Channel: Issues for Drupal core

Views strips out video and iframe tags when replacing tokens

Problem/Motivation

When a field containing certain HTML elements like video or iframe is passed through a token rewrite, the element is stripped out, breaking the output.

Steps to reproduce

1. Create a field which outputs a video or iframe tag. This can be a simple body field.
2. Select this field on a view page.
3. Rewrite the output of this field with its Twig placeholder.
4. The video or iframe element is stripped out.

Proposed resolution

Add the video and iframe elements to the XSS whitelist in Views, and refactor all the existing Xss::filterAdmin() calls into a single function so that contrib modules may override the behaviour as necessary.

The argument now is what happens if the content has rare tags like audio or embed that it wants to keep in rewrites.

We can also revisit how the sanitization should work, and whether it should:
1. Sanitize the individual tokens first rather than the final output.
2. Offer a UI option to opt out of XSS sanitization for the field.

Remaining tasks

N/A

User interface changes

N/A

API changes

Introduce a new optional $additional_tags argument to \Drupal\Component\Utility\Xss::filterAdmin() so that specific modules can choose which extra elements they want to provide support for.

Data model changes

N/A

Release notes snippet

TBD
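
The API change described above would let a caller extend the admin tag list. As an added example (not code from this issue or its patch), the same effect can be sketched with the existing Xss::filter() and Xss::getAdminTagList() calls. The helper name filter_admin_with_extra_tags(), its deny list and the sample markup are assumptions, and the script assumes drupal/core-utility is installed via Composer.

```php
<?php

declare(strict_types=1);

// Added example: assumes `composer require drupal/core-utility` was run here.
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Xss;

// Assumption for this example: tags a caller may never re-enable.
const NEVER_ALLOWED_TAGS = ['script', 'style'];

/**
 * Hypothetical helper: admin-level XSS filtering plus caller-chosen tags.
 *
 * Stands in for the proposed Xss::filterAdmin($string, $additional_tags).
 */
function filter_admin_with_extra_tags(string $markup, array $additional_tags = []): string {
  $extra = [];
  foreach ($additional_tags as $tag) {
    $tag = strtolower(trim((string) $tag));
    // Accept plain element names only, so no markup can ride in via the list.
    if (!preg_match('/^[a-z][a-z0-9]*$/', $tag)) {
      throw new InvalidArgumentException("Not a plain tag name: {$tag}");
    }
    if (in_array($tag, NEVER_ALLOWED_TAGS, TRUE)) {
      throw new InvalidArgumentException("Tag may not be allowed: {$tag}");
    }
    $extra[] = $tag;
  }
  // Extend the admin list rather than replacing it; attribute and protocol
  // filtering still applies to the extra tags.
  $allowed = array_values(array_unique(array_merge(Xss::getAdminTagList(), $extra)));
  return Xss::filter($markup, $allowed);
}

// Constructed sample: a rewritten field value with the two elements from the
// issue, plus an event-handler attribute and a script tag that must still go.
$rendered = '<p>Intro</p>'
  . '<iframe src="https://example.com/embed/1" onload="alert(1)"></iframe>'
  . '<video controls src="/clip.mp4"></video>'
  . '<script>alert(1)</script>';

// Current behaviour: iframe and video are not in the admin tag list.
echo Xss::filterAdmin($rendered), PHP_EOL;

// Extended list: only the two named elements are added.
echo filter_admin_with_extra_tags($rendered, ['video', 'iframe']), PHP_EOL;
```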
