Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
RSS Style plugin runs check_plain on previously filtered $title which results in double escaped feed title like "Drupal & Drupal"
Comment | File | Size | Author |
---|---|---|---|
#55 | views_1189550_escape_rss_feed_title-54.patch | 867 bytes | patrick.norris |
#45 | 1189550.patch | 6.73 KB | Pol |
#24 | views_1189550_escape_rss_feed_title.patch | 864 bytes | fgjohnson@lojoh.ca |
| |||
#13 | views_1189550_escape_rss_title.patch | 544 bytes | Liam Morland |
#9 | views_1189550_escape_rss_title.patch | 778 bytes | Liam Morland |
Comments
Comment #1
mhrabovcin CreditAttribution: mhrabovcin commentedAttaching patch, probably needs fix in other versions as well.
Comment #2
dawehnerWhere is the first check plain?
For example the display_block runs a filter_xss_admin as well.
Comment #3
mhrabovcin CreditAttribution: mhrabovcin commentedFirst check_plain is in views_handler_argument.inc method title() which does:
Comment #4
dawehnerLooks fine from my perspective.
Assign to merlinofchaos for a last review.
Comment #5
Dmitriy.trt CreditAttribution: Dmitriy.trt commentedDefault title is not escaped with last patch, which breaks whole feed in the worst case.
Comment #6
jpamental CreditAttribution: jpamental commentedI'm seeing this now even in node titles when pulled out in a page or block view (6.x-2.12) - and it shows fine elsewhere (so
Fall '05
is shown asFall '05
)If you look at the node itself (as a page view) it's fine - only a problem when the title is displayed in the view.
Jason
Comment #7
thekevinday CreditAttribution: thekevinday commentedI also have this problem, where I am using a taxonomy term name converted to id.
The view produces an RSS feed.
The term name has an ampersand in it, so the ampersand is in the url.
I then take the taxonomy name url argument and use it as part of the page title.
This is where the check_plain() in #3 causes a problem.
The problem does happen on the actual page (RSS feed).
The title should say
Faculty & Staff Feed
and notFaculty & Staff Feed
The above patch does solve the problem, but given what #5 says, I am hesitant to use the patch.
Comment #8
Liam MorlandMarking as duplicate of this:
#1955072: Node/feed item titles are double escaped
Comment #9
Liam MorlandThis patch is fixing the double-escaping problem for me. The patch un-escapes the title before the generation of the RSS file, during which everything gets escaped. Basically, with this patch, it undoes an escaping that is not needed.
However, it seems to me that it would be better to not do this unnecessary escaping at all. Look at the patch. If I
dsm($this);
above the changed line, the title that I see is not escaped. If Idsm($item->title);
below the changed line, it is escaped. So,$this->get_field()
must be doing the escaping. I have not been able to find where this happens. Any insight would be appreciated.Comment #10
dawehnerIt seems to be, as you wrote before, that we first figure out what causes the encoding.
Comment #11
Liam MorlandI have been working through the code tracing back where the escaping happens. In views_handler_field.inc, there is a theme() method of views_handler_field object. theme() just calls the regular Drupal theme() function with particular parameters. If I add dsm() calls in the theme() method, I can see that the double escaping is happening inside the Drupal theme() function. I have not been able to trace it back further. It is very hard to usefully put dsm() calls inside theme() because theme() is called all over the place and a huge amount of content gets spit out.
Comment #12
dawehnerThe code which escapes the title seem to be part of template_preprocess_views_view_row_rss ?
Comment #13
Liam MorlandThat's it. This patch makes the needed change.
Comment #14
Liam MorlandDoes this solution look good to you?
Comment #15
dawehnerWe could all sleep better if there would be a test, which ensures that the output is as expected (so it's escaped once, and really just once). At least for Drupal 8 this is required.
Comment #16
Liam MorlandIn trying to write test I have discovered that this is not the problem. The title is getting escaped somewhere else, but I don't know where.
Comment #17
Liam MorlandThis might be caused by #2011918: Titles are often double-escaped (including in the content attribute of the dc:title meta element for nodes).
Comment #18
Liam MorlandI am no longer sure of what I wrote in #16. I can't get tests to work because, on two different machines, when I run the views tests as they come, I get an "Base table or view not found" error. Are you able to run tests without errors?
Comment #19
Liam MorlandSteps to reproduce the problem on a fresh D7 install:
While my patch in #13 seemed to solve my problem, it doesn't make sense. Everything else is being escaped at that point in the code, so it seems to me that the title should be too. The title must be getting escaped before it gets to the RSS generation code. It is that previous escaping that should be removed.
Comment #20
Liam MorlandComment #21
Liam MorlandWhen the View Format is set to "Show: Content", check_plain() needs to be run on $item->title in template_preprocess_views_view_row_rss() because it is not already escaped.
When the View Format is set to "Show: Fields", "Content: Title" has already been escaped and "Content: Body" has not been escaped. Why are these different?
Comment #22
Pycouz CreditAttribution: Pycouz commentedThank you for the fix. It works for me.
Comment #23
fgjohnson@lojoh.ca CreditAttribution: fgjohnson@lojoh.ca commentedDrupal 7.42 / Wetkit 4.5
I created a view of content, tagged with a Vocabulary Term.
The view is drawing the feed Title from a contextual filter for the tid.
This resulted in the same double encoding issue found in the function template_preprocess_views_view_row_rss()
Can somebody confirm the issue and recreate the views_1189550_escape_rss_title.patch found in #10?
So... This is what I did to resolve it on row 885 in \theme\theme.inc.
Comment #24
fgjohnson@lojoh.ca CreditAttribution: fgjohnson@lojoh.ca commentedAdding attribution.
Comment #25
Liam MorlandComment #26
Liam MorlandDoes this work both when View Format is set to "Show: Content" and when it is set to "Show: Fields"?
Comment #27
fgjohnson@lojoh.ca CreditAttribution: fgjohnson@lojoh.ca commentedYes...
In my environment this seems to work if I choose
- Format / Show / Fields
or
- Format / Show / Content
Comment #28
amund.ostvoll CreditAttribution: amund.ostvoll commentedJust ran into this bug. No negative impacts found with this patch.
Comment #29
amund.ostvoll CreditAttribution: amund.ostvoll commentedComment #30
zalak.addweb CreditAttribution: zalak.addweb commentedComment #31
PolThe patch is the solution to the problem we've encountered. Thanks!
Marked this as reviewed too.
Comment #32
dawehnerAs talked with drupol on IRC we need to ensure that we escape at least once. This should be at least documented in the issue summary or maybe better also as part of the patch.
While a double escaping is bad, having no escaping by accident at all is orders of magnitude worse, of course.
Comment #33
PolHi,
Here's the backtrace of the display of a feed using the Field row plugin.
views_plugin_display_feed->render()
: calls$this->view->style_plugin->render($this->view->result);
views_plugin_style_rss->render()
: calls$rows .= $this->row_plugin->render($row);
views_plugin_row_rss_fields->render()
: calls$item->title = $this->get_field($row_index, $this->options['title_field']);
views_plugin_row_rss_fields->get_field()
: callsreturn $this->view->style_plugin->get_field($index, $field_id);
views_plugin_style_rss->get_field()
: callsviews_plugin_style->get_field()
views_plugin_style->get_field()
: calls$this->render_fields($this->view->result);
views_plugin_style->render_fields()
: calls$this->rendered_fields[$count][$id] = $this->view->field[$id]->theme($row);
views_handler_field_node->theme()
: callsviews_handler_field->theme()
template_preprocess_views_view_field()
: calls$vars['output'] = $vars['field']->advanced_render($vars['row']);
$vars['field']->advanced_render($vars['row'])
: callsviews_handler_field_node->advanced_render()
views_handler_field_node->advanced_render()
: callsviews_handler_field->advancer_render()
views_handler_field->advancer_render()
: calls$value = $this->render($values);
$this->render()
: callsviews_handler_field_node->render()
views_handler_field_node->render()
: callsreturn $this->render_link($this->sanitize_value($value), $values);
$this->sanitize_value($value)
: callsviews_handler->sanitize_values()
views_handler->sanitize_values()
: calls $value = check_plain($value);This is where the first
check_plain()
is done, so, there is no need to have a second one.Comment #34
dawehnerThis explains maybe the case changed in
template_preprocess_views_view_row_rss
, but does it also fortemplate_preprocess_views_view_rss
?Comment #35
PolHi,
Here's the backtrace of the display of content using RSS Feed style and Content row plugin:
views_plugin_display_feed->render()
: calls$this->view->style_plugin->render($this->view->result);
views_plugin_style_rss->render()
: calls$rows .= $this->row_plugin->render($row);
views_plugin_row_node_rss->render()
: callsreturn theme($this->theme_functions());
return theme($this->theme_functions());
: callstemplate_preprocess_views_view_row_rss()
template_preprocess_views_view_row_rss()
: calls $vars['title'] = check_plain($item->title);This is where the first
check_plain()
is done, and here it make sense to keep it.Comment #36
PolHere's an updated patch. I moved the check_plain from the
template_preprocess_views_view_row_rss()
tomethod views_plugin_row_node_rss::render()
, this way there are no more doublecheck_plain()
calls.Comment #37
PolComment #38
dawehnerDoes that mean that every row plugin would have to be adapted? This sounds like a no go to be honest. We really don't want to introduce any chance of an XSS.
Here is an alternative idea:
\Drupal\Component\Render\MarkupInterface
from D8\Drupal\views\Render\ViewsRenderPipelineMarkup
check_plain()
on it.Comment #39
PolHi @dawehner,
Something like this ?
Comment #40
PolUpdated patch.
Comment #41
PolSorry,
I've included the staged files in the patch.
Comment #44
PolUpdated patch, makes more sense now.
Comment #45
PolUpdated patch, makes more sense now.
Comment #47
dawehnerURLs are special, maybe we should choose its own object for them?
Comment #48
PolI agree, but should it be taken in account in this issue ? It's a bit out of scope no ?
Comment #49
dawehnerFeel free to skip the changes for the link. Yeah ideally just maybe fix the title double escaping here?
Comment #50
PolYes that's the idea.
Comment #51
cburschka[took the liberty of fixing the issue description to actually show the double escaped title]
Comment #52
DamienMcKennaComment #53
patrick.norris CreditAttribution: patrick.norris commentedRerolling patch against latest (7.x-3.29).
Comment #54
patrick.norris CreditAttribution: patrick.norris commentedComment #55
patrick.norris CreditAttribution: patrick.norris commentedHelps to upload the correct file.
Rerolling patch against latest (7.x-3.29).
Comment #56
DamienMcKenna