diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php index 56bd518..5bf096f 100644 --- a/core/lib/Drupal/Component/Utility/SafeMarkup.php +++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php @@ -153,6 +153,23 @@ public static function checkAdminXss($string) { } /** + * Filters field separators. + * + * Strings smaller than 3 characters will not be set as safe. This should + * never be a problem because even the smallest HTML tags, such as "

", + * require 3. + * + * @param string $string + * A string. + * + * @return string + * The filtered string, which is marked as safe if longer than 2 characters. + */ + public static function filterSeparator($string) {; + return Unicode::strlen($string) < 3 ? $string : Xss::filterAdmin($string); + } + + /** * Retrieves all strings currently marked as safe. * * This is useful for the batch and form APIs, where it is important to diff --git a/core/modules/field/src/Plugin/views/field/Field.php b/core/modules/field/src/Plugin/views/field/Field.php index 7fdc28b..908bcb0 100644 --- a/core/modules/field/src/Plugin/views/field/Field.php +++ b/core/modules/field/src/Plugin/views/field/Field.php @@ -701,7 +701,7 @@ protected function renderItems($items) { if ($this->options['multi_type'] == 'separator') { $output = ''; $separator = ''; - $escaped_separator = Xss::filterAdmin($this->options['separator']); + $escaped_separator = SafeMarkup::filterSeparator($this->options['separator']); foreach ($items as $item) { $output .= $separator . SafeMarkup::escape($item); $separator = $escaped_separator; diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc index 4e007ad..700b389 100644 --- a/core/modules/views/views.theme.inc +++ b/core/modules/views/views.theme.inc @@ -132,7 +132,7 @@ function template_preprocess_views_view_fields(&$variables) { } if (!empty($variables['options']['separator']) && $previous_inline && $object->inline && $object->content) { - $object->separator = Xss::filterAdmin($variables['options']['separator']); + $object->separator = SafeMarkup::filterSeparator($variables['options']['separator']); } $object->class = Html::cleanCssIdentifier($id); @@ -388,7 +388,7 @@ function template_preprocess_views_view_summary_unformatted(&$variables) { foreach ($variables['rows'] as $id => $row) { // Only false on first time. if ($count++) { - $variables['rows'][$id]->separator = Xss::filterAdmin($variables['options']['separator']); + $variables['rows'][$id]->separator = SafeMarkup::filterSeparator($variables['options']['separator']); } $variables['rows'][$id]->attributes = array(); $variables['rows'][$id]->link = $argument->summaryName($row); @@ -578,7 +578,7 @@ function template_preprocess_views_view_table(&$variables) { if (!empty($column_reference['content'])) { if (!empty($options['info'][$column]['separator'])) { $safe_content = SafeMarkup::escape($column_reference['content']); - $safe_separator = Xss::filterAdmin($options['info'][$column]['separator']); + $safe_separator = SafeMarkup::filterSeparator($options['info'][$column]['separator']); $column_reference['content'] = SafeMarkup::set($safe_content . $safe_separator); } } diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php index eadc122..55fee39 100644 --- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php +++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php @@ -101,4 +101,23 @@ public function testInvalidSetMultiple() { SafeMarkup::setMultiple($texts); } + /** + * Tests SafeMarkup::filterSeparator(). + * + * @covers ::filterSeparator + */ + public function testFilterSeparator() { + $returned = SafeMarkup::filterSeparator('
'); + $this->assertEquals('
', $returned, 'Separator string "
" was not modified.'); + $this->assertTrue(SafeMarkup::isSafe($returned), 'Separator string "
" was marked as safe'); + $returned = SafeMarkup::filterSeparator('---'); + $this->assertEquals('---', $returned, 'Separator string "---" was not modified'); + $this->assertTrue(SafeMarkup::isSafe($returned), 'Separator string "---" was marked as safe'); + $returned = SafeMarkup::filterSeparator('<'); + $this->assertEquals('<', $returned, 'Separator string "<" was not modified'); + $this->assertFalse(SafeMarkup::isSafe($returned), 'Separator string "<" was not marked as safe'); + $returned = SafeMarkup::filterSeparator(''); + $this->assertEquals('alert("hello");', $returned, 'Separator string "" was modified'); + $this->assertTrue(SafeMarkup::isSafe($returned), 'Modified separator string "alert("hello");" was marked as safe'); + } } diff --git a/core/themes/engines/twig/twig.engine b/core/themes/engines/twig/twig.engine index 5ef2f10..84cd53a 100644 --- a/core/themes/engines/twig/twig.engine +++ b/core/themes/engines/twig/twig.engine @@ -279,7 +279,7 @@ function twig_drupal_join_filter($value, $glue = '') { $output = ''; foreach ($value as $item) { $output .= $separator . SafeMarkup::escape($item); - $separator = $glue; + $separator = SafeMarkup::filterSeparator($glue); } return SafeMarkup::set($output);