Currently the strip_tags function on line #133 of quicktabs/src/Plugin/views/style/Quicktabs.php prevents the tab title from displaying html.
```php
$title = strip_tags($index);
```
While this is generally desirable, there may be use cases for adding some html to the tab title. In my case, I have a large header label with small text below that I'd like to render on the tab title. Exposing the 'rendered_strip' form element on the views plugin and rendering the raw title will permit this ability.
Change to:
```php
// Read the "strip HTML tags" setting of the first grouping level.
$strip_tags = $this->options['grouping'][0]['rendered_strip'];
if ($strip_tags === TRUE) {
  $title = strip_tags($index);
}
else {
  $title = $index;
}
```
Comment | File | Size | Author |
---|---|---|---|
#16 | allow_html_tab_title_views_2942637_16.patch | 1.04 KB | brooke_heaton |
#10 | 2020 Veterans Conference National Association of State Workforce Agencies.png | 156.53 KB | brooke_heaton |
#9 | allow_html_tab_title_views_2942637_9.patch | 1022 bytes | shelane |
#4 | tab_title_with_html.png | 32.89 KB | brooke_heaton |
Comments
Comment #2
brooke_heaton (as a volunteer): Patch opens up view $options['grouping'][0]['rendered_strip'] setting for use and checks rendered_strip on tab title render.
Comment #3
brooke_heaton (as a volunteer)
Comment #4
brooke_heaton (as a volunteer): I've attached an example of a Quicktab set with html in the title as an example of what this patch will enable.
Comment #5
brooke_heaton (as a volunteer): Rerolled patch against 8.x-3.x-dev.
Comment #6
brooke_heaton (as a volunteer)
Comment #7
shelane: So, I believe that if it were opened up to all html, it could be considered a security vulnerability (not properly sanitized).
Ultimately, the tabs get built as translatable titles and then built into the html output by the renderer type. These are not currently templated, but that will change. See #3144540: Create templates for the output of of the renderer types.
I think instead we should think of an allowed set of html tags and see how we can put these.
To start with:
img
h2
h3
h4
span
i
Or this function may be all that is needed: Xss::filter
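The two behaviours discussed up to this point, `strip_tags()` and `Xss::filter` with an allowlist, run side by side on a few titles. This is an added example, not code from the Quicktabs module or from any patch attached to this issue; the helper name `example_tab_title`, the constant and the sample strings are made up, and it assumes `Drupal\Component\Utility\Xss` can be autoloaded (inside a Drupal site, or standalone through the `drupal/core-utility` Composer package).

```php
<?php
// Added example; not Quicktabs code and not one of the patches in this issue.
// Assumption: Drupal\Component\Utility\Xss can be autoloaded, either inside a
// Drupal site or standalone via the drupal/core-utility Composer package.
use Drupal\Component\Utility\Xss;

require __DIR__ . '/vendor/autoload.php';

// Allowlist proposed in comment #7, plus h5 and h6 from comment #16.
const EXAMPLE_TAB_TITLE_TAGS = ['img', 'h2', 'h3', 'h4', 'h5', 'h6', 'span', 'i'];

/**
 * Hypothetical helper: turns a Views grouping value into a tab title.
 *
 * @param string $index
 *   The rendered grouping value, which may contain markup.
 * @param bool $strip
 *   TRUE to drop every tag, FALSE to keep only allowlisted tags.
 */
function example_tab_title(string $index, bool $strip): string {
  if ($strip) {
    // Behaviour before this issue: no markup survives.
    return strip_tags($index);
  }
  // Tags outside the allowlist are removed; on allowed tags, Xss::filter()
  // also drops event-handler and style attributes and unsafe URL schemes.
  return Xss::filter($index, EXAMPLE_TAB_TITLE_TAGS);
}

// Constructed sample titles: one legitimate, three carrying active content.
$samples = [
  '<h5>Veterans Conference</h5><span>2020</span>',
  '<span onclick="alert(1)">Schedule</span>',
  '<script>alert(1)</script>Speakers',
  '<img src="javascript:alert(1)" alt="Logo">',
];

foreach ($samples as $raw) {
  printf("raw:      %s\n", $raw);
  printf("stripped: %s\n", example_tab_title($raw, TRUE));
  printf("filtered: %s\n\n", example_tab_title($raw, FALSE));
}
```

The helper returns an ordinary string; whether the renderer later escapes that string is a separate step, which is what comments #10 to #14 deal with.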
Comment #8
brooke_heaton (as a volunteer): Good point @shelane. I will revisit this.
Comment #9
shelane: @brooke_heaton please test the latest patch here. I'm not certain how to recreate the issue in a view style for my own testing. This is off of the latest dev.
Comment #10
brooke_heaton (as a volunteer): @shelane. Hm, so I think the end result of the Link::fromTextAndUrl is that characters are now being escaped. I'll have to figure out how to translate that. The toString() method does not seem to work.
Comment #11
shelane: I’ve been working on something similar in the Views Bootstrap module. I believe putting the output in the twig template with the raw filter will make that output correctly. I’ll have some time to come around to this in a month or so. I might completely rework this based on what I’ve learned there.
Comment #12
brooke_heaton (as a volunteer): @shelane - which template would that be in? Trying to find a quick workaround for a release on Monday :/
Comment #13
brooke_heaton (as a volunteer): Hm, so this is working for me and does NOT escape the HTML. Interesting.
Comment #14
brooke_heaton (as a volunteer): Updated the patch to wrap the xss filtered input in the TranslatableMarkup method. This prevents escaping HTML characters in the final output.
Comment #15
brooke_heaton (as a volunteer): Added 'use' statement for Xss. Patch updated.
Comment #16
brooke_heaton (as a volunteer): In my use case, I'm using an h5, so I've updated the allowed tags to include h5 and h6. There may be other use cases.
Comment #17
brooke_heaton (as a volunteer)
Comment #18
shelane: Great to hear. Thanks for looking more into it.
Comment #20
shelane