Issue #2714045 by Lendude, joelpittet, anouschka42, lomasr, dawehner: Views:...

Issue #2714045 by Lendude, joelpittet, anouschka42, lomasr, dawehner: Views: HTML is escaped with aggregation enabled

core/modules/views/src/Plugin/views/field/FieldPluginBase.php

@@ -1222,6 +1222,12 @@ public function renderText($alter) {
     if (!empty($alter['alter_text']) && $alter['text'] !== '') {
       $tokens = $this->getRenderTokens($alter);
       $value = $this->renderAltered($alter, $tokens);
+      // $alter['text'] is entered through the views admin UI and will be safe
+      // because the output of $this->renderAltered() is run through
+      // Xss::filterAdmin().
+      // @see \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace()
+      // @see \Drupal\Component\Utility\Xss::filterAdmin()
+      $value_is_safe = TRUE;
     }
 
     if (!empty($this->options['alter']['trim_whitespace'])) {

core/modules/views/tests/src/Kernel/Handler/FieldKernelTest.php

@@ -168,6 +168,67 @@ public function testRewrite() {
     $this->assertSubString($output, $random_text);
   }
 
+  /**
+   * Tests rewriting of the output with HTML.
+   */
+  public function testRewriteHtmlWithTokens() {
+    /** @var \Drupal\Core\Render\RendererInterface $renderer */
+    $renderer = \Drupal::service('renderer');
+
+    $view = Views::getView('test_view');
+    $view->initHandlers();
+    $this->executeView($view);
+    $row = $view->result[0];
+    $id_field = $view->field['id'];
+
+    $id_field->options['alter']['text'] = '<p>{{ id }}</p>';
+    $id_field->options['alter']['alter_text'] = TRUE;
+    $output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
+      return $id_field->theme($row);
+    });
+    $this->assertSubString($output, '<p>1</p>');
+
+    // Add a non-safe HTML tag and make sure this gets removed.
+    $id_field->options['alter']['text'] = '<p>{{ id }} <script>alert("Script removed")</script></p>';
+    $id_field->options['alter']['alter_text'] = TRUE;
+    $output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
+      return $id_field->theme($row);
+    });
+    $this->assertSubString($output, '<p>1 alert("Script removed")</p>');
+  }
+
+  /**
+   * Tests rewriting of the output with HTML and aggregation.
+   */
+  public function testRewriteHtmlWithTokensAndAggregation() {
+    /** @var \Drupal\Core\Render\RendererInterface $renderer */
+    $renderer = \Drupal::service('renderer');
+
+    $view = Views::getView('test_view');
+    $view->setDisplay();
+    $view->displayHandlers->get('default')->options['fields']['id']['group_type'] = 'sum';
+    $view->displayHandlers->get('default')->setOption('group_by', TRUE);
+    $view->initHandlers();
+    $this->executeView($view);
+    $row = $view->result[0];
+    $id_field = $view->field['id'];
+
+    $id_field->options['alter']['text'] = '<p>{{ id }}</p>';
+    $id_field->options['alter']['alter_text'] = TRUE;
+    $output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
+      return $id_field->theme($row);
+    });
+    $this->assertSubString($output, '<p>1</p>');
+
+    // Add a non-safe HTML tag and make sure this gets removed.
+    $id_field->options['alter']['text'] = '<p>{{ id }} <script>alert("Script removed")</script></p>';
+    $id_field->options['alter']['alter_text'] = TRUE;
+    $output = $renderer->executeInRenderContext(new RenderContext(), function () use ($id_field, $row) {
+      return $id_field->theme($row);
+    });
+    $this->assertSubString($output, '<p>1 alert("Script removed")</p>');
+  }
+
   /**
    * Tests the arguments tokens on field level.
    */