+   */
+  public function testPreviewTitle() {
+    // Update the view and change title with html tags.
+    \Drupal::configFactory()->getEditable('views.view.test_preview')
+      ->set('display.default.display_options.title', '<strong>Test preview title</strong>')
+      ->save();
+
+    $this->drupalGet('admin/structure/views/view/test_preview/edit');
+    $this->assertSession()->statusCodeEquals(200);
+    $this->submitForm([], 'Update preview');
+    $this->assertSession()->pageTextContains('Test preview title');
+    // Ensure allowed HTML tags are still displayed.
+    $this->assertCount(2, $this->xpath('//div[@id="views-live-preview"]//strong[text()=:text]', [':text' => 'Test preview title']));
+
+    // Ensure other tags are filtered.
+    \Drupal::configFactory()->getEditable('views.view.test_preview')
+      ->set('display.default.display_options.title', '<b>Test preview title</b>')
+      ->save();
+    $this->submitForm([], 'Update preview');
+    $this->assertCount(0, $this->xpath('//div[@id="views-live-preview"]//b[text()=:text]', [':text' => 'Test preview title']));
+  }
+
 }
--- a/core/modules/views_ui/views_ui.module
+++ b/core/modules/views_ui/views_ui.module
@ -5,6 +5,7 @@
 * Provide structure for the administrative interface to Views.
 */

+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Routing\RouteMatchInterface;
 use Drupal\Core\Url;
 use Drupal\views\ViewExecutable;
@ -135,6 +136,7 @@ function views_ui_preprocess_views_view(&$variables) {
  if (!empty($view->live_preview)) {
    $variables['title'] = [
      '#markup' => $view->getTitle(),
+      '#allowed_tags' => Xss::getHtmlTagList(),
    ];
  }