Tested in alpha-14
When creating a feed using Views > Format > Format: RSS Feed, Show: Fields, the titles for items are double encoded. For example:
Given the article title: This "cool" & "neat" article's title has HTML entities
RSS Feed - Fields:
<title>This &quot;cool&quot; &amp; &quot;neat&quot; article&#039;s title has HTML entities</title>
which incorrectly appears as "This "cool" & "neat" article's title has HTML entities"
Double encoding occurs for apostrophes, ampersands and quotes. I have not tested other entities.
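The following is an added example, not code from the issue or from Drupal core. It reproduces the symptom described above in plain Python: the same title is built into a constructed minimal RSS 2.0 item after one and after two layers of HTML escaping, the feed is parsed the way a feed reader would parse it, and a check flags any item title in which entities survive XML decoding, which is exactly what a double-escaped title looks like to the reader. `html.escape` stands in for PHP's `htmlspecialchars()` (it emits `&#x27;` for the apostrophe where PHP emits `&#039;`; both are valid XML character references). The feed layout and URL are constructed for the example.

```python
import html
import re
import xml.etree.ElementTree as ET

# The title from the issue report, as the editor typed it (no entities).
TITLE = 'This "cool" & "neat" article\'s title has HTML entities'

# Matches named entities (&quot;), decimal (&#039;) and hex (&#x27;) references.
ENTITY_RE = re.compile(r'&(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#x[0-9a-fA-F]+);')


def escape_once(text: str) -> str:
    """One layer of HTML escaping: & < > " ' (like htmlspecialchars with ENT_QUOTES)."""
    return html.escape(text, quote=True)


def build_feed(title: str, times_escaped: int) -> str:
    """Constructed RSS 2.0 document with a single item.

    times_escaped simulates how many stages of a render pipeline escaped the
    title before it was written into the <title> element. Correct output is 1
    (the value must be escaped exactly once to be well-formed XML); 2 models
    the Views bug where the field renderer and the Twig template both escape.
    """
    escaped = title
    for _ in range(times_escaped):
        escaped = escape_once(escaped)
    return (
        '<rss version="2.0"><channel><title>Constructed test feed</title>'
        f'<item><title>{escaped}</title>'
        '<link>http://example.invalid/node/1</link></item>'
        '</channel></rss>'
    )


def item_titles(feed_xml: str) -> list[str]:
    """Item titles as a feed reader sees them: the XML parser decodes one layer."""
    root = ET.fromstring(feed_xml)
    return [item.findtext('title', default='') for item in root.iter('item')]


def double_escaped_titles(feed_xml: str) -> list[str]:
    """Titles that still contain entity references after XML decoding.

    The parser has already removed the one legitimate layer of escaping, so any
    remaining &quot; / &amp; / &#039; was applied a second time upstream.
    """
    return [t for t in item_titles(feed_xml) if ENTITY_RE.search(t)]


if __name__ == '__main__':
    for n in (1, 2):
        feed = build_feed(TITLE, n)
        print(f'escaped {n}x, reader sees: {item_titles(feed)[0]}')
        print(f'  flagged as double-escaped: {bool(double_escaped_titles(feed))}')
```

The check is a useful regression test for a feed view: fetch the rendered feed, run `double_escaped_titles()` over it and fail the build if the list is non-empty. It has one caveat: a title whose author deliberately typed a literal entity such as `&amp;` will be flagged too, so treat hits as something to inspect rather than as proof of a bug.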
Comment | File | Size | Author |
---|---|---|---|
#12 | 2337747-12-double-escaped-views-rss.patch | 4.23 KB | mikeker |
#8 | rss-test-view.yml.txt | 4.68 KB | mikeker |
#4 | views-rss-encoding-2337747-4.patch | 677 bytes | Berdir |
Comments
Comment #1
dawehner.
Just adding a tag to find issues.
Comment #2
Charles Belov
Comment #3
dawehner
So yeah, the problem is that both Views'
FieldPluginBase::render()
as well as autoescaping in views-view-row-rss.html.twig
cause the issue.
Comment #4
Berdir
Took me a while to find this. The problem is that in FieldPluginBase::advancedRender(), for fields, we pass things through renderItems(), which assumes unsafe items and passes them through SafeMarkup::escape($item);
If we mark the return value of renderText() as safe, then it is only escaped in twig and works as expected. Not sure if this is the right approach?
Comment #5
dawehner
We might solve that in a better way with #2280961: (Views)FieldPluginBase::advancedRender() calls SafeMarkup::set() on a string that it doesn't know to be safe, but for now having a dedicated comment why we are doing it would be great. Also having a test that this doesn't break anything is probably required.
Comment #6
jhedstrom
Needs tests and a code comment as per #5.
Comment #7
mikeker
The patch in #4 didn't fix the issue for me with the attached view.
To repro:
The title is double-escaped as noted in the original report.
Comment #8
mikeker
/me: attaches "attached view" and goes to lunch...
Comment #9
Berdir
Can you try it with the body and HTML tags in there instead of HTML entities? That's what I'm using it for. HTML entities might be a different problem that is not fixed by my patch.
Comment #10
mikeker
I'm not sure I understand what you're saying here... And I have to dash off to get my kid from school in about 1 minute. :)
I think the title and description fields are getting double check_plain()'ed. I tried using HTML entities and plain old HTML in the description field. In core\modules\views\views.theme.inc:
But the title and description are already sanitized earlier as part of Views' rendering (at least as far as I can tell). I'll look at this again later this evening...
Comment #11
mikeker
Attached patch runs the title, description, and (just for good measure) link fields through a Twig inline template to ensure they've been sanitized and escaped once and only once... I think. This is where I start to get fuzzy about how Twig and Drupal work -- specifically how Drupal is calling Twig escape functions (especially in light of the cautions here: http://twig.sensiolabs.org/doc/filters/escape.html).
At a minimum, this patch fixes the originally reported issue.
@Berdir, let me know if this fixes the issues you were seeing with HTML in RSS feed fields.
Comment #12
mikeker
Added tests.
Comment #13
dawehner
Maybe a dumb question, but why can't we do that in the template directly?
Comment #14
mikeker
Not a dumb question at all, because we CAN do most of this in the template. Not sure what I was thinking...
Pretty much everything except:
which, as pointed out in #2296885: Remove format_xml_elements() needs to be... something. I'm looking into refactoring
format_xml_elements()
into the template but haven't had the time to dig into it yet.
Comment #15
mikeker
Closing this as a duplicate of #2296885: Remove format_xml_elements(), which fixes not only this issue but (hopefully) cleans up a pile of legacy XML processing.
Comment #16
karenann
--- removed my own post ---