This is in reference to http://drupal.org/node/369867 Images are being blocked in Views because the aggregator plugin is running them through filter_xss. The views_handler_field_xss class, defined in views/handlers/views_handler_field.inc does not check to see if Aggregator is allowing HTML tags in the content of feed items as defined in /admin/content/aggregator/settings
The attached patch checks to see if the variable aggregator_allowed_html_tags has been set . If not, it can accept a set of tags at the time the $views_handler_field_xss->render() function is called. By default, it will stip all html tags when calling filter_xss()
Comment | File | Size | Author |
---|---|---|---|
#12 | 713078-aggregator_xss.patch | 2.59 KB | dawehner |
#9 | 713078-aggregator_xss.patch | 2.59 KB | dawehner |
views_handler_field.patch | 639 bytes | achaux | |
Comments
Comment #1
merlinofchaos CreditAttribution: merlinofchaos commentedSetting proper status. Hopeful we can get a review on this, the explanation makes a lot of sense.
Comment #2
achaux CreditAttribution: achaux commentedI was searching through some older issues and came across this: http://drupal.org/node/627402 It is definitely related, but it seem that the patch did not fix the problem of displaying allowed HTML entities from the RSS feeds. I just added this for historical context, does not necessarily change the status of this bug report.
Comment #3
dawehnerFor me this makes absolute no sense for me, because this is filter_xss handler and not a aggregator specific handler.
Comment #4
jfable CreditAttribution: jfable commentedFor me it makes perfect sense. I would make the assumption that an Aggregator View would utilize the same allowed values tags as set in /admin/content/aggregator/settings. The fact that it doesn't is counter-intuitive.
Currently there is no way to pass allowed tags to the filter_xss function in views/aggregator. I would call that a bug. This seems to be a very reasonable fix to me.
Comment #5
achaux CreditAttribution: achaux commentedCorrect, filter_xss is not an aggregator specific handler. The patch does not change the filter_xss handler, only what is passed to the filter_xss handler.
Comment #6
dawehnerBut still
1) + function render($values, $allowed_html_tags = FALSE) {
I don't think that the signature of the render function should be changed.
2) I don't think that we should use the settings of aggregator+ function render($values, $allowed_html_tags = FALSE) {
for every filter_xss thing. You could better make a new handler for it.
Thx for finding this bug.
Comment #7
achaux CreditAttribution: achaux commentedThanks for the reply dereine. I want to keep this thread going because I think Views should respect the settings set/defined by Aggregator, especially since Views has an "Aggregator item" view type. Since the only way to generate a view of RSS/Atom feeds through Views GUI is by using the Aggregator item view type, I think that it is very important. I'll look into adding a new Aggregator handler. Any suggestions are welcome.
Comment #8
merlinofchaos CreditAttribution: merlinofchaos commentedOk, the answer is that we need an aggregator specific handler that has its own render that does essentially what this patch does. I agree that the generic _xss should not do this, because that would force aggregator settings onto non-aggregator uses. However, I do agree, that aggregator specific output should.
Summary:
A clean patch that does the above seems very likely to be accepted.
Comment #9
dawehnerHere is a general patch.
Comment #10
merlinofchaos CreditAttribution: merlinofchaos commentedThis looks good. Patch does not apply. Reroll and mark RTBC?
Comment #11
dawehner.
Comment #12
dawehnerI love cvs/git *arg*
After just 1,5hours of work i have a working patch file.
The second line is the current cvs, the previous is old version of cvs/git checkout of the cvs. WTH
Comment #13
merlinofchaos CreditAttribution: merlinofchaos commentedCommitted to all branches.