I would like the ability to do this kind of plural formatting:

@count<br/>comments

However, that doesn't work, and in my opinion the <br> is incorrectly stripped.

In views_handler_field_numeric.render() we have this code:

return $this->sanitize_value($this->options['prefix'] . $value . $this->options['suffix']);

Why is this value sanitized? We know the value is numeric, and the prefix/suffix etc. are all provided by the site developer. So no injection attacks are possible in this code path. So why sanitize and preclude perfectly acceptable HTML tags?

So I propose we have this:

return $this->options['prefix'] . $value . $this->options['suffix'];

Patch attached.


Comments

merlinofchaos

Status: Needs review » Needs work

Your patch allows XSS attacks through prefix and suffix and through $value if it turns out not to actually be numeric.

dawehner

Status: Needs work » Needs review

What about using filter_xss for prefix/suffix and check_plain for the main value?
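To make the two render paths discussed in the original post and in the comment above concrete, here is an added example (not the Views module's own code) that puts the unsanitized concatenation beside the filter_xss/check_plain version. Outside a Drupal bootstrap, check_plain() and filter_xss() do not exist, so minimal stand-ins are declared under function_exists() guards; the stand-in allow-list and the sample inputs are assumptions for the demo.

```php
<?php
// Added example, not the Views module's code. Outside Drupal the two
// sanitizers are undefined, so minimal stand-ins are declared here. Drupal's
// real filter_xss() uses its own default tag list and also strips dangerous
// attributes and protocols; this stand-in only keeps an assumed tag list.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    // Escape everything: a non-numeric $value can never become markup.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('filter_xss')) {
  // Assumed allow-list for the demo; it deliberately keeps <br>.
  function filter_xss($string, $allowed_tags = array('br', 'em', 'strong')) {
    return strip_tags($string, '<' . implode('><', $allowed_tags) . '>');
  }
}

// The render path proposed in the original post: nothing is sanitized, so
// whatever reaches $value, $prefix or $suffix is emitted verbatim.
function render_unsanitized($value, $prefix, $suffix) {
  return $prefix . $value . $suffix;
}

// The approach from the comment above: site-developer prefix/suffix keep
// harmless markup via filter_xss(); the value goes through check_plain()
// because the handler cannot guarantee it is actually numeric.
function render_sanitized($value, $prefix, $suffix) {
  return filter_xss($prefix) . check_plain($value) . filter_xss($suffix);
}

// Constructed samples: the intended numeric case, and a value that is not
// numeric after all (the case the first reviewer comment raised).
$samples = array(
  array(42, '', '<br/>comments'),
  array('42 <em>oops</em>', '', '<br/>comments'),
);
foreach ($samples as $s) {
  list($value, $prefix, $suffix) = $s;
  echo 'unsanitized: ' . render_unsanitized($value, $prefix, $suffix) . "\n";
  echo 'sanitized:   ' . render_sanitized($value, $prefix, $suffix) . "\n";
}
```

In the second sample the sanitized output keeps the developer's `<br/>` but escapes the `<em>` that arrived inside the value, which is the property the accepted fix relies on.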

merlinofchaos

Status: Needs review » Reviewed & tested by the community

dereine's version is safe. Should backport 6 to 6.x

dawehner

Status: Reviewed & tested by the community » Fixed

Committed to 7.x-3.x and 6.x-3.x.
Created a backport for 6.x-2.x and committed to 6.x-2.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.