diff --git a/core/modules/rest/src/Plugin/views/style/Serializer.php b/core/modules/rest/src/Plugin/views/style/Serializer.php
index 09e94e6..089b68b 100644
--- a/core/modules/rest/src/Plugin/views/style/Serializer.php
+++ b/core/modules/rest/src/Plugin/views/style/Serializer.php
@@ -7,7 +7,9 @@ namespace Drupal\rest\Plugin\views\style;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\rest\Plugin\views\row\DataFieldRow;
 use Drupal\views\ViewExecutable;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 use Drupal\views\Plugin\views\style\StylePluginBase;
@@ -130,7 +132,16 @@ public function render() {
       $content_type = $this->options['formats'] ? reset($this->options['formats']) : 'json';
     }
-    return $this->serializer->serialize($rows, $content_type);
+    $output = $this->serializer->serialize($rows, $content_type);
+    if ($this->view->rowPlugin instanceof DataFieldRow) {
+      // Individual fields in the DataFieldRow plugin are sanitized in
+      // \Drupal\views\Plugin\views\field\FieldPluginBase::advancedRender() and
+      // we can safely assume that the Serializer does not introduce XSS when
+      // transforming the array into the particular format, hence we can safely
+      // mark the whole serialized string as safe.
+      SafeMarkup::set($output);
+    }
+    return $output;
   }
   /**
diff --git a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php
index 12eb653..6472b09 100644
--- a/core/modules/rest/src/Tests/Views/StyleSerializerTest.php
+++ b/core/modules/rest/src/Tests/Views/StyleSerializerTest.php
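Review bot: `SafeMarkup::set($output)` marks the whole serialized document as safe on the strength of the comment's assumption that every value in `$rows` went through `FieldPluginBase::advancedRender()`, but nothing in the hunk verifies that; the `instanceof DataFieldRow` check also matches subclasses, so any row-plugin configuration or subclass that emits a field's raw stored value would have unescaped content marked safe wholesale. SafeMarkup's registry is, as far as I recall, keyed by string value, so this registers an entire response body globally rather than the individual field values that were actually sanitized. If the intent is that a REST response body must never be re-escaped, handling that where the display builds the response is narrower than a global safe-string registration inside the style plugin; at minimum record the precondition next to the call, e.g. `// Any row-plugin path that bypasses advancedRender() invalidates this.`. render() begins before this hunk, so the construction of `$rows` is not visible here.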
@@ -315,6 +315,13 @@ public function testFieldapiField() {
     $result = $this->drupalGetJSON('test/serialize/node-field');
     $this->assertEqual($result[0]['nid'], $node->id());
     $this->assertEqual($result[0]['body'], $node->body->processed);
+
+    $node->body = '';
+    $node->save();
+    $result = $this->drupalGetJSON('test/serialize/node-field');
+    $this->assertEqual($result[0]['nid'], $node->id());
+    $this->assertTRUE(strpos($result[0]['body'], 'assertTrue(strpos($result[0]['body'], '<script') !== FALSE);
   }
 }
diff --git a/core/modules/views/src/Tests/Handler/AreaTest.php b/core/modules/views/src/Tests/Handler/AreaTest.php
index 03b8b57..ae4a643 100644
--- a/core/modules/views/src/Tests/Handler/AreaTest.php
+++ b/core/modules/views/src/Tests/Handler/AreaTest.php
@@ -92,9 +92,9 @@ public function testRenderArea() {
     // Insert a random string to the test area plugin and see whether it is
     // rendered for both header, footer and empty text.
-    $header_string = $this->randomString();
-    $footer_string = $this->randomString();
-    $empty_string = $this->randomString();
+    $header_string = $this->randomMachineName();
+    $footer_string = $this->randomMachineName();
+    $empty_string = $this->randomMachineName();
     $view->header['test_example']->options['string'] = $header_string;
     $view->header['test_example']->options['empty'] = TRUE;
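Review bot: The new `<script` check only asserts that a marker substring appears somewhere in `$result[0]['body']`, which is weaker than the assertion three lines earlier that compares the body to `$node->body->processed`; repeating that comparison after the second save, `$this->assertEqual($result[0]['body'], $node->body->processed);`, would pin the exact serialized value and catch both double-escaping and stripping. The assertion line appears corrupted in this rendering (`assertTRUE(strpos(... 'assertTrue(strpos(...`) and the assigned body value is empty, so its actual form cannot be confirmed here. The expectation presumably depends on the node's text format letting the markup through, so stating the format in the test would make the assertion's premise visible to the next reader.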