taxonomy_autocomplete() uses filter_xss() on the display string, while user_autocomplete() and profile_admin_settings_autocomplete() use check_plain().

Taxonomy terms are plain-text strings that don't allow rich-text formatting, so they should also be passed through check_plain(). Otherwise strange things occur if you have terms containing special characters. The attached image shows the taxonomy term list (1.), and the taxonomy selector on the node edit page during (2.) and after (3.) auto-completion. Note that the suggested items in 2. don't reflect the actual term names.
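The difference the report describes, shown as an added PHP example that is not Drupal core code: check_plain() is reproduced as Drupal 6 defines it, while filter_xss_simplified(), build_matches() and rendered_text() are assumed helpers (filter_xss_simplified() mimics only the tag whitelisting of filter_xss(), which also normalises entities and strips dangerous attributes). The term names are constructed.

```php
<?php
// Added example, not Drupal core code. check_plain() is reproduced as Drupal 6
// defines it. filter_xss_simplified() is an assumed stand-in that keeps only
// the tag whitelisting of filter_xss(); the real function also normalises
// entities and strips dangerous attributes, which does not change the point.

function check_plain($text) {
  // Escapes every HTML-significant character, so the browser shows the
  // string exactly as stored.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function filter_xss_simplified($text) {
  // Same default whitelist as filter_xss(): allowed tags survive as markup.
  return strip_tags($text, '<a><em><strong><cite><code><ul><ol><li><dl><dt><dd>');
}

// Build the autocomplete result the way the callbacks do: the key is the raw
// term name (what the form field receives), the value is the displayed HTML.
function build_matches(array $terms, $sanitizer) {
  $matches = array();
  foreach ($terms as $name) {
    $matches[$name] = call_user_func($sanitizer, $name);
  }
  return $matches;
}

// Approximate what a browser renders for one dropdown entry.
function rendered_text($html) {
  return html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
}

// Constructed term names that a site editor could legitimately create.
$terms = array(
  'Tom & Jerry',                   // plain ampersand
  'Fish &amp; Chips',              // a name that happens to look like an entity
  '<strong>Bold</strong> label',   // whitelisted tag
  '<div>Region</div> North',       // non-whitelisted tag
);

foreach (array('filter_xss_simplified', 'check_plain') as $fn) {
  echo "== $fn ==\n";
  foreach (build_matches($terms, $fn) as $name => $html) {
    $shown = rendered_text($html);
    $verdict = ($shown === $name) ? 'shown as stored' : "shown as '$shown'";
    printf("%-28s -> %-48s %s\n", $name, $html, $verdict);
  }
}
```

With filter_xss_simplified() three of the four suggestions render differently from the stored name; with check_plain() every suggestion renders exactly as stored, which is the behaviour a plain-text field needs.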


Comments

c960657

Issue tags: -quickfix +Quick fix
yched

Sounds good to me - does it still apply?

c960657

Yes (with a 1 line offset).

yched

Status: Needs review » Reviewed & tested by the community

Looks good then.

Dries

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks!

Status: Fixed » Closed (fixed)
Issue tags: -Quick fix

Automatically closed -- issue fixed for 2 weeks with no activity.