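 /**
  * {@inheritdoc}
  *
  * Builds the block's render array from the wrapped view display.
  *
  * The display handler is given a chance to prepare first (preBlockBuild),
  * then the display is built into a renderable array. When the block has no
  * explicit label configured ('views_label' is empty) and the view has a
  * title, that title becomes '#title'. Because the view title is not a
  * trusted string it is not used verbatim: it is XSS-filtered against the
  * admin tag list (an allow-list, see Xss::getAdminTagList()). Contextual
  * links are attached before returning.
  *
  * @return array
  *   The render array for the block, or an empty array when the display
  *   produced no renderable output.
  */
 public function build()
 {
     $this->view->display_handler->preBlockBuild($this);
     $output = $this->view->buildRenderable($this->displayID, [], FALSE);
     if (!$output) {
         return [];
     }
     // Only fall back to the view's dynamic title when no block label is set;
     // getTitle() is deliberately not called otherwise.
     if (empty($this->configuration['views_label'])) {
         $title = $this->view->getTitle();
         if ($title) {
             // @todo https://www.drupal.org/node/2527360 remove call to SafeMarkup.
             // Admin tag list: the title may carry markup, so filter rather than trust.
             $output['#title'] = SafeMarkup::xssFilter($title, Xss::getAdminTagList());
         }
     }
     // Attach contextual links to the renderable array before handing it back.
     $this->addContextualLinks($output);
     return $output;
 }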
 /**
  * Makes a render element's markup safe: escapes #plain_text or filters #markup.
  *
  * Twig auto-escapes anything not already marked safe, so the render system
  * has to hand Twig markup that is known-safe (a Markup object) to avoid
  * double escaping. Two inputs are handled:
  * - #plain_text: always HTML-escaped with Html::escape() and wrapped as
  *   Markup; it replaces #markup and #allowed_tags is ignored.
  * - #markup: if not already safe (SafeMarkup::isSafe()), it is run through
  *   Xss::filter() using #allowed_tags when that key is set, otherwise the
  *   admin tag list. #allowed_tags must be a tag array Xss::filter() accepts.
  *
  * NOTE(review): #allowed_tags is trusted exactly as given. If a caller ever
  * derives it from anything other than code, the filter is only as strict as
  * that list — confirm at call sites.
  *
  * Elements with neither #markup nor #plain_text are returned untouched. A
  * #markup that is already safe is neither escaped nor filtered again.
  *
  * @param array $elements
  *   A render array, expected to carry #markup and/or #plain_text.
  *
  * @return array
  *   The same render array with #markup replaced by a Markup object where
  *   escaping or filtering was applied.
  *
  * @see \Drupal\Component\Utility\Html::escape()
  * @see \Drupal\Component\Utility\Xss::filter()
  * @see \Drupal\Component\Utility\Xss::adminFilter()
  */
 protected function ensureMarkupIsSafe(array $elements)
 {
     $hasMarkup = !empty($elements['#markup']);
     $hasPlainText = !empty($elements['#plain_text']);

     // Nothing to protect: hand the element back as is.
     if (!$hasMarkup && !$hasPlainText) {
         return $elements;
     }

     // Plain text wins over markup and is escaped rather than filtered.
     if ($hasPlainText) {
         $escaped = Html::escape($elements['#plain_text']);
         $elements['#markup'] = Markup::create($escaped);
         return $elements;
     }

     // Markup already marked safe is passed through without further filtering.
     if (SafeMarkup::isSafe($elements['#markup'])) {
         return $elements;
     }

     // Untrusted markup: filter with the caller's tag list, else the admin list.
     if (isset($elements['#allowed_tags'])) {
         $allowedTags = $elements['#allowed_tags'];
     } else {
         $allowedTags = Xss::getAdminTagList();
     }
     $filtered = Xss::filter($elements['#markup'], $allowedTags);
     $elements['#markup'] = Markup::create($filtered);
     return $elements;
 }
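 /**
  * Overrides \Drupal\views\Plugin\views\display\PathPluginBase::execute().
  *
  * Runs the parent execution, then renders the view. The view is rendered
  * before its title is read because, per the original note, the title can
  * depend on tokens that are only available once the view has executed.
  * If the render result is an array without a '#title' of its own, the
  * view's title is added after being XSS-filtered with the admin tag list;
  * the array union ('+=') never overwrites an existing '#title'. A non-array
  * render result is returned unchanged.
  *
  * @return array|mixed
  *   The render array with a '#title', or whatever $this->view->render()
  *   returned when that is not an array.
  */
 public function execute()
 {
     parent::execute();
     // Render first so that tokens needed for the title are available.
     $render = $this->view->render();
     // @todo Figure out how to support custom response objects. Maybe for pages
     //   it should be dropped.
     if (is_array($render)) {
         // '+=' only fills in '#title' when the render array has none; the
         // title is filtered rather than trusted since it may carry markup.
         $render += ['#title' => SafeMarkup::xssFilter($this->view->getTitle(), Xss::getAdminTagList())];
     }
     return $render;
 }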