Issue #2569381 by alx_benjamin, init90, vasi, deepakaryan1988,...

Issue #2569381 by alx_benjamin, init90, vasi, deepakaryan1988, Munavijayalakshmi, Lendude, DuaelFr, alexpott, dawehner: Drupal\views\Plugin\views\area\Result does an unnecessary XSS::adminFilter()

Issue #2569381 by alx_benjamin, init90, vasi, deepakaryan1988,...
f5fdfe31 · Alex Pott · 4c20b339 · f5fdfe31 · f5fdfe31 · f5fdfe31
Unverified Commit f5fdfe31 authored 3 years ago by Alex Pott
--- a/core/modules/views/src/Plugin/views/area/Result.php
+++ b/core/modules/views/src/Plugin/views/area/Result.php
@@ -3,7 +3,6 @@
 namespace Drupal\views\Plugin\views\area;

 use Drupal\Component\Utility\Html;
-use Drupal\Component\Utility\Xss;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\views\Plugin\views\style\DefaultSummary;

@@ -114,7 +113,7 @@ public function render($empty = FALSE) {
    $replacements['@page_count'] = $page_count;
    // Send the output.
    if (!empty($total) || !empty($this->options['empty'])) {
-      $output .= Xss::filterAdmin(str_replace(array_keys($replacements), array_values($replacements), $format));
+      $output .= str_replace(array_keys($replacements), array_values($replacements), $format);
      // Return as render array.
      return [
        '#markup' => $output,

--- a/core/modules/views/tests/modules/views_test_config/test_views/views.view.test_area_result.yml
+++ b/core/modules/views/tests/modules/views_test_config/test_views/views.view.test_area_result.yml
@@ -50,7 +50,7 @@ display:
          group_type: group
          admin_label: ''
          empty: true
-          content: "start: @start | end: @end | total: @total | label: @label | per page: @per_page | current page: @current_page | current record count: @current_record_count | page count: @page_count"
+          content: "<script />start: @start | end: @end | total: @total | label: @label | per page: @per_page | current page: @current_page | current record count: @current_record_count | page count: @page_count"
          plugin_id: result
    display_plugin: default
    display_title: Default

--- a/core/modules/views/tests/src/Kernel/Handler/AreaResultTest.php
+++ b/core/modules/views/tests/src/Kernel/Handler/AreaResultTest.php
@@ -29,6 +29,9 @@ public function testResult() {
    $output = \Drupal::service('renderer')->renderRoot($output);
    $this->setRawContent($output);
    $this->assertText('start: 1 | end: 5 | total: 5 | label: test_area_result | per page: 0 | current page: 1 | current record count: 5 | page count: 1');
+
+    // Make sure that potentially dangerous content was stripped.
+    $this->assertNoRaw('<script />');
  }

  /**