Problem/Motivation
Xss::filterAdmin() is currently stripping out harmless elements (i.e. the picture and source HTML elements that are part of the core Responsive Image module).
$adminTags lists the elements that are allowed and would need to be updated.
This bug was first found at https://www.drupal.org/node/2687479. Views is stripping out the picture and source elements when responsive image fields are being rewritten. The patch from that issue will be uploaded here as a starting point / demo of a fix that would need to be reviewed.
Steps to reproduce
This is for testing responsive image support (picture):
- Install Drupal with Umami profile
- Create new View: Content of type Article, Create a page, Save and edit
- Switch Format from Content to Fields
- Add a Media Image field then
- Choose Formatter = Rendered entity and View mode = Responsive 3x2
- Hide from display
- Add a Global: Custom text field then
- Include the previous Media field as a twig variable
- Save and look at the page
Result: See original image for the articles
Expected: See responsive image for the articles
Proposed resolution
Review/update $adminTags to include any html elements that should be allowed.
Remaining tasks
- Verify steps to reproduce
- Review what HTML elements to add
- New HTML elements to be reviewed for XSS vulnerabilities
- Provide an MR with new elements and associated tests
HTML elements to add:
- audio : #86
- button, #3217767: Add support for "button" in views rewrite, #40, #43
- data : #3348218: <data> element stripped by $adminTags
- noscript : #27
- picture : #2687479: Responsive Image not working in rewritten Views field/area due to XSS filtering
- source : #2687479: Responsive Image not working in rewritten Views field/area due to XSS filtering
- template : #3443362: Xss::filterAdmin() to allow "template" elements
- video : #3224619: Views strips out "video", "source" tags from "Global: Custom text" field., #14
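The following script illustrates the behaviour this issue is about: Xss::filterAdmin() drops the picture and source elements today, and extending the allowed tag list keeps them while the attribute filtering still removes on* event handlers and disallowed elements such as script. This is an added demonstration, not code from Drupal core, from the linked patch, or from the MR; it assumes a Drupal checkout whose Composer autoloader is at vendor/autoload.php, and the two elements added to the list (picture, source) are an assumption for the demo, not the final contents of $adminTags. The sample markup is constructed.

```php
<?php
// Added illustration for this issue; not code from Drupal core or the patch.
// Assumes a Drupal codebase so the Component classes autoload from
// vendor/autoload.php (the path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Xss;

// Constructed sample: markup like what the Responsive Image formatter renders,
// a "picture" with one "source" and a fallback "img".
$responsive_markup = '<picture>'
  . '<source srcset="/sites/default/files/styles/wide/public/a.jpg 1x" media="(min-width: 1200px)" type="image/jpeg">'
  . '<img src="/sites/default/files/styles/narrow/public/a.jpg" alt="An example">'
  . '</picture>';

// Constructed sample: the same structure carrying things a filter must still
// remove even once the elements themselves are allowed.
$hostile_markup = '<picture>'
  . '<source srcset="/a.jpg 1x" onload="alert(1)">'
  . '<img src="/a.jpg" alt="x" onerror="alert(1)">'
  . '<script>alert(1)</script>'
  . '</picture>';

// Current behaviour: picture and source are not in $adminTags, so those tags
// are dropped and only the img survives.
echo "filterAdmin():          " . Xss::filterAdmin($responsive_markup) . "\n";

// Proposed behaviour, simulated by extending the admin tag list at call time.
// Which elements finally land in $adminTags is what this issue decides; the
// two added here are an assumption for the demonstration.
$extended_tags = array_merge(Xss::getAdminTagList(), ['picture', 'source']);

echo "extended list, benign:  " . Xss::filter($responsive_markup, $extended_tags) . "\n";

// Allowing an element does not allow arbitrary attributes on it: Xss::filter
// still strips attributes whose name starts with "on", and script remains a
// disallowed tag.
$filtered = Xss::filter($hostile_markup, $extended_tags);
echo "extended list, hostile: " . $filtered . "\n";

// Checks a reviewer of a new entry in $adminTags would want to see hold.
assert(stripos($filtered, '<picture') !== FALSE);
assert(stripos($filtered, '<source') !== FALSE);
assert(stripos($filtered, 'onerror') === FALSE);
assert(stripos($filtered, 'onload') === FALSE);
assert(stripos($filtered, '<script') === FALSE);
```

Run it from the Drupal root with `php -d zend.assertions=1 demo.php` so the assert() calls are evaluated. The point of the hostile case is the review task listed above: adding an element to $adminTags only changes which tags survive, so the review for each candidate element should concentrate on the attributes that element can carry (here srcset, media and type on source) and confirm the existing attribute filtering covers them.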
User interface changes
None
API changes
None
Data model changes
None