These get double-escaped so when you go to user/1/edit, the title shows up as "Eat at Joe & #039;'s"
I checked regular menu items and they seem fine, so this is probably something goofy in profile module.
Comment | File | Size | Author |
---|---|---|---|
#1 | profile_check_plain.patch | 598 bytes | RobLoach |
Comments
Comment #1
RobLoach
Removing the pass to check_plain seemed to fix the problem. I tried using the PHP tag in there for a simple CSS attack and it escaped the PHP tag cleanly. My guess is that #title is already passed through check_plain.
Comment #2
webchick
Yep, tested and works.
Comment #3
Gábor Hojtsy
Thanks, committed.
Comment #4
Gábor Hojtsy
Better title
Comment #5
Anonymous (not verified)
Automatically closed -- issue fixed for two weeks with no activity.
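The double escaping discussed in this issue, shown as an added example that is not part of the thread, the patch or Drupal's code. `escape_plain()`, `render_title()`, `build_before()`, `build_after()` and `has_double_escape()` are hypothetical stand-ins, and the example assumes, as comment #1 guesses, that the renderer already escapes #title.

```php
<?php
// Added example: hypothetical stand-ins, not Drupal's or the patch's code.

// Stand-in for check_plain(): assumed here to be plain HTML entity escaping.
function escape_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for a form renderer that escapes #title itself at output time.
function render_title(array $element): string {
    return '<label>' . escape_plain($element['#title']) . '</label>';
}

// Before: the caller escapes, then the renderer escapes again.
function build_before(string $title): array {
    return ['#title' => escape_plain($title)];
}

// After: the caller passes raw text and leaves escaping to the renderer.
function build_after(string $title): array {
    return ['#title' => $title];
}

// Regression check: an entity whose leading "&" was itself escaped.
function has_double_escape(string $html): bool {
    return preg_match('/&amp;(#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);/i', $html) === 1;
}

// Constructed sample titles: one with an apostrophe, one carrying markup.
$samples = ["Eat at Joe's", '<script>alert(1)</script>'];

foreach ($samples as $title) {
    foreach (['before' => 'build_before', 'after' => 'build_after'] as $label => $build) {
        $html = render_title($build($title));
        // Raw markup must not survive on either path.
        $raw_tag = strpos($html, '<script') !== false;
        printf("%-6s %-55s double=%s raw_tag=%s\n", $label, $html,
            has_double_escape($html) ? 'yes' : 'no', $raw_tag ? 'yes' : 'no');
    }
}
```

`has_double_escape()` also flags a title in which a user literally typed an entity such as `&lt;`, so it is best run against known fixture strings rather than arbitrary content.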