Commit 7c43cce5 authored by alexpott's avatar alexpott

Issue #2714045 by Lendude, joelpittet, anouschka42, lomasr, dawehner: Views:...

Issue #2714045 by Lendude, joelpittet, anouschka42, lomasr, dawehner: Views: HTML is escaped with aggregation enabled
parent 47fcaa09
......@@ -1222,6 +1222,12 @@ public function renderText($alter) {
if (!empty($alter['alter_text']) && $alter['text'] !== '') {
$tokens = $this->getRenderTokens($alter);
$value = $this->renderAltered($alter, $tokens);
// $alter['text'] is entered through the views admin UI and will be safe
// because the output of $this->renderAltered() is run through
// Xss::filterAdmin().
// @see \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace()
// @see \Drupal\Component\Utility\Xss::filterAdmin()
$value_is_safe = TRUE;
}
if (!empty($this->options['alter']['trim_whitespace'])) {
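Review bot: The comment above `$value_is_safe = TRUE;` justifies the flag only for the admin-entered `$alter['text']`, but `$value` also contains the substituted `$tokens`, which `getRenderTokens()` builds outside this hunk. If the flag suppresses later escaping of `$value` (that code is not visible here), the comment should also say where token values are escaped or filtered, for example `// Token values are escaped or filtered during replacement in viewsTokenReplace().`, once that is confirmed against the method. Xss::filterAdmin() is a permissive, admin-level filter, so the reasoning also depends on the rewrite text being editable only by trusted roles; stating that assumption here would help. renderText() starts and ends outside the hunk.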
......
......@@ -168,6 +168,67 @@ public function testRewrite() {
$this->assertSubString($output, $random_text);
}
/**
* Tests rewriting of the output with HTML.
*/
public function testRewriteHtmlWithTokens() {
/** @var \Drupal\Core\Render\RendererInterface $renderer */
$renderer = \Drupal::service('renderer');
$view = Views::getView('test_view');
$view->initHandlers();
$this->executeView($view);
$row = $view->result[0];
$id_field = $view->field['id'];
$id_field->options['alter']['text'] = '<p>{{ id }}</p>';
$id_field->options['alter']['alter_text'] = TRUE;
$output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
return $id_field->theme($row);
});
$this->assertSubString($output, '<p>1</p>');
// Add a non-safe HTML tag and make sure this gets removed.
$id_field->options['alter']['text'] = '<p>{{ id }} <script>alert("Script removed")</script></p>';
$id_field->options['alter']['alter_text'] = TRUE;
$output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
return $id_field->theme($row);
});
$this->assertSubString($output, '<p>1 alert("Script removed")</p>');
}
/**
* Tests rewriting of the output with HTML and aggregation.
*/
public function testRewriteHtmlWithTokensAndAggregation() {
/** @var \Drupal\Core\Render\RendererInterface $renderer */
$renderer = \Drupal::service('renderer');
$view = Views::getView('test_view');
$view->setDisplay();
$view->displayHandlers->get('default')->options['fields']['id']['group_type'] = 'sum';
$view->displayHandlers->get('default')->setOption('group_by', TRUE);
$view->initHandlers();
$this->executeView($view);
$row = $view->result[0];
$id_field = $view->field['id'];
$id_field->options['alter']['text'] = '<p>{{ id }}</p>';
$id_field->options['alter']['alter_text'] = TRUE;
$output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
return $id_field->theme($row);
});
$this->assertSubString($output, '<p>1</p>');
// Add a non-safe HTML tag and make sure this gets removed.
$id_field->options['alter']['text'] = '<p>{{ id }} <script>alert("Script removed")</script></p>';
$id_field->options['alter']['alter_text'] = TRUE;
$output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
return $id_field->theme($row);
});
$this->assertSubString($output, '<p>1 alert("Script removed")</p>');
}
/**
* Tests the arguments tokens on field level.
*/
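Review bot: Both new tests put markup only in the admin-entered rewrite text, so neither covers a token whose own value contains markup, which is the input that matters once renderText() marks the rewritten value as safe. The `id` token appears to be numeric in this fixture, so `{{ id }}` cannot carry HTML. Consider adding a case that rewrites a string field whose row value contains a tag and asserts that the tag arrives escaped or stripped, both with and without aggregation, introduced by a comment such as `// Token values come from row data and must not be trusted like the rewrite text.`. The two methods differ only in the `group_by` setup, so a shared private helper would keep their assertions in sync.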
......