Unverified commit 16d10753, authored by Alex Pott

Issue #2569381 by alx_benjamin, init90, vasi, deepakaryan1988, Munavijayalakshmi, Lendude, DuaelFr, alexpott, dawehner: Drupal\views\Plugin\views\area\Result does an unnecessary XSS::adminFilter()

(cherry picked from commit f5fdfe31)
parent a0f29195
......@@ -3,7 +3,6 @@
namespace Drupal\views\Plugin\views\area;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Form\FormStateInterface;
use Drupal\views\Plugin\views\style\DefaultSummary;
......@@ -114,7 +113,7 @@ public function render($empty = FALSE) {
$replacements['@page_count'] = $page_count;
// Send the output.
if (!empty($total) || !empty($this->options['empty'])) {
$output .= Xss::filterAdmin(str_replace(array_keys($replacements), array_values($replacements), $format));
$output .= str_replace(array_keys($replacements), array_values($replacements), $format);
// Return as render array.
return [
'#markup' => $output,
......
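Review bot: at the `$output .= str_replace(...)` line, nothing in render() now says why the unfiltered string is safe to emit; the only protection left is that it is returned under `'#markup'`, which the renderer passes through admin XSS filtering. Add a short comment there stating that, so a later change that returns `$output` by another route (for example as an already-safe markup object) does not silently drop the filter. Of the `$replacements` values only `@page_count` is visible in this hunk; it is worth confirming that any value taken from view configuration, such as the label, is escaped before substitution.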
......@@ -50,7 +50,7 @@ display:
group_type: group
admin_label: ''
empty: true
content: "start: @start | end: @end | total: @total | label: @label | per page: @per_page | current page: @current_page | current record count: @current_record_count | page count: @page_count"
content: "<script />start: @start | end: @end | total: @total | label: @label | per page: @per_page | current page: @current_page | current record count: @current_record_count | page count: @page_count"
plugin_id: result
display_plugin: default
display_title: Default
......
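Review bot: the new `content` value adds `<script />` as the only markup case in this fixture, so the test can show that a disallowed tag is removed but not that markup the admin filter permits still comes through after the explicit call was dropped. Consider adding one harmless allowed tag to the fixture with a matching positive assertion, and check whether other tests that load this view compare against the old `content` string.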
......@@ -29,6 +29,9 @@ public function testResult() {
$output = \Drupal::service('renderer')->renderRoot($output);
$this->setRawContent($output);
$this->assertText('start: 1 | end: 5 | total: 5 | label: test_area_result | per page: 0 | current page: 1 | current record count: 5 | page count: 1');
// Make sure that potentially dangerous content was stripped.
$this->assertNoRaw('<script />');
}
/**
......
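Review bot: `$this->assertNoRaw('<script />')` matches only that exact spelling, so it would also pass if the tag reached the output in a different form such as `<script>` or `<script/>`. Asserting on the prefix, `$this->assertNoRaw('<script')`, makes the check independent of how the tag is serialised. The comment above it could also say that the stripping happens when `renderRoot()` processes `#markup`, since that is the behaviour the test now relies on.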