Issue #2633752 by Lendude, dww, alexpott, AdamBernstein, turpentyne, garryh: Views inline field separator renders HTML as plain text

(cherry picked from commit 28050a2901)
2020-02-03 18:41:42 +00:00 · 2020-02-03 18:41:42 +00:00 · fb704aeac7
parent 795d6bbf33
commit fb704aeac7
2 changed files with 71 additions and 1 deletions
--- a/core/modules/views/tests/src/Kernel/Plugin/StyleFieldsTest.php
+++ b/core/modules/views/tests/src/Kernel/Plugin/StyleFieldsTest.php
@ -0,0 +1,68 @@
+<?php
+
+namespace Drupal\Tests\views\Kernel\Plugin;
+
+use Drupal\Tests\views\Kernel\ViewsKernelTestBase;
+use Drupal\views\Views;
+
+/**
+ * Tests fields style functionality.
+ *
+ * @group views
+ *
+ * @see \Drupal\views\Plugin\views\row\Fields.
+ */
+class StyleFieldsTest extends ViewsKernelTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $testViews = ['test_view'];
+
+  /**
+   * Tests inline fields and separator.
+   */
+  public function testInlineFields() {
+    $renderer = $this->container->get('renderer');
+    $view = Views::getView('test_view');
+    $view->setDisplay();
+
+    // Test using an HTML separator.
+    $row = $view->display_handler->getOption('row');
+    $row['options'] = [
+      'inline' => [
+        'age' => 'age',
+        'id' => 'id',
+        'name' => 'name',
+      ],
+      'separator' => '<br />',
+    ];
+    $view->display_handler->setOption('row', $row);
+    $view->initDisplay();
+    $view->initStyle();
+    $output = $view->preview();
+    $output = $renderer->renderRoot($output);
+    $this->assertContains('<div class="views-row"><span class="views-field views-field-age"><span class="field-content">25</span></span><br /><span class="views-field views-field-id"><span class="field-content">1</span></span><br /><span class="views-field views-field-name"><span class="field-content">John</span></span></div>', (string) $output);
+    $view->destroy();
+
+    // Check that unsafe separators are stripped.
+    $view->setDisplay();
+    $row = $view->display_handler->getOption('row');
+    $row['options'] = [
+      'inline' => [
+        'age' => 'age',
+        'id' => 'id',
+        'name' => 'name',
+      ],
+      'separator' => '<script>alert("escape me!")</script>',
+    ];
+    $view->display_handler->setOption('row', $row);
+    $view->initDisplay();
+    $view->initStyle();
+    $output = $view->preview();
+    $output = $renderer->renderRoot($output);
+    $this->assertNotContains('<script>', (string) $output);
+    $this->assertContains('alert("escape me!")', (string) $output);
+  }
+
+}
--- a/core/modules/views/views.theme.inc
+++ b/core/modules/views/views.theme.inc
@ -139,7 +139,9 @@ function template_preprocess_views_view_fields(&$variables) {
      }

      if (!empty($variables['options']['separator']) && $previous_inline && $object->inline && $object->content) {
-        $object->separator = Xss::filterAdmin($variables['options']['separator']);
+        $object->separator = [
+          '#markup' => $variables['options']['separator'],
+        ];
      }

      $object->class = Html::cleanCssIdentifier($id);