Commit 52d995f1 authored by catch's avatar catch

Issue #2564283 by alexpott, stefan.r, joelpittet: Remove use of...

Issue #2564283 by alexpott, stefan.r, joelpittet: Remove use of SafeMarkup::checkPlain() from adminSummary() and adminLabel() in views plugins
parent 958a47a2
......@@ -181,8 +181,7 @@ protected function defineOptions() {
*/
public function adminLabel($short = FALSE) {
if (!empty($this->options['admin_label'])) {
$title = SafeMarkup::checkPlain($this->options['admin_label']);
return $title;
return $this->options['admin_label'];
}
$title = ($short && isset($this->definition['title short'])) ? $this->definition['title short'] : $this->definition['title'];
return $this->t('!group: !title', array('!group' => $this->definition['group'], '!title' => $title));
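Review bot: The `admin_label` option returned on the added line is site-builder text that now leaves this method with no escaping at all, so the contract that the consumer escapes it (presumably a Twig template with autoescape on, given the `assertEscaped` checks in the test hunks of this commit) is stated nowhere; the docblock that ends at the `*/` just above the signature, and begins outside the hunk, should carry it. I would add `@return string Unescaped plain text; the render layer is responsible for escaping it.` there, and the same sentence to the `adminSummary()` docblocks in the filter hunks of this commit. The `!group`/`!title` placeholders on the unchanged last line insert `$title` verbatim, which is acceptable only because `$title` is taken from `$this->definition` rather than from the user-set option that this hunk returns early. adminLabel() continues beyond the end of the hunk.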
......
......@@ -14,7 +14,6 @@
use Drupal\views\Plugin\CacheablePluginInterface;
use Drupal\views\Plugin\views\HandlerBase;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
use Drupal\views\ViewExecutable;
......@@ -172,7 +171,7 @@ protected function defineOptions() {
* Display the filter on the administrative summary
*/
public function adminSummary() {
return SafeMarkup::checkPlain((string) $this->operator) . ' ' . SafeMarkup::checkPlain((string) $this->value);
return $this->operator . ' ' . $this->value;
}
/**
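Review bot: Dropping the `(string)` casts on the new `return $this->operator . ' ' . $this->value;` line leaves the result undefined when a subclass stores an array in `$this->value`, which the other filter hunks in this commit (`$this->value['value']`, `$this->value['min']`) show does happen: the concatenation then yields the literal `Array` plus a notice. The casts behaved the same way, so this is not a regression, but since this base implementation is what every filter without its own summary inherits, I would either guard it, e.g. `return $this->operator . ' ' . (is_array($this->value) ? implode(', ', $this->value) : $this->value);`, or state in the docblock above (`Display the filter on the administrative summary`) that subclasses with structured values must override it and that the return is unescaped plain text.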
......
......@@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\filter;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Form\FormStateInterface;
use Drupal\views\Plugin\views\display\DisplayPluginBase;
......@@ -337,7 +336,7 @@ public function adminSummary() {
return;
}
$operator = SafeMarkup::checkPlain($info[$this->operator]['short']);
$operator = $info[$this->operator]['short'];
$values = '';
if (in_array($this->operator, $this->operatorValues(1))) {
// Remove every element which is not known.
......@@ -353,13 +352,13 @@ public function adminSummary() {
else if (count($this->value) == 1) {
// If any, use the 'single' short name of the operator instead.
if (isset($info[$this->operator]['short_single'])) {
$operator = SafeMarkup::checkPlain($info[$this->operator]['short_single']);
$operator = $info[$this->operator]['short_single'];
}
$keys = $this->value;
$value = array_shift($keys);
if (isset($flat_options[$value])) {
$values = SafeMarkup::checkPlain($flat_options[$value]);
$values = $flat_options[$value];
}
else {
$values = '';
......@@ -375,7 +374,7 @@ public function adminSummary() {
break;
}
if (isset($flat_options[$value])) {
$values .= SafeMarkup::checkPlain($flat_options[$value]);
$values .= $flat_options[$value];
}
}
}
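Review bot: On the new `$values .= $flat_options[$value];` line (and on the `$values = $flat_options[$value];` and `$operator = ...` assignments in this file's other hunks) the concatenation casts whatever the option label is to a plain string, so if a label is a markup object that already carries escaped content, its safe status is lost and an auto-escaping renderer escapes it a second time; labels that are plain or raw translated text are unaffected, which is presumably the common case here. Worth a comment on the first of these assignments so the next reader does not re-wrap the value in an escape call: `// Labels are plain text here; escaping happens once, in the render layer.` adminSummary() starts before the first hunk of this file and continues after this one.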
......
......@@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\filter;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Database\Database;
use Drupal\Core\Form\FormStateInterface;
......@@ -292,12 +291,12 @@ public function adminSummary() {
}
$options = $this->operatorOptions('short');
$output = SafeMarkup::checkPlain($options[$this->operator]);
$output = $options[$this->operator];
if (in_array($this->operator, $this->operatorValues(2))) {
$output .= ' ' . $this->t('@min and @max', array('@min' => $this->value['min'], '@max' => $this->value['max']));
}
elseif (in_array($this->operator, $this->operatorValues(1))) {
$output .= ' ' . SafeMarkup::checkPlain($this->value['value']);
$output .= ' ' . $this->value['value'];
}
return $output;
}
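Review bot: The range branch on the unchanged `$output .= ' ' . $this->t('@min and @max', ...)` line now mixes two escaping regimes: the `@` placeholders HTML-escape `min`/`max` inside `t()`, the result is cast to a plain string by concatenation with the now-raw `$options[$this->operator]`, and the render layer escapes that string again, so a min or max containing `&` or `<` would come out double-escaped — assuming these values are not validated as purely numeric before reaching the summary, which I cannot see from the hunk. If that assumption holds, building the range summary as one translated value, e.g. `$output = $this->t('@operator @min and @max', ['@operator' => $options[$this->operator], '@min' => $this->value['min'], '@max' => $this->value['max']]);`, keeps a single escaping step. The added `testNoDoubleEscaping()` in this commit checks only `&lt;`, so it would not catch an `&amp;amp;` produced on this path. adminSummary() begins before the start of the hunk.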
......
......@@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\filter;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Database\Database;
use Drupal\Core\Form\FormStateInterface;
......@@ -162,10 +161,10 @@ public function adminSummary() {
$options = $this->operatorOptions('short');
$output = '';
if (!empty($options[$this->operator])) {
$output = SafeMarkup::checkPlain($options[$this->operator]);
$output = $options[$this->operator];
}
if (in_array($this->operator, $this->operatorValues(1))) {
$output .= ' ' . SafeMarkup::checkPlain($this->value);
$output .= ' ' . $this->value;
}
return $output;
}
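Review bot: `$this->value` appended on the new `$output .= ' ' . $this->value;` line is free text typed into the string filter, so this is the summary where unescaped output is most exposed and the only escaping now happens in the consumer, yet none of the test hunks in this commit asserts that a string filter value containing markup is rendered escaped (the added `assertEscaped` cases cover the view-mode label and the header area labels only). I would add a case next to the existing `<marquee>` assertions that saves a string filter with a constructed value such as `<em>x</em>` and checks `assertEscaped('<em>x</em>')` together with `assertNoEscaped('&lt;')` on the display summary page. adminSummary() begins before the first line of the hunk.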
......
......@@ -7,7 +7,6 @@
namespace Drupal\views\Plugin\views\row;
use Drupal\Component\Utility\SafeMarkup;
use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Language\LanguageManagerInterface;
......@@ -160,7 +159,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) {
public function summaryTitle() {
$options = \Drupal::entityManager()->getViewModeOptions($this->entityTypeId);
if (isset($options[$this->options['view_mode']])) {
return SafeMarkup::checkPlain($options[$this->options['view_mode']]);
return $options[$this->options['view_mode']];
}
else {
return $this->t('No view mode selected');
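Review bot: After this change `summaryTitle()` returns a raw string from the `if` branch and the object returned by `$this->t()` from the `else` branch, and nothing documents that the first is unescaped view-mode label text while the second is translated text; the `RowUITest` hunk in this commit shows the label can contain markup. A docblock line such as `@return string|object The view mode label as unescaped plain text, or the translated fallback; escaping is left to the renderer.` (using whatever type `t()` returns in this codebase) would make that explicit for callers. The method's docblock and its closing brace lie outside the hunk.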
......
......@@ -7,6 +7,7 @@
namespace Drupal\views_ui\Tests;
use Drupal\Core\Entity\Entity\EntityViewMode;
use Drupal\views\Views;
/**
......@@ -87,6 +88,13 @@ public function testRowUI() {
$this->drupalPostForm(NULL, ['row[type]' => 'entity:node'], t('Apply'));
$this->assertUrl($row_options_url);
$this->assertFieldByName('row_options[view_mode]', 'teaser');
// Change the teaser label to have markup so we can test escaping.
$teaser = EntityViewMode::load('node.teaser');
$teaser->set('label', 'Teaser <em>markup</em>');
$teaser->save();
$this->drupalGet('admin/structure/views/view/frontpage/edit/default');
$this->assertEscaped('Teaser <em>markup</em>');
}
}
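Review bot: The added `assertEscaped('Teaser <em>markup</em>')` proves the view-mode label is escaped but not that it is escaped exactly once, which is the other half of what this commit guards against (the `testNoDoubleEscaping()` hunk below uses `assertNoEscaped('&lt;')` for that); adding `$this->assertNoEscaped('&lt;');` directly after the `assertEscaped` call would close that gap. The modified `node.teaser` label is not restored afterwards, which is presumably fine if each test method runs against a fresh install, but worth confirming for this test base class. `testRowUI()` begins before the first line of the hunk.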
......@@ -29,8 +29,22 @@ public function testViewsUi() {
$this->assertEscaped('<marquee>test</marquee>', 'Field admin label is properly escaped.');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertRaw('{{ title }} == &amp;lt;marquee&amp;gt;test&amp;lt;/marquee&amp;gt;', 'Token label is properly escaped.');
$this->assertRaw('{{ title_1 }} == &amp;lt;script&amp;gt;alert(&amp;quot;XSS&amp;quot;)&amp;lt;/script&amp;gt;', 'Token label is properly escaped.');
$this->assertEscaped('{{ title }} == <marquee>test</marquee>', 'Token label is properly escaped.');
$this->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>', 'Token label is properly escaped.');
}
/**
* Checks the admin UI for double escaping.
*/
public function testNoDoubleEscaping() {
$this->drupalGet('admin/structure/views');
$this->assertNoEscaped('&lt;');
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
$this->assertNoEscaped('&lt;');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertNoEscaped('&lt;');
}
}
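Review bot: `testNoDoubleEscaping()` does not say why `&lt;` is the sentinel; it works because the `sa_contrib_2013_035` labels asserted earlier in this method contain `<marquee>` and `<script>`, so a double escape would surface as `&amp;lt;`, and a one-line comment at the top of the method would make that dependency on the fixture explicit: `// The fixture view's labels contain '<', so any double escaping shows up as '&amp;lt;'.` If the fixture is ever extended with a label or value containing `&`, an `$this->assertNoEscaped('&amp;');` beside each `&lt;` check would cover the other common double-escape artefact, which the current assertions would miss.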