The core blog module uses this code to include the username, because the links are included with (a variant of) theme_links. So the links are themselves escaped in l():

t("!username's blog", array('!username' => format_username($node)))

Unfortunately flexible_blogs does not do that, it escapes the site name itself, so it becomes double escaped. It should use !site instead (like it does in the attributes):

t('!site blog', array('!site' => variable_get('site_name', 'Drupal')))
CommentFileSizeAuthor
escape-sitename.patch1.06 KBgábor hojtsy

Comments

ksenzee’s picture

ksenzee
she/her
commented

I'm having a hard time reproducing any bugs associated with this. Everything seems to work with special characters in the site name and the user's name. Any help?

basicmagic.net’s picture

basicmagic.net commented

subscribe

David_Rothstein’s picture

David_Rothstein commented
Status: Active » Fixed

I was able to reproduce the bug by putting HTML in the site title. Without the patch, the site name was double-escaped, but with the patch it was (correctly) escaped once.

Therefore, committed: http://drupalcode.org/project/flexible_blogs.git/commit/9fd3b4b

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.