Allow HTML in tab title setting in views style plugin [#2942637]

Currently the strip_tags function on line #133 of quicktabs/src/Plugin/views/style/Quicktabs.php prevents the tab title from displaying html.

$title = strip_tags($index);

While this is generally desirable, there may be use cases for adding some html to the tab title. In my case, I have a large header label with small text below that I'd like to render on the tab title. Exposing the 'rendered_strip' form element on the views plugin and rendering the raw title will permit this ability.

Change to:

 $strip_tags = $this->options['grouping'][0]['rendered_strip'];
      if($strip_tags === TRUE) {
        $title = strip_tags($index);
      }
      else {
        $title =  $index;
      }

Comment	File	Size	Author
#16	allow_html_tab_title_views_2942637_16.patch	1.04 KB	brooke_heaton
#16	8.x-3.x: PHP 7.3 & MySQL 5.6, D8.9 2 pass
#15	allow_html_tab_title_views_2942637_15.patch	1.03 KB	brooke_heaton
#15
#14	allow_html_tab_title_views_2942637_14.patch	800 bytes	brooke_heaton
#14
#10	2020 Veterans Conference National Association of State Workforce Agencies.png	156.53 KB	brooke_heaton
#9	allow_html_tab_title_views_2942637_9.patch	1022 bytes	shelane
#9	7.x-3.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply
#5	allow_html_tab_title_views_2942637_5.patch	1.12 KB	brooke_heaton
#5
#4	tab_title_with_html.png	32.89 KB	brooke_heaton
#2	allow_html_tab_title_views_2942637_2.patch	1.2 KB	brooke_heaton
#2

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

6 February 2018 at 21:12

brooke_heaton created an issue. See original summary.

Comment #2

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 6 February 2018 at 22:10

File	Size
allow_html_tab_title_views_2942637_2.patch	1.2 KB

Patch opens up view $options['grouping'][0]['rendered_strip'] setting for use and checks rendered_strip on tab title render.

Comment #3

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 6 February 2018 at 22:06

Status:

Active

» Needs review

Comment #4

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 7 February 2018 at 14:30

File	Size
tab_title_with_html.png	32.89 KB

I've attached an example of a Quicktab set with html in the title as an example of what this patch will enable.

Quicktab with title example

Comment #5

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 7 December 2018 at 17:43

File	Size
allow_html_tab_title_views_2942637_5.patch	1.12 KB

Rerolled patch against 8.x-3.x-dev.

Comment #6

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 7 December 2018 at 17:44

1 file was hidden/shown/deleted

File	Size
allow_html_tab_title_views_2942637_2.patch	1.2 KB

Comment #7

shelane

English

CreditAttribution: shelane commented 18 June 2020 at 05:25

Status:

Needs review

» Needs work

So, I believe that if it were opened up to all html, it could be considered a security vulnerability (not properly sanitized).

Ultimately, the tabs get built as translatable titles and then built into the html output by the renderer type. These are not currently templated, but that will change. See #3144540: Create templates for the output of of the renderer types.

I think instead we should think of an allowed set of html tags and see how we can put these.
To start with:

img
h2
h3
h4
span
i

Or this function may be all that is needed: Xss::filter

Comment #8

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 18 June 2020 at 16:34

Good point @shelane. I will revisit this.

Comment #9

shelane

English

CreditAttribution: shelane commented 18 June 2020 at 23:33

File	Size
allow_html_tab_title_views_2942637_9.patch	1022 bytes
7.x-3.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply

@brooke_heaton please test the latest patch here. I'm not certain how to recreate the issue in a view style for my own testing. This is off of the latest dev.

Comment #10

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:03

File	Size
2020 Veterans Conference National Association of State Workforce Agencies.png	156.53 KB

@shelane. Hm, so I think the end result of the Link::fromTextAndUrl is that characters are now being escaped. I'll have to figure out how to translate that. the toString() method does not seem to work.

Comment #11

shelane

English

CreditAttribution: shelane commented 22 October 2020 at 02:51

I’ve been working on something similar in the Views Bootstrap module. I believe putting the output in the twig template with the raw filter will make that output correctly. I’ll have some time to come around to this in a month or so. I might completely rework this based on what I’ve learned there.

Comment #12

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:04

@shelane - which template would that be in? Trying to find a quick workaround for a release on Monday :/

Comment #13

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:21

Hm, so this is working for me and does NOT escape the HTML. Interesting.

    $tab_titles[] = [
        '0' => Link::fromTextAndUrl(
          $this->t(Xss::filter($index, ['img', 'em', 'strong', 'h2', 'h3', 'h4', 'small', 'span', 'i', 'br'])),
          Url::fromRoute(
            '<current>',
            [],
            [
              'attributes' => [
                'class' => $link_classes,
              ],
            ]
          )
        )->toRenderable(),
        '#wrapper_attributes' => $wrapper_attributes,
      ];

Comment #14

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:33

File	Size
allow_html_tab_title_views_2942637_14.patch	800 bytes

Updated the patch to wrap the xss filtered input in the TranslatableMarkup method. This prevents escaping HTML characters in the final output.

Comment #15

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:37

File	Size
allow_html_tab_title_views_2942637_15.patch	1.03 KB

2 files were hidden/shown/deleted

File	Size
allow_html_tab_title_views_2942637_5.patch	1.12 KB

allow_html_tab_title_views_2942637_14.patch	800 bytes

Added 'use' statement for Xss. Patch updated.

Comment #16

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:40

File	Size
allow_html_tab_title_views_2942637_16.patch	1.04 KB
8.x-3.x: PHP 7.3 & MySQL 5.6, D8.9 2 pass

1 file was hidden/shown/deleted

File	Size
allow_html_tab_title_views_2942637_15.patch	1.03 KB

In my use case, I'm using an h5, so I've updated the allowed tags to include h5 and h6. There may be other use cases.

Comment #17

brooke_heaton CreditAttribution: brooke_heaton as a volunteer commented 22 October 2020 at 03:40

Status:

Needs work

» Needs review

Comment #18

shelane

English

CreditAttribution: shelane commented 22 October 2020 at 14:02

Great to hear. Thanks for looking more into it.

Comment #19

14 December 2020 at 18:36

shelane committed 16b0b88 on 8.x-3.x authored by brooke_heaton

Issue #2942637 by brooke_heaton, shelane: Allow HTML in tab title...

Comment #20

shelane

English

CreditAttribution: shelane commented 14 December 2020 at 18:36

Status:

Needs review

» Fixed

Comment #21

28 December 2020 at 18:39

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Allow HTML in tab title setting in views style plugin

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Comment #21

Referenced by

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community