Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Changing the administrative name in views ui does not update the active page title and gives the following js error:
TypeError: response.siteName is undefined
core/modules/views_ui/js/ajax.js?v=8.0.0-dev
Line 35
Proposed resolution
Add siteName to the response.
Remaining tasks
User interface changes
API changes
Comment | File | Size | Author |
---|---|---|---|
#28 | 2314443-28.patch | 1.98 KB | Lendude |
#28 | 2314443-28-TEST_ONLY.patch | 1.44 KB | Lendude |
#27 | 2314443-27.patch | 1.97 KB | Lendude |
#27 | 2314443-27-TEST_ONLY.patch | 1.42 KB | Lendude |
#26 | reroll_diff_7-26.txt | 816 bytes | immaculatexavier |
Comments
Comment #1
olli CreditAttribution: olli commentedHere's an alternative without a need for site name in the response.
Comment #2
olli CreditAttribution: olli commentedComment #3
olli CreditAttribution: olli commentedI wonder if #1 really makes a better effort to replace the
<title>
than the original code.Comment #4
olli CreditAttribution: olli commentedComment #5
dawehnerBoth variants seems to be equivalent problematic if some admin theme changes the way how page titles are generated. Well, in this case the user will just see a not-perfect title.
Nothing horrible.
Comparing the two versions I would prefer the first one, given that it does not include a complex reged in the javascript file, which is always a burden for maintenance.
What do you think, which one is the one you like?
Comment #6
olli CreditAttribution: olli commentedTo get rid of the site name and regex, could we use a simple string replace?
Comment #7
olli CreditAttribution: olli commentedOne more! Let's leave the js alone and just add the siteName to the response.
The difference between the first and the latest one is whether you want to do this:
Pick either one.
Comment #8
dawehnerEven the other one has the better DI, semantically it seems better not having to specify the actual page title as well. So I would be fine with the current version of the patch.
Comment #9
alexpottShouldn't we be escaping this? I don;t think we can just trust this value.
Comment #10
olli CreditAttribution: olli commentedWe need both the title and siteName without escaping to set the
document.title
. If we escape the siteName, the regex fails and if we escape the page title, it will get double escaped. This is also how it is in Views 7.xComment #11
dawehnerDid you tried an xss::filter?
Comment #12
olli CreditAttribution: olli commentedRe #11: I guess that wouldn't work if my site name is
<script>alert(0)</script>
.I don't see why we'd escape or filter the value we use to set
document.title
in js.Comment #13
jhedstromPatch here still applies, but I think is at needs work based on the above.
Comment #22
nod_not a js issue, fix is on the php side
Comment #25
larowlanComment #26
immaculatexavier CreditAttribution: immaculatexavier as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedRerolled patch against 9.4.x with diff
Comment #27
LendudeHere is a JS test for this, added a case with an unsafe title too to make sure this gets handled properly.
Comment #28
LendudeNow with '===' and not '='
The test only patch is the interdiff.
Comment #30
longwaveTest and fix look good to me. Can't quite believe this has been broken for so long, almost wonder if this feature should be removed instead!
Comment #32
LendudeUnrelated fail
Comment #34
longwaveUnrelated fail in QuickEditFileTest
Comment #35
alexpottI tested this with XSS in both the site name and the views admin title - all works fine.
Committed and pushed fe3be7e13e to 10.0.x and b72a2b1194 to 9.5.x and abdb8f0024 to 9.4.x and d3c42ff26f to 9.3.x. Thanks!