If a field containing an inline SVG is passed through views rewrite results the SVG is stripped and mostly removed (normally just leaving the the title left).

The same field containing an inline SVG can be used on a normal node page without being stripped.

Views rewrite uses \Drupal\Component\Utility\Xss::filterAdmin() which has protected strings of protected static $adminTags = array('a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'tt', 'u', 'ul', 'var', 'wbr');

Adding some SVG specific strings such as those found in the following popular purifiers would allow common SVG markup and keep it safe from XSS.
https://github.com/cure53/DOMPurify/blob/master/src/purify.js
or
https://github.com/darylldoyle/svg-sanitizer/blob/master/src/data/AllowedTags.php

A section (not full list) by way of example of some strings those purifiers allow is:

 'accent-height','accumulate','additivive','alignment-baseline', 'ascent','azimuth','baseline-shift','bias','clip','clip-path',
'clip-rule','color','color-interpolation','color-interpolation-filters', 'color-profile','color-rendering','cx','cy','d','dy','dy','direction',
'display','divisor','dur','elevation','end','fill','fill-opacity', 'fill-rule','filter','flood-color','flood-opacity','font-family',
'font-size','font-size-adjust','font-stretch','font-style','font-variant', 'font-weight','image-rendering','in','in2','k1','k2','k3','k4','kerning', 'letter-spacing','lighting-color','local','marker-end','marker-mid',
'marker-start','max','mask','mode','min','offset','operator','opacity', 'order','orient','overflow','paint-order','path','points','r','rx','ry','radius', 'restart','scale','seed','shape-rendering','stop-color','stop-opacity',
'stroke-dasharray','stroke-dashoffset','stroke-linecap','stroke-linejoin', 'stroke-miterlimit','stroke-opacity','stroke','stroke-width','transform', 'text-anchor','text-decoration','text-rendering','u1','u2','viewbox', 'visibility','word-spacing','wrap','writing-mode','x','x1','x2','y', 'y1','y2','z',

The issue can be worked around by simply not passing SVGs through views Rewrite results.

It would be worthwhile confirm that adding common SVG strings to the existing XSS filtering would be safe. Is it?
Are there other HTML elements that are safe to add but which we do not permit? (broaden issue?)

Added some related issues which show the same issue relating to responsive images.

CommentFileSizeAuthor
#26 core-no-filter-admin-when-rewriting-view-field-output.patch771 bytesbeerendlauwers
#25 allow_views_rewrite_results_to_include_inline_svgs-2840938-25.patch1.66 KBvensires
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

serg2 created an issue. See original summary.

Lendude’s picture

Lendude
Primary language Dutch
Location Amsterdam
CreditAttribution: Lendude at Dx Experts commented
Title: Views Rewrite Results strips inline SVGs » Allow Views Rewrite Results to include inline SVGs
Category: Bug report » Feature request

Since this is done by XSS::filterAdmin I would say that this is working as designed, so any changes we make would be a new feature.

There are more requests floating around about people trying to get around the restrictions of only using XSS allowed tags, so maybe it would be worthwhile to allow admins to swap out the used filter in some way. Don't know, just thinking out loud.

serg2’s picture

serg2 CreditAttribution: serg2 commented

Yes, there are quite a few open issues about XSS in general. Initially it would be good to establish if adding these is safe. I will take me a while to find good authoritative sources on this but once I do I will add them in here.

serg2’s picture

serg2 CreditAttribution: serg2 commented
Issue summary: View changes
serg2’s picture

serg2 CreditAttribution: serg2 commented

There was a core issue #2099741: Protect WYSIWYG Editors from XSS Without Destroying User Data which dealt with preventing XSS in Ckeditor. The documentation within the patch is the best information I can find about making user submitted content XSS safe without destroying the content.

It is worth noting that SVGs can be uploaded into WYSIWYG (CKEditor) and used safely because of that patch. It focuses on blacklisting bad, rather than whitelisting good. Some SVG features are stripped but only a few and 'simple' SVGs will get through unharmed.

The core of this issue, allowing SVGs through Views-rewrite results, comes down to:
What is the purpose of the filtering that occurs at the rewrite stage?

It seems like it is 'old code' but it does ensure super safe output. If, for instance, content is being passed though rewrite results which has not previously been filtered it will make it safe.

One solution could be, now that CKeditor is in core, is to use its filter set-up at views rewrite.

That would mean that all the issues that are currently open regarding views rewrite stripping get either fixed or moved into the CKeditor (and the obvious benefits of removing and re-using code).

Should I change this issue to that: "Use CKEditor filtering in views re-write results" ?

Lendude’s picture

Lendude
Primary language Dutch
Location Amsterdam
CreditAttribution: Lendude at Dx Experts commented

Should I change this issue to that: "Use CKEditor filtering in views re-write results" ?

that might work as long as we don't create a dependency on CKEditor in Views. Haven't looked at what CKEditor does so don't know how viable this is, but somehow being able to switch to different filter settings sounds something that would be attractive for a lot of people.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

kenton.r’s picture

kenton.r CreditAttribution: kenton.r commented

I just ran into the need of adding an SVG in views rewrite. I would also like to see this feature added.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

markdc’s picture

markdc
his lordship
Primary language English
CreditAttribution: markdc commented

@kenton.r Ditto that.

marcoka’s picture

marcoka CreditAttribution: marcoka commented

Very important. I use it like that and that will not work in views because stripped out

This is no special custom tag: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/use
Guess i need to hack core again because of a tag.

#2687479: Responsive Image not working in rewritten Views field/area due to XSS filtering

Juc1’s picture

Juc1 CreditAttribution: Juc1 commented

@marcoka or anyone - do I still need to hack core to allow the svg tag in my View? If so what do I need to do?

Juc1’s picture

Juc1 CreditAttribution: Juc1 commented

reply to myself - permitted html tags are listed in /core/lib/Drupal/Component/Utility/Xss.php but a better option is to use a views template (such as views-view-fields--my-view-here.html.twig) which has no html restrictions.

marcoka’s picture

marcoka CreditAttribution: marcoka commented

Juc1 yes you need to. DI it today, again.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
C13L0’s picture

C13L0 CreditAttribution: C13L0 commented

Following this issue as it is a feature that we need.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

vensires’s picture

vensires CreditAttribution: vensires at E-Sepia Web Innovation commented
Version: 9.5.x-dev » 11.x-dev
vensires’s picture

vensires CreditAttribution: vensires at E-Sepia Web Innovation commented
FileSize
allow_views_rewrite_results_to_include_inline_svgs-2840938-25.patch1.66 KB

Until a better solution gets used (ex. override through settings.php or alter hook), I attach a patch which targets the whole Xss class and not Views specifically and adds the SVG and PATH tags to the adminTags array.

I would even consider removing the "views.module" from the issue's "Component" value - either way it's core though it's usually depicted when using views.

beerendlauwers’s picture

beerendlauwers CreditAttribution: beerendlauwers at Netvlies commented
FileSize
core-no-filter-admin-when-rewriting-view-field-output.patch771 bytes

I also encountered this issue. Ideally, there should be another toggle under "Rewrite Results" to skip the Xss::filterAdmin filter.

For now, I'm using the "Rewrite Results" toggle itself for this purpose. See the attached patch. It was written for Drupal 10.1.4, but it'll probably work on other versions.

vensires’s picture

vensires CreditAttribution: vensires at E-Sepia Web Innovation commented

Well, I would say that your patch goes to a more opinionated and insecure approach which would work in my scenario too, yes, but it would compromise all views - even if it is not required. From adding two extra tags as allowed to throwing filtering completely out, well there definitely is a gap.

From what I had read in code and comments etc and understood, I would have expected the HTML template coming from Drupal Views UI to be XssAdmin-filtered, yes, but when TWIG is used no extra processing should be done. In that case I could have separate TWIG files in my theme containing the SVG file only and then be able to include these TWIG files from Drupal Views UI textarea - and we should be safe.

When talking about the "Custom" Views Field Plugin, it's more or less easily done, we just have to remove Xss::filterAdmin(...) from this:

/**
 * {@inheritdoc}
 */
public function render(ResultRow $values) {
  // Return the text, so the code never thinks the value is empty.
  return ViewsRenderPipelineMarkup::create(Xss::filterAdmin($this->options['alter']['text']));
}

But you did mention the field rewriting functionality in general - which might also be easy too, though I haven't studied that far yet. But in general we should be ok from any security issues since FieldPluginBase::renderText() already does the following (among other things):

if (!empty($alter['alter_text']) && $alter['text'] !== '') {
  $tokens = $this->getRenderTokens($alter);
  $value = $this->renderAltered($alter, $tokens);
  // $alter['text'] is entered through the views admin UI and will be safe
  // because the output of $this->renderAltered() is run through
  // Xss::filterAdmin().
  // @see \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace()
  // @see \Drupal\Component\Utility\Xss::filterAdmin()
  $value_is_safe = TRUE;