Contrib.social

Allow Views Rewrite Results to include inline SVGs

Open on Drupal.org β†’
Created on 4 January 2017, over 8 years ago
Updated 20 October 2023, over 1 year ago

If a field containing an inline SVG is passed through views rewrite results the SVG is stripped and mostly removed (normally just leaving the the title left).

The same field containing an inline SVG can be used on a normal node page without being stripped.

Views rewrite uses \Drupal\Component\Utility\Xss::filterAdmin() which has protected strings of protected static $adminTags = array('a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'tt', 'u', 'ul', 'var', 'wbr');

Adding some SVG specific strings such as those found in the following popular purifiers would allow common SVG markup and keep it safe from XSS.
https://github.com/cure53/DOMPurify/blob/master/src/purify.js
or
https://github.com/darylldoyle/svg-sanitizer/blob/master/src/data/AllowedTags.php

A section (not full list) by way of example of some strings those purifiers allow is:

 'accent-height','accumulate','additivive','alignment-baseline', 'ascent','azimuth','baseline-shift','bias','clip','clip-path',
'clip-rule','color','color-interpolation','color-interpolation-filters', 'color-profile','color-rendering','cx','cy','d','dy','dy','direction',
'display','divisor','dur','elevation','end','fill','fill-opacity', 'fill-rule','filter','flood-color','flood-opacity','font-family',
'font-size','font-size-adjust','font-stretch','font-style','font-variant', 'font-weight','image-rendering','in','in2','k1','k2','k3','k4','kerning', 'letter-spacing','lighting-color','local','marker-end','marker-mid',
'marker-start','max','mask','mode','min','offset','operator','opacity', 'order','orient','overflow','paint-order','path','points','r','rx','ry','radius', 'restart','scale','seed','shape-rendering','stop-color','stop-opacity',
'stroke-dasharray','stroke-dashoffset','stroke-linecap','stroke-linejoin', 'stroke-miterlimit','stroke-opacity','stroke','stroke-width','transform', 'text-anchor','text-decoration','text-rendering','u1','u2','viewbox', 'visibility','word-spacing','wrap','writing-mode','x','x1','x2','y', 'y1','y2','z',

The issue can be worked around by simply not passing SVGs through views Rewrite results.

It would be worthwhile confirm that adding common SVG strings to the existing XSS filtering would be safe. Is it?
Are there other HTML elements that are safe to add but which we do not permit? (broaden issue?)

Added some related issues which show the same issue relating to responsive images.

✨ Feature request
Status

Active

Version

11.0 πŸ”₯

Component
ViewsΒ  β†’

Last updated about 12 hours ago

Created by

πŸ‡¬πŸ‡§United Kingdom serg2

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago β†’
    πŸ‡¬πŸ‡·Greece vensires
  • Comment over 1 year ago β†’
    πŸ‡¬πŸ‡·Greece vensires

    Until a better solution gets used (ex. override through settings.php or alter hook), I attach a patch which targets the whole Xss class and not Views specifically and adds the SVG and PATH tags to the adminTags array.

    I would even consider removing the "views.module" from the issue's "Component" value - either way it's core though it's usually depicted when using views.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    30,393 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.1 & MySQL 5.7 updated deps
    last update over 1 year ago
    30,393 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & pgsql-14.1
    last update over 1 year ago
    30,393 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & sqlite-3.34
    last update over 1 year ago
    30,393 pass
  • Comment over 1 year ago β†’
    πŸ‡§πŸ‡ͺBelgium beerendlauwers

    I also encountered this issue. Ideally, there should be another toggle under "Rewrite Results" to skip the Xss::filterAdmin filter.

    For now, I'm using the "Rewrite Results" toggle itself for this purpose. See the attached patch. It was written for Drupal 10.1.4, but it'll probably work on other versions.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    Patch Failed to Apply
  • Comment over 1 year ago β†’
    πŸ‡¬πŸ‡·Greece vensires

    Well, I would say that your patch goes to a more opinionated and insecure approach which would work in my scenario too, yes, but it would compromise all views - even if it is not required. From adding two extra tags as allowed to throwing filtering completely out, well there definitely is a gap.

    From what I had read in code and comments etc and understood, I would have expected the HTML template coming from Drupal Views UI to be XssAdmin-filtered, yes, but when TWIG is used no extra processing should be done. In that case I could have separate TWIG files in my theme containing the SVG file only and then be able to include these TWIG files from Drupal Views UI textarea - and we should be safe.

    When talking about the "Custom" Views Field Plugin, it's more or less easily done, we just have to remove Xss::filterAdmin(...) from this:

    /**
 * {@inheritdoc}
 */
public function render(ResultRow $values) {
  // Return the text, so the code never thinks the value is empty.
  return ViewsRenderPipelineMarkup::create(Xss::filterAdmin($this->options['alter']['text']));
}

    But you did mention the field rewriting functionality in general - which might also be easy too, though I haven't studied that far yet. But in general we should be ok from any security issues since FieldPluginBase::renderText() already does the following (among other things):

    if (!empty($alter['alter_text']) && $alter['text'] !== '') {
  $tokens = $this->getRenderTokens($alter);
  $value = $this->renderAltered($alter, $tokens);
  // $alter['text'] is entered through the views admin UI and will be safe
  // because the output of $this->renderAltered() is run through
  // Xss::filterAdmin().
  // @see \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace()
  // @see \Drupal\Component\Utility\Xss::filterAdmin()
  $value_is_safe = TRUE;
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024