Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.In og.field.inc, og_field_formatter_view() generates a label for a group from og_label(), which is then passed to theme_link(). The problem with this is og_label_multiple() by default calls filter_xss() on the text, which escapes any entities; theme_link calls check_plain() on the text it's given, which also escapes any entities.
The correction is very simple, as og_label_multiple() does allow for values to not be sanitized. Patch will be attached which corrects the issue.
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | og_field_formatter_html_link_1338066_4.patch | 433 bytes | timcosgrove |
| #1 | og_field_formatter_no_santize_1338066_1.patch | 606 bytes | timcosgrove |
Comments
Comment #1
timcosgrove CreditAttribution: timcosgrove commentedPatch attached. This is against current 7.x-1.x.
Comment #2
timcosgrove CreditAttribution: timcosgrove commentedComment #3
amitaibuMaybe we should pass html => TRUE to the theme_link(), as we prefer filter_xss() than check_plain() for cases the group name is for example "H&M".
Comment #4
timcosgrove CreditAttribution: timcosgrove commentedCool, no problem.
Comment #5
amitaibuMoving people here from #1276552: Character encoding fails on group_audience field
Comment #6
bulldozer2003I like it! Thanks.
Comment #7
franz+1 to this, works.
Comment #8
amitaibuCommitted, thanks.