/**
 * {@inheritdoc}
 */
public function build() {
  // Let the display handler prepare the view before the block is built.
  $this->view->display_handler->preBlockBuild($this);

  $output = $this->view->buildRenderable($this->displayID, [], FALSE);
  if (!$output) {
    // Nothing to render for this display.
    return [];
  }

  // When the block has no label of its own, fall back to the dynamic title
  // configured in the view. The title is XSS-filtered against the admin tag
  // list before it is placed in the render array.
  if (empty($this->configuration['views_label']) && $this->view->getTitle()) {
    // @todo https://www.drupal.org/node/2527360 remove call to SafeMarkup.
    $output['#title'] = SafeMarkup::xssFilter($this->view->getTitle(), Xss::getAdminTagList());
  }

  // Attach contextual links to the block output before handing it back.
  $this->addContextualLinks($output);
  return $output;
}
/**
 * Escapes #plain_text or filters #markup as required.
 *
 * Drupal relies on Twig's auto-escaping, which escapes any HTML that is not
 * known to be safe. The render system therefore has to make sure that all
 * markup it produces is marked safe, so Twig does not escape it a second
 * time.
 *
 * By default #markup is run through Xss::filter() with the admin tag list.
 * A render array may override that list via #allowed_tags, which must be an
 * array of tag names acceptable to Xss::filter(); the list given there is
 * used as-is. A render array may instead set #plain_text, which is
 * HTML-escaped rather than filtered; when #plain_text is present,
 * #allowed_tags has no effect.
 *
 * @param array $elements
 *   A render array with #markup (or #plain_text) set.
 *
 * @return \Drupal\Component\Render\MarkupInterface|string
 *   The escaped markup wrapped in a Markup object. If
 *   SafeMarkup::isSafe($elements['#markup']) returns TRUE the markup is
 *   neither escaped nor filtered again.
 *
 * @see \Drupal\Component\Utility\Html::escape()
 * @see \Drupal\Component\Utility\Xss::filter()
 * @see \Drupal\Component\Utility\Xss::adminFilter()
 */
protected function ensureMarkupIsSafe(array $elements) {
  $has_markup = !empty($elements['#markup']);
  $has_plain_text = !empty($elements['#plain_text']);

  if (!$has_markup && !$has_plain_text) {
    // Nothing to escape or filter.
    return $elements;
  }

  if ($has_plain_text) {
    // #plain_text takes precedence: it is escaped, not filtered, and any
    // #allowed_tags is ignored.
    $elements['#markup'] = Markup::create(Html::escape($elements['#plain_text']));
    return $elements;
  }

  if (SafeMarkup::isSafe($elements['#markup'])) {
    // Already marked safe; leave it untouched.
    return $elements;
  }

  // XSS filter with the caller-supplied tag list when one is given, otherwise
  // with the admin tag list.
  if (isset($elements['#allowed_tags'])) {
    $allowed_tags = $elements['#allowed_tags'];
  }
  else {
    $allowed_tags = Xss::getAdminTagList();
  }
  $elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $allowed_tags));

  return $elements;
}
/**
 * Overrides \Drupal\views\Plugin\views\display\PathPluginBase::execute().
 */
public function execute() {
  // Execute the view through the parent first; per the original author this
  // is what makes tokens available for the title.
  parent::execute();

  // Render the view.
  $render = $this->view->render();

  // @todo Figure out how to support custom response objects. Maybe for pages
  // it should be dropped.
  if (!is_array($render)) {
    return $render;
  }

  // Add the XSS-filtered view title. The union operator only fills in #title
  // when the render array does not already provide one.
  $title = SafeMarkup::xssFilter($this->view->getTitle(), Xss::getAdminTagList());
  $render += ['#title' => $title];

  return $render;
}