Verified Commit f953b423 authored by Alex Pott's avatar Alex Pott

Issue #2825683 by acbramley, ayushmishra206, NitinLama, mohit_aghera, Ramya...

Issue #2825683 by acbramley, ayushmishra206, NitinLama, mohit_aghera, Ramya Balasubramanian, ranjith_kumar_k_u, Abhijith S, Lendude, pameeela, alexpott, smustgrave: Use Xss::filter() for the view title to ensure that the preview matches the actual display
parent 15cebd32
+2 −0
@@ -4,6 +4,7 @@

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Timer;
use Drupal\Component\Utility\Xss;
use Drupal\Core\EventSubscriber\AjaxResponseSubscriber;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Link;
@@ -697,6 +698,7 @@ public function renderPreview($display_id, $args = []) {
              [
                'data' => [
                  '#markup' => $executable->getTitle(),
                  '#allowed_tags' => Xss::getHtmlTagList(),
                ],
              ],
            ];
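Review bot: The added `'#allowed_tags' => Xss::getHtmlTagList()` on the `data` element carries no comment saying why the admin tag list that `#markup` is otherwise filtered with is being narrowed, so the next reader may take it for an arbitrary choice or drop it as redundant. Suggest `// Use the tag list Xss::filter() applies to the title on the real display, not the wider admin list #markup gets by default, so the preview matches what visitors see.` The same two lines are added in views_ui_preprocess_views_view() in views_ui.module; a single helper or constant shared by both call sites would keep the two lists from drifting if a third copy ever appears. renderPreview() starts and ends outside this hunk.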
+31 −1
@@ -14,7 +14,13 @@ class PreviewTest extends UITestBase {
   *
   * @var array
   */
  public static $testViews = ['test_preview', 'test_preview_error', 'test_pager_full', 'test_mini_pager', 'test_click_sort'];
  public static $testViews = [
    'test_preview',
    'test_preview_error',
    'test_pager_full',
    'test_mini_pager',
    'test_click_sort',
  ];

  /**
   * {@inheritdoc}
@@ -171,4 +177,28 @@ public function testPreviewError() {
    $this->assertSession()->pageTextContains('Unable to preview due to validation errors.');
  }

  /**
   * Tests HTML is filtered from the view title when previewing.
   */
  public function testPreviewTitle() {
    // Update the view and change title with html tags.
    \Drupal::configFactory()->getEditable('views.view.test_preview')
      ->set('display.default.display_options.title', '<strong>Test preview title</strong>')
      ->save();

    $this->drupalGet('admin/structure/views/view/test_preview/edit');
    $this->assertSession()->statusCodeEquals(200);
    $this->submitForm([], 'Update preview');
    $this->assertSession()->pageTextContains('Test preview title');
    // Ensure allowed HTML tags are still displayed.
    $this->assertCount(2, $this->xpath('//div[@id="views-live-preview"]//strong[text()=:text]', [':text' => 'Test preview title']));

    // Ensure other tags are filtered.
    \Drupal::configFactory()->getEditable('views.view.test_preview')
      ->set('display.default.display_options.title', '<b>Test preview title</b>')
      ->save();
    $this->submitForm([], 'Update preview');
    $this->assertCount(0, $this->xpath('//div[@id="views-live-preview"]//b[text()=:text]', [':text' => 'Test preview title']));
  }

}
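Review bot: The second half of testPreviewTitle() only proves that no `<b>` element survives; if the preview failed to render the title at all, `assertCount(0, ...)` would still pass, so the "other tags are filtered" claim is not actually pinned. Add `$this->assertSession()->pageTextContains('Test preview title');` right after the second `submitForm([], 'Update preview')` so the test shows the text present with the tag stripped rather than merely absent. The `assertCount(2, ...)` for `<strong>` also deserves a comment stating where the two occurrences in the live preview come from (presumably the page title and the view's own title element, to be confirmed), since a reader cannot tell from the test why the expected count is not 1.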
+2 −0
@@ -5,6 +5,7 @@
 * Provide structure for the administrative interface to Views.
 */

use Drupal\Component\Utility\Xss;
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Url;
use Drupal\views\ViewExecutable;
@@ -135,6 +136,7 @@ function views_ui_preprocess_views_view(&$variables) {
  if (!empty($view->live_preview)) {
    $variables['title'] = [
      '#markup' => $view->getTitle(),
      '#allowed_tags' => Xss::getHtmlTagList(),
    ];
  }