I would like the ability to make these kinds of plural formatting:

```
@count<br/>comments
```

However, that doesn't work, and in my opinion the `<br>` is incorrectly stripped.

In `views_handler_field_numeric::render()` we have this code:

```php
return $this->sanitize_value($this->options['prefix'] . $value . $this->options['suffix']);
```

Why is this value sanitized? We know the value is numeric, and the prefix/suffix etc. are all provided by the site developer. So no injection attacks are possible in this code path. So why sanitize and preclude perfectly acceptable HTML tags?

So I propose we have this:

```php
return $this->options['prefix'] . $value . $this->options['suffix'];
```

Patch attached.
Comment | File | Size | Author
---|---|---|---
#2 | 1134074-numeric_field-filter_xss-su_prefix.patch | 711 bytes | dawehner
 | views_no_sanitize.patch | 585 bytes | berenddeboer
Comments
Comment #1
merlinofchaos commented:

Your patch allows XSS attacks through prefix and suffix and through $value if it turns out not to actually be numeric.
Comment #2
dawehner commented:

What about using filter_xss for prefix/suffix and check_plain for the main value?
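The following is an added illustration of the risk raised in #1 and the split sanitization proposed in #2; it is example code, not the Views module's own. Because it has to run without Drupal, `check_plain()` and `filter_xss()` are replaced by simplified stand-ins (`check_plain_like()`, `filter_xss_like()`): the first mirrors what Drupal 7's `check_plain()` does, the second is a much-reduced allowlist filter that keeps only a few tag names and drops attributes. The original render path is assumed here to escape the whole concatenated string, which is why the `<br/>` from the issue summary never renders as a line break.

```php
<?php
// Added example, not code from the Views module. Simplified stand-ins for
// Drupal 7's check_plain() and filter_xss() so the snippet runs without Drupal.

// Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
function check_plain_like($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Reduced allowlist filter (assumption: a rough approximation of filter_xss()).
// Keeps only the listed tag names, re-emitted without attributes; every other
// tag is escaped so it is shown as text rather than parsed by the browser.
function filter_xss_like($text, array $allowed_tags = array('br', 'strong', 'em')) {
  // A '<' that does not begin a tag name is plain text; escape it outright.
  $text = preg_replace('#<(?![/a-zA-Z])#', '&lt;', $text);
  $pattern = '#<(/?)([a-zA-Z0-9]+)\b[^>]*?(/?)>#';
  return preg_replace_callback($pattern, function ($m) use ($allowed_tags) {
    $tag = strtolower($m[2]);
    if (in_array($tag, $allowed_tags, TRUE)) {
      // Allowed tag: keep open/close marker and self-closing slash, drop attributes.
      return '<' . $m[1] . $tag . ($m[3] ? ' /' : '') . '>';
    }
    return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
  }, $text);
}

// Original render path described in the issue summary: the whole string is
// sanitized, so the <br/> in the suffix is escaped and does not render.
function render_original($prefix, $value, $suffix) {
  return check_plain_like($prefix . $value . $suffix);
}

// The unsanitized version proposed in the issue summary. Safe only while
// $value is really numeric; a non-numeric $value goes to the page verbatim,
// which is the XSS path pointed out in #1.
function render_unsanitized($prefix, $value, $suffix) {
  return $prefix . $value . $suffix;
}

// The approach from #2: developer-supplied prefix and suffix go through the
// tag allowlist (so <br/> survives), the data value is always escaped.
function render_hardened($prefix, $value, $suffix) {
  return filter_xss_like($prefix) . check_plain_like($value) . filter_xss_like($suffix);
}

// Constructed sample input. $tainted stands in for a value that was expected
// to be numeric but is not.
$prefix  = '';
$suffix  = '<br/>comments';
$numeric = 42;
$tainted = '<script>alert(1)</script>';

// The line break in the suffix is escaped along with everything else.
echo render_original($prefix, $numeric, $suffix), "\n";
// The script element in the value reaches the output untouched.
echo render_unsanitized($prefix, $tainted, $suffix), "\n";
// The suffix keeps its <br />, the value is escaped to harmless text.
echo render_hardened($prefix, $tainted, $suffix), "\n";
```

The point of the split is that prefix and suffix are configuration trusted to the site builder and may legitimately contain markup, while `$value` is data and must be escaped regardless of what the handler believes about its type; checking `is_numeric($value)` before skipping escaping would be an alternative, but escaping unconditionally does not depend on that assumption holding.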
Comment #3
merlinofchaos commented:

dereine's version is safe. Should backport 6 to 6.x
Comment #4
dawehner commented:

Committed to 7.x-3.x and 6.x-3.x.
Created a backport for 6.x-2.x and committed to 6.x-2.x.