Problem/Motivation
When a field containing certain HTML elements like video or iframe is passed through a token rewrite, the iframe element is stripped out, breaking the output.
Steps to reproduce
1. Create a field which outputs a video or iframe tag. This can be a simple body field.
2. Select this field on a view page.
3. Rewrite the output of this field with its Twig placeholder.
4. The video or iframe element is stripped out.
Proposed resolution
Add the video and iframe elements to the XSS whitelist in Views, and refactor all the existing Xss::filterAdmin() calls into a single function so that contrib modules may override the behaviour as necessary.
The open question is what happens when the content has rarer tags, such as audio or embed, that it wants to keep in rewrites.
We can also revisit how the sanitization should work, and whether to:
1. Sanitize the individual tokens first rather than the final output.
2. Provide a UI option to opt out of XSS sanitization for the field.
Remaining tasks
N/A
User interface changes
N/A
API changes
Introduce a new optional $additional_tags argument to \Drupal\Component\Utility\Xss::filterAdmin() so that specific modules can choose which extra elements they want to provide support for.
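The following sketch is an added example, not code from Drupal core or from a patch on this issue. It shows the proposed $additional_tags behaviour and option 1 above (sanitizing individual tokens first) using the existing Xss::filter() and Xss::getAdminTagList() methods. The two helper functions, the autoload path and the sample markup are assumptions made for illustration.

```php
<?php
// Added example. Assumes the drupal/core-utility Composer package (or a
// Drupal code base) is installed so the Xss class can be autoloaded.
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Xss;

/**
 * Hypothetical helper: the admin tag list plus caller-chosen extra tags.
 */
function filter_admin_with_extra_tags(string $markup, array $additional_tags = []): string {
  $tags = array_unique(array_merge(Xss::getAdminTagList(), $additional_tags));
  // Xss::filter() still drops on* and style attributes and strips
  // disallowed URL protocols from the tags it lets through.
  return Xss::filter($markup, $tags);
}

/**
 * Hypothetical helper: sanitize each token value on its own, then substitute
 * it into a rewrite template that only gets the default admin tag list.
 */
function rewrite_with_filtered_tokens(string $template, array $tokens, array $additional_tags = []): string {
  $safe = [];
  foreach ($tokens as $placeholder => $value) {
    $safe[$placeholder] = filter_admin_with_extra_tags($value, $additional_tags);
  }
  return strtr(Xss::filterAdmin($template), $safe);
}

// Constructed sample data: a field value and a rewrite template.
$field = '<iframe src="https://video.example/embed/1" onload="alert(1)"></iframe>';
$template = '<div class="media">{{ body }}</div>';
$rewritten = strtr($template, ['{{ body }}' => $field]);

// Behaviour described in this issue: filtering the final output with the
// default admin list removes the iframe tag.
echo Xss::filterAdmin($rewritten), "\n";

// Proposed behaviour: the caller opts in to extra tags for the final output.
echo filter_admin_with_extra_tags($rewritten, ['iframe', 'video']), "\n";

// Option 1: extra tags apply to token values only, so markup typed into the
// rewrite template itself cannot introduce an iframe.
echo rewrite_with_filtered_tokens($template, ['{{ body }}' => $field], ['iframe', 'video']), "\n";
```

Allowing the iframe tag does not restrict where its src points: any URL with a permitted protocol passes the filter, so callers that opt in still need to decide which embed sources they trust.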
Data model changes
N/A
Release notes snippet
TBD