Validate view_name in ajaxView()

This patch can solve the problem until someone will create better solution.

joelpittet → changed the visibility of the branch 11.x to hidden.

joelpittet → changed the visibility of the branch 3457963-validate-viewname-in to hidden.

Seems to have a test failure so probably need test coverage for this one please

thanks!

There are more use-cases /node/add/öüä, /media/add/öüä, admin/structure/views/view/öüä. So any config name.

I updated the condition to check for a valid name and path in ViewAjaxController.php. The view may be without a path(In case of blocks).

Added new test cases for the Malicious strings in Name, Display Id, and Path.

Pipeline failures

The pipeline issue has been resolved.

Moving status to Review.

Test-only job runs without issue so tests still need work.

here's a solution to the underlying problem (which also solves #14)

https://www.drupal.org/project/drupal/issues/3475540 📌 Throw an understandable exception when there is an attempt to load config entities with disallowed characters Needs work

@jannakha The suggested fix for ASCII is already added,

/**
   * Validates given value to protect from unexpected requests.
   *
   * @param mixed $value
   *   Given value for validation.
   *
   * @return bool
   *   Returns TRUE if value valid, otherwise FALSE
   */
  private function isValid(mixed $value): bool {
    return is_scalar($value)
      && mb_check_encoding($value, 'ASCII');
  }

If 📌 Throw an understandable exception when there is an attempt to load config entities with disallowed characters Needs work solves more problems including this one this should probably be closed.

@smustgrave
The handling in special character on 📌 Throw an understandable exception when there is an attempt to load config entities with disallowed characters Needs work for Configuration settings. But here we patched for Ajax views links. Is the fix on Config will help for the Views URLs?