diff --git a/core/includes/theme.inc b/core/includes/theme.inc
index 009bb33..f4f0a57 100644
--- a/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -1083,6 +1083,32 @@ function theme_indentation($variables) {
}
/**
+ * Returns HTML for an inline list of items.
+ *
+ * @param $variables
+ * An associative array containing:
+ * - items: A list of items.
+ * - separator: A delimiter to separate the items in the list.
+ *
+ * @return string
+ * HTML for an inline list of items.
+ *
+ * @ingroup themeable
+ */
+function theme_inline_list($variables) {
+ if (!SafeMarkup::isSafe($variables['separator'])) {
+ // Since the separator may be user-specified, it must be filtered to permit
+ // some HTML (such as
) to pass through.
+ $variables['separator'] = Xss::filter($variables['separator'], ['br']);
+ }
+ // Escape the items if they are unsafe.
+ $variables['items'] = array_map(['\Drupal\Component\Utility\SafeMarkup', 'escape'], $variables['items']);
+
+ // Return the inline list.
+ return implode($variables['separator'], $variables['items']);
+}
+
+/**
* Prepares variables for container templates.
*
* Default template: container.html.twig.
@@ -1726,6 +1752,10 @@ function drupal_common_theme() {
'item_list' => array(
'variables' => array('items' => array(), 'title' => '', 'list_type' => 'ul', 'attributes' => array(), 'empty' => NULL, 'context' => array()),
),
+ 'inline_list' => array(
+ 'variables' => array('items' => array(), 'separator' => ', '),
+ 'function' => 'theme_inline_list',
+ ),
'feed_icon' => array(
'variables' => array('url' => NULL, 'title' => NULL),
),
diff --git a/core/modules/system/src/Tests/Theme/FunctionsTest.php b/core/modules/system/src/Tests/Theme/FunctionsTest.php
index 0ed135d..041efce 100644
--- a/core/modules/system/src/Tests/Theme/FunctionsTest.php
+++ b/core/modules/system/src/Tests/Theme/FunctionsTest.php
@@ -42,19 +42,6 @@ function testItemList() {
$expected = '';
$this->assertThemeOutput('item_list', $variables, $expected, 'Empty %callback with title generates no output.');
- // Verify that empty items produce the empty string.
- $variables = array();
- $variables['empty'] = 'No items found.';
- $expected = 'No items found.
';
- $this->assertThemeOutput('item_list', $variables, $expected, 'Empty %callback generates empty string.');
-
- // Verify that empty items produce the empty string with title.
- $variables = array();
- $variables['title'] = 'Some title';
- $variables['empty'] = 'No items found.';
- $expected = 'Some title
No items found.';
- $this->assertThemeOutput('item_list', $variables, $expected, 'Empty %callback generates empty string with title.');
-
// Verify that title set to 0 is output.
$variables = array();
$variables['title'] = 0;
@@ -168,6 +155,37 @@ function testItemList() {
}
/**
+ * Tests theme_inline_list().
+ */
+ function testInlineList() {
+ // Verify that empty items produce no output.
+ $variables = array();
+ $expected = '';
+ $this->assertThemeOutput('inline_list', $variables, $expected, 'Empty %callback generates no output.');
+
+ // Verify that a non-default separator is rendered.
+ $variables = array();
+ $variables['items'] = array('Un', 'Deux', 'Trois');
+ $variables['separator'] = ' and ';
+ $expected = 'Un and Deux and Trois';
+ $this->assertThemeOutput('inline_list', $variables, $expected, '%callback uses a custom separator when provided.');
+
+ // Verify that HTML separators are properly rendered.
+ $variables = array();
+ $variables['items'] = array('Doe', 'Buck', 'Kit');
+ $variables['separator'] = '
';
+ $expected = 'Doe
Buck
Kit';
+ $this->assertThemeOutput('inline_list', $variables, $expected, '%callback allows HTML in user-provided separators.');
+
+ // Verify that the separator is sanitized.
+ $variables = array();
+ $variables['items'] = array('Un', 'Deux', 'Trois');
+ $variables['separator'] = '';
+ $expected = 'Unalert("test")Deuxalert("test")Trois';
+ $this->assertThemeOutput('inline_list', $variables, $expected, '%callback sanitizes user-provided separators.');
+ }
+
+ /**
* Tests links.html.twig.
*/
function testLinks() {
diff --git a/core/modules/views_ui/src/Tests/DisplayPathTest.php b/core/modules/views_ui/src/Tests/DisplayPathTest.php
index 004b9f0..62c1f2f 100644
--- a/core/modules/views_ui/src/Tests/DisplayPathTest.php
+++ b/core/modules/views_ui/src/Tests/DisplayPathTest.php
@@ -35,6 +35,7 @@ class DisplayPathTest extends UITestBase {
public function testPathUI() {
$this->doBasicPathUITest();
$this->doAdvancedPathsValidationTest();
+ $this->doPathXssFilterTest();
}
/**
@@ -60,6 +61,29 @@ protected function doBasicPathUITest() {
}
/**
+ * Tests that View paths are properly filtered for XSS.
+ */
+ public function doPathXssFilterTest() {
+ global $base_path;
+ $this->drupalGet('admin/structure/views/view/test_view');
+ $this->drupalPostForm(NULL, array(), 'Add Page');
+ $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_2/path', array('path' => ''), t('Apply'));
+ $this->drupalPostForm(NULL, array(), 'Add Page');
+ $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_3/path', array('path' => ''), t('Apply'));
+ $this->drupalPostForm(NULL, array(), 'Add Page');
+ $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_4/path', array('path' => ''), t('Apply'));
+ $this->drupalPostForm('admin/structure/views/view/test_view', array(), t('Save'));
+ $this->drupalGet('admin/structure/views');
+ // The anchor text should be escaped.
+ $this->assertEscaped('/');
+ $this->assertEscaped('/');
+ $this->assertEscaped('/');
+ // Links should be url-encoded.
+ $this->assertRaw('/%3Cobject%3Emalformed_path%3C/object%3E');
+ $this->assertRaw('/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E');
+ }
+
+ /**
* Tests a couple of invalid path patterns.
*/
protected function doAdvancedPathsValidationTest() {
diff --git a/core/modules/views_ui/src/ViewListBuilder.php b/core/modules/views_ui/src/ViewListBuilder.php
index 00be178..ba198a2 100644
--- a/core/modules/views_ui/src/ViewListBuilder.php
+++ b/core/modules/views_ui/src/ViewListBuilder.php
@@ -91,12 +91,6 @@ public function load() {
*/
public function buildRow(EntityInterface $view) {
$row = parent::buildRow($view);
- $display_paths = '';
- $separator = '';
- foreach ($this->getDisplayPaths($view) as $display_path) {
- $display_paths .= $separator . SafeMarkup::escape($display_path);
- $separator = ', ';
- }
return array(
'data' => array(
'view_name' => array(
@@ -113,7 +107,12 @@ public function buildRow(EntityInterface $view) {
'class' => array('views-table-filter-text-source'),
),
'tag' => $view->get('tag'),
- 'path' => SafeMarkup::set($display_paths),
+ 'path' => array(
+ 'data' => array(
+ '#theme' => 'inline_list',
+ '#items' => $this->getDisplayPaths($view),
+ ),
+ ),
'operations' => $row['operations'],
),
'title' => $this->t('Machine name: @name', array('@name' => $view->id())),
diff --git a/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php b/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
index a42a879..d4bc2b6 100644
--- a/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
+++ b/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
@@ -89,7 +89,10 @@ public function testBuildRowEntityList() {
);
$page_display->expects($this->any())
->method('getPath')
- ->will($this->returnValue('test_page'));
+ ->will($this->onConsecutiveCalls(
+ $this->returnValue('test_page'),
+ $this->returnValue(''),
+ $this->returnValue('')));
$embed_display = $this->getMock('Drupal\views\Plugin\views\display\Embed', array('initDisplay'),
array(array(), 'default', $display_manager->getDefinition('embed'))
@@ -106,6 +109,16 @@ public function testBuildRowEntityList() {
$values['display']['page_1']['display_plugin'] = 'page';
$values['display']['page_1']['display_options']['path'] = 'test_page';
+ $values['display']['page_2']['id'] = 'page_2';
+ $values['display']['page_2']['display_title'] = 'Page 2';
+ $values['display']['page_2']['display_plugin'] = 'page';
+ $values['display']['page_2']['display_options']['path'] = '';
+
+ $values['display']['page_3']['id'] = 'page_3';
+ $values['display']['page_3']['display_title'] = 'Page 3';
+ $values['display']['page_3']['display_plugin'] = 'page';
+ $values['display']['page_3']['display_options']['path'] = '';
+
$values['display']['embed']['id'] = 'embed';
$values['display']['embed']['display_title'] = 'Embedded';
$values['display']['embed']['display_plugin'] = 'embed';
@@ -115,6 +128,8 @@ public function testBuildRowEntityList() {
->will($this->returnValueMap(array(
array('default', $values['display']['default'], $default_display),
array('page', $values['display']['page_1'], $page_display),
+ array('page', $values['display']['page_2'], $page_display),
+ array('page', $values['display']['page_3'], $page_display),
array('embed', $values['display']['embed'], $embed_display),
)));
@@ -141,8 +156,16 @@ public function testBuildRowEntityList() {
$row = $view_list_builder->buildRow($view);
- $this->assertEquals(array('Embed admin label', 'Page admin label'), $row['data']['view_name']['data']['#displays'], 'Wrong displays got added to view list');
- $this->assertEquals($row['data']['path'], '/test_page', 'The path of the page display is not added.');
+ $expected_displays = array(
+ 'Embed admin label',
+ 'Page admin label',
+ 'Page admin label',
+ 'Page admin label',
+ );
+ $this->assertEquals($expected_displays, $row['data']['view_name']['data']['#displays']);
+
+ $display_paths = $row['data']['path']['data']['#items'];
+ $this->assertEquals('/test_page, /<object>malformed_path</object>, /<script>alert("placeholder_page/%")</script>', implode(', ', $display_paths));
}
}