Closed (fixed)
Project:
Real Name
Version:
5.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Reporter:
Created:
25 Nov 2008 at 11:54 UTC
Updated:
13 Jan 2009 at 21:40 UTC
The name displayed is corrupted when the fields that compose the realname contain an apostrophe, i.e. Olga D'Amico
It displays Olga D&#039;Amico
Comments
Comment #1
angelopc commented:
That looks correct, to me.
Comment #2
miky_italy commented:
To me it displays:
Olga D & # 0 3 9 ; Amico
without spaces between the D and the following A.
Comment #3
nancydru commented:
Yes, this is an ongoing argument with the core developers and arises out of the need to protect you from hackers.
Right now, my code is being updated for another issue, so I can't commit this fix yet, but it does seem to fix it (and I think gives me an idea for a core patch). In "function realname_make_name", on approximately line 319, you will find
Change that line to
And let me know if that solves the problem.
Comment #4
nancydru commented:
Fix committed to 6.x only.
Comment #5
miky_italy commented:
Verified for the 5.x and your patch works correctly!
Thank you,
Michele
Comment #6
heine commented:
The suggested fix is wrong.
The appearance of &#039; means that the name is passed twice through check_plain. The realname in realname_make_name should be treated as the plain text data it is, and escaped upon using it in another context. This means that you need to escape the name with check_plain the moment it is used in an HTML context.
As you can see from the theme_username documentation, it too treats the username as plaintext and escapes it upon output (either via l() or check_plain).
Please read Safe String Theory for the web and Handle text in a secure fashion for background.
My suggestion is to treat the name as plaintext in realname_make_name (do not use check_plain), and review the uses of the name elsewhere in the module for the need for escaping.
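The double escaping heine describes, as an added PHP example that is not code from the Real Name module or Drupal: check_plain() here is a stand-in with Drupal 6's behaviour (htmlspecialchars with ENT_QUOTES), while realname_make_name_escaping(), theme_username_html() and expect() are hypothetical simplifications of the module and theme layers.

```php
<?php
// Added example, not Real Name module code. check_plain() is a stand-in
// with Drupal 6's behaviour (htmlspecialchars with ENT_QUOTES); the other
// functions are hypothetical simplifications of the module and theme layers.

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The fix under discussion: realname_make_name escapes while *assembling*
// the name, so its return value is already HTML rather than plain text.
function realname_make_name_escaping(array $fields) {
  return check_plain(implode(' ', $fields));
}

// The corrected behaviour: the assembled name stays plain text.
function realname_make_name(array $fields) {
  return implode(' ', $fields);
}

// Stand-in for theme_username(): the HTML context, which escapes on output.
function theme_username_html($name) {
  return '<span class="username">' . check_plain($name) . '</span>';
}

function expect($actual, $expected) {
  if ($actual !== $expected) {
    throw new RuntimeException("got $actual, expected $expected");
  }
}

$fields = array('Olga', "D'Amico");

// Escaped twice: the '&' of '&#039;' becomes '&amp;', so the browser decodes
// only that and shows the rest of the entity literally, as reported above.
expect(theme_username_html(realname_make_name_escaping($fields)),
       '<span class="username">Olga D&amp;#039;Amico</span>');

// Escaped once, at output: the browser decodes &#039; back to the apostrophe.
expect(theme_username_html(realname_make_name($fields)),
       '<span class="username">Olga D&#039;Amico</span>');

// Keeping the name plain text does not weaken protection: markup in a field
// is still neutralised at the point where it enters HTML.
expect(theme_username_html(realname_make_name(array('<b>', 'x'))),
       '<span class="username">&lt;b&gt; x</span>');

echo "all three cases behave as described\n";
```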
Comment #7
nancydru commented:
Thank you, Heine. I have read those references several times, which is why I use check_plain. Perhaps I use it too liberally.
I have removed the check_plain/htmlspecialchars entirely. Committed to both branches.