Not sure if this is a bug in the module or the libraries used, but it seems that Typogrify converts any plain text that came from the "Display any HTML as plain text" filter back to HTML. To reproduce:

Turn on these filters and set them in the following processing order:

  1. Display any HTML as plain text
  2. Typogrify

And enter any HTML tags; they don't get filtered.

As soon as you turn off all features of Typogrify, or remove it from the text format altogether, the HTML tags get converted to plain text.

Comment | File | Size | Author
#4 | unfilter-htmlplaintext-2005768.patch | 1.77 KB | Anonymous (not verified)

Comments

subashroy2020’s picture

Very useful information
Thanks

migmedia’s picture

Assigned: Unassigned » migmedia
Priority: Normal » Critical
codycraven’s picture

Confirming, this is a massive bug and a security issue.

Anonymous’s picture

Status | File | Size
new | | 1.77 KB

I have had a look at the code. The attached patch to smartypants.php and unicode-conversion.php will allow Typogrify to work with the "Display any HTML as plain text" filter in the order described in the issue.

The str_replace() call in ProcessEscapes() in smartypants.php converts angle-bracket HTML entities ('&lt;', '&gt;') back to the unescaped original characters ('<', '>'):

str_replace(
    array('\\\\',  '\"',    "\'",      '\.',    '\-',    '\`',    '\,',     '&lt;', '&gt;'),
    array('&#92;', '&#34;', '&#8217;', '&#46;', '&#45;', '&#96;', '&#x2c;', '<',    '>'), $_);

The plain text filter works after removing the angle bracket replacements in ProcessEscapes(). I've replaced them with '"', ''' and '"', "'" as Typogrify looks for them and turns them into typographer quotation marks.

Since the plain filter now works, I've added angle bracket HTML entities to unicode-conversion.php, as Typogrify will now have to work with HTML entities.

I am not sure if this will be the solution for everyone, but it worked in my client's sites for their use so far, so hopefully this is a step in the right direction.
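
The un-escaping described in the comment above, isolated as an added example (not code from the module or from the attached patch). The function names are hypothetical, `htmlspecialchars()` stands in for the "Display any HTML as plain text" filter as an assumption, and the second table simply drops the angle-bracket pair rather than reproducing the patch's replacements.

```php
<?php
// Added example. Function names are hypothetical, not the module's own.

// Stand-in for "Display any HTML as plain text" (assumption: it escapes
// the way htmlspecialchars() does).
function plain_text_filter(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Escape table as quoted from ProcessEscapes(), angle-bracket pair included.
function process_escapes_original(string $text): string {
    return str_replace(
        array('\\\\',  '\"',    "\'",      '\.',    '\-',    '\`',    '\,',     '&lt;', '&gt;'),
        array('&#92;', '&#34;', '&#8217;', '&#46;', '&#45;', '&#96;', '&#x2c;', '<',    '>'),
        $text
    );
}

// Same table with the last pair dropped, so escaped markup stays escaped.
function process_escapes_no_brackets(string $text): string {
    return str_replace(
        array('\\\\',  '\"',    "\'",      '\.',    '\-',    '\`',    '\,'),
        array('&#92;', '&#34;', '&#8217;', '&#46;', '&#45;', '&#96;', '&#x2c;'),
        $text
    );
}

// Regression check for a chain that starts with the plain text filter:
// no raw angle bracket may survive to the output.
function has_raw_markup(string $html): bool {
    return strpbrk($html, '<>') !== false;
}

// Constructed sample input.
$input   = '<h1 title="x">Heading</h1> 5 \- 3';
$escaped = plain_text_filter($input);

foreach (array('process_escapes_original', 'process_escapes_no_brackets') as $fn) {
    $out = $fn($escaped);
    printf("%-30s raw markup: %s\n  %s\n", $fn, has_raw_markup($out) ? 'YES' : 'no', $out);
}
```

A check like `has_raw_markup()` is worth keeping as a test for any text format whose first filter escapes HTML, since a later filter in the chain can undo the escaping without anyone noticing.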

migmedia’s picture

This issue should be fixed in 7.x-1.x-dev.

As a side-effect, all arrow-replacements in the filter settings will be unset, because I haven't found a solution to change/update the filter settings through the update script.
!!! So please check your filter settings after update!

@sunnz Thank you for your effort, your patch is very similar to the solution I had developed over the last few days...

Anonymous’s picture

@migmedia, tested 7.x-1.x-dev and deployed on my client sites, works great!

migmedia’s picture

Status: Active » Fixed

Fixed in 7.x-1.0-rc8

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.