Create a secure way to allow custom HTML elements and attributes in rewrite rules for Views

Created on 19 November 2022, over 1 year ago
Updated 14 March 2024, 3 months ago

Problem/Motivation

Web components are becoming more popular
Web components allow you to create custom HTML elements
Custom elements and attributes are not able to be whitelisted
For structured content you can output the custom element in a twig template
However for some components it would be great to use the built-in Drupal rewrite functionality to map multiple items to a specific custom element
The rewrite functionality runs through the filterAdminXss which doesn't provide a way to pass allowlisted attributes
I've not found the cleanest way to implement this, but as components become more widely used this will need a more accessible way to safely allow web components to be used in rewrites and other places on a Drupal site

See attached views config for view with rewrite.
Here is the html that is output by the view:

<div class="view-content">
    <div class="views-row"><div class="views-field views-field-title">
        <span class="field-content">test basic page </span>
    </div></div>
</div>

Here is the expected output:

<div class="view-content">
    <div class="views-row"><div class="views-field views-field-title">
        <span class="field-content"><nic-component>test basic page </nic-component></span>
    </div></div>
</div>

Steps to reproduce

See attached view config.

  • Fresh install
  • Add basic page to site
  • Create new view
  • Create page display of content
  • Unformatted list of fields
  • Edit title field
  • Override output of this field with custom text
  • Enter: {{ title__value }}
  • Apply
  • Save

Proposed resolution

Provide a way to allowlist views rewrite custom html elements.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Active

Version

11.0 🔥

Component
Filter

Last updated about 20 hours ago

No maintainer
Created by

🇺🇸 United States nicxvan
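
An added example (not Drupal core code and not written by anyone in this issue) of what an allowlist for rewrite output could look like: the admin tag list passed to `Xss::filter()` is extended with validated custom element names. The helper name `example_filter_with_custom_elements()` and the sample strings are assumptions, and the script assumes Drupal's autoloader is loaded, for example by running it through `drush php:script`.

```php
<?php
// Added example, not Drupal core code. Assumes Drupal's autoloader is loaded
// (for instance when run with `drush php:script`) so Xss can be resolved.

use Drupal\Component\Utility\Xss;

/**
 * Hypothetical helper: filter markup, keeping an allowlist of custom elements.
 */
function example_filter_with_custom_elements(string $markup, array $custom_elements): string {
  // Hyphenated names reserved by the HTML spec; never accept them as custom.
  $reserved = [
    'annotation-xml', 'color-profile', 'font-face', 'font-face-src',
    'font-face-uri', 'font-face-format', 'font-face-name', 'missing-glyph',
  ];
  // Start from the same tag list that Xss::filterAdmin() uses.
  $allowed = Xss::getAdminTagList();
  foreach ($custom_elements as $name) {
    // Deliberately conservative: lowercase ASCII and at least one hyphen,
    // so a standard element such as "script" can never be added this way.
    $valid = preg_match('/^[a-z][a-z0-9]*(-[a-z0-9]+)+$/', $name) === 1;
    if (!$valid || in_array($name, $reserved, TRUE)) {
      throw new \InvalidArgumentException("Not a custom element name: $name");
    }
    $allowed[] = $name;
  }
  // Xss::filter() removes tags that are not in the list it is given, and
  // still strips on* and style attributes from the tags it keeps.
  return Xss::filter($markup, $allowed);
}

// Constructed sample inputs (not taken from a real site).
$samples = [
  '<nic-component>test basic page </nic-component>',
  '<nic-component onclick="alert(1)">test basic page </nic-component>',
  '<other-component>not allowlisted</other-component>',
];
foreach ($samples as $sample) {
  // First line: admin filter only. Second line: with the allowlist applied.
  echo Xss::filterAdmin($sample), "\n";
  echo example_filter_with_custom_elements($sample, ['nic-component']), "\n\n";
}
```

Comparing the two lines printed per sample shows which elements each filter keeps; the allowlist only widens the set of tag names and leaves attribute filtering untouched.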


Comments & Activities


  • 🇺🇸 United States nicxvan

    After retesting with ckeditor 5, if you allow list the custom element then you can add it to the ckeditor source and it is no longer stripped out.

    This remains an issue with views rewrites.

  • Status changed to Postponed: needs info 4 months ago
  • 🇧🇪 Belgium Wim Leers Ghent 🇧🇪🇪🇺

    After retesting with ckeditor 5, if you allow list the custom element then you can add it to the ckeditor source and it is no longer stripped out.

    🥳

    This remains an issue with views rewrites.

    Could you please share a config export of a minimal view that triggers this problem? 🙏 (It doesn't need to load the actual web component — for the purpose of this issue/bug report AFAICT it's sufficient to observe <nic-webcomponent> to be present in the views rewrite but absent in the user-facing output).

  • Status changed to Active 4 months ago
  • 🇺🇸 United States nicxvan

    I've added steps to reproduce, and an example of the view and actual output vs expected output to the issue summary.

    Let me know if there is anything else to look at next.

  • Assigned to Wim Leers
  • 🇧🇪 Belgium Wim Leers Ghent 🇧🇪🇪🇺

    Thanks, will try to reproduce next week to narrow down 👍

  • Issue was unassigned.
  • 🇧🇪 Belgium Wim Leers Ghent 🇧🇪🇪🇺

    1 month later, didn't happen. And just got reassigned to a new project, so … definitely won't have time. 😬 Sorry.
