Problem/Motivation
When a field containing certain HTML elements like video or iframe is passed through the a token rewrite, then the iframe element is stripped out breaking the output.
Steps to reproduce
1. Create a field which outputs a video or iframe tag. This can be a simple body field.
2. Select this field on a view page.
3. Rewrite the ouput of this field with it's twig placeholder.
4. The video or iframe element is stripped out.
Proposed resolution
Add the video and iframe elements to the XSS whitelist in views. As well as refactor all the existing XSS:filterAdmin() calls into a single function so that contrib modules may override the behaviour as necessary.
The argument now is what happens if the content has rare tags like audio or embed that it wants to keep in rewrites.
We can also revisit how the sanitization should work. Whether it should:
1. Sanitize the individual tokens first rather than the final output.
2. A UI option to opt out of XSS sanitization for the field.
Remaining tasks
N/A
User interface changes
N/A
API changes
Introduce a new optional $additional_tags argument to \Drupal\Component\Utility\Xss::filterAdmin() so that specific modules can choose which extra elements they want to provide support for.
Data model changes
N/A
Release notes snippet
TBD