From db905bd451b97185d05d5af62b881c40b020fff7 Mon Sep 17 00:00:00 2001
From: Lee Rowlands <lee.rowlands@previousnext.com.au>
Date: Fri, 24 May 2019 16:29:11 +1000
Subject: [PATCH] Issue #3048707 by Daniel Korte, Lendude: Views AJAX arguments
 are not HTML decoded

(cherry picked from commit 5ad7fe321230025de376638e78ee83a92bf67468)
---
 .../src/Controller/ViewAjaxController.php     |  3 ++-
 .../Controller/ViewAjaxControllerTest.php     | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/core/modules/views/src/Controller/ViewAjaxController.php b/core/modules/views/src/Controller/ViewAjaxController.php
index 11df6c8d3b4a..88ad2b52bd7c 100644
--- a/core/modules/views/src/Controller/ViewAjaxController.php
+++ b/core/modules/views/src/Controller/ViewAjaxController.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\views\Controller;
 
+use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\UrlHelper;
 use Drupal\Core\Ajax\ReplaceCommand;
 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
@@ -113,7 +114,7 @@ public function ajaxView(Request $request) {
     $name = $request->request->get('view_name');
     $display_id = $request->request->get('view_display_id');
     if (isset($name) && isset($display_id)) {
-      $args = $request->request->get('view_args');
+      $args = Html::decodeEntities($request->request->get('view_args'));
       $args = isset($args) && $args !== '' ? explode('/', $args) : [];
 
       // Arguments can be empty, make sure they are passed on as NULL so that
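Review bot: `Html::decodeEntities()` is applied to the raw `view_args` value before the `isset($args)` guard and before `explode('/')`, which changes more in ajaxView than the intended decoding. A request without `view_args` now passes NULL into a string function (deprecated since PHP 8.1), and the `isset` test on the next line presumably can no longer fail. An entity-encoded slash such as `&#47;` also decodes to `/` and is then treated as an argument separator. Decoding each argument after the split keeps the guard and the argument boundaries: `$args = $request->request->get('view_args');` followed by `$args = isset($args) && $args !== '' ? array_map([Html::class, 'decodeEntities'], explode('/', $args)) : [];`. The decoded values are request-controlled and can now contain `<`, `>` and quotes, so whatever consumes them later in ajaxView (the body continues outside this hunk) has to escape on output rather than rely on the encoded form.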
diff --git a/core/modules/views/tests/src/Unit/Controller/ViewAjaxControllerTest.php b/core/modules/views/tests/src/Unit/Controller/ViewAjaxControllerTest.php
index d65acaab2c8c..15631423ca8f 100644
--- a/core/modules/views/tests/src/Unit/Controller/ViewAjaxControllerTest.php
+++ b/core/modules/views/tests/src/Unit/Controller/ViewAjaxControllerTest.php
@@ -260,6 +260,26 @@ public function testAjaxViewWithEmptyArguments() {
     $this->assertViewResultCommand($response);
   }
 
+  /**
+   * Tests a valid view with arguments.
+   */
+  public function testAjaxViewWithHtmlEntityArguments() {
+    $request = new Request();
+    $request->request->set('view_name', 'test_view');
+    $request->request->set('view_display_id', 'page_1');
+    $request->request->set('view_args', 'arg1 &amp; arg2/arg3');
+
+    list($view, $executable) = $this->setupValidMocks();
+    $executable->expects($this->once())
+      ->method('preview')
+      ->with('page_1', ['arg1 & arg2', 'arg3']);
+
+    $response = $this->viewAjaxController->ajaxView($request);
+    $this->assertTrue($response instanceof ViewAjaxResponse);
+
+    $this->assertViewResultCommand($response);
+  }
+
   /**
    * Tests a valid view with a pager.
    */
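Review bot: The docblock on testAjaxViewWithHtmlEntityArguments, `Tests a valid view with arguments.`, does not say what is under test and appears copied from the plain-arguments case; `Tests a valid view with HTML entity encoded arguments.` would describe it. The only input exercised is `&amp;`, so a request without `view_args` and an argument carrying an encoded separator or markup character (for example `&#47;` or `&lt;`) are left unpinned, and those are the cases where decoding request input changes behaviour. `$this->assertInstanceOf(ViewAjaxResponse::class, $response);` would also report a clearer failure than `assertTrue($response instanceof ViewAjaxResponse)`.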
-- 
GitLab