Module replaces "&" with "&"

That sounds like a bug...

I just checked and figured out that it isn't actually a bug. Token field values are sanitized by default when they're generated, and the title value is sanitized again before it's printed on the page. That's once too often.

You need to configure your tokens to use the plain version of your text field. This can be done by enabling the "token" view mode on your content type, and setting the formatter for your text-field to "Plain text" (instead of "Default").

Let me know whether this helps.

Glad it works for you :)

If I set the token to clear text and I'm using the token somewhere else (outside of Automatic Entity Label) it may goes unfiltered into the content. This sounds like a high security risk to me.

Does someone know what the difference is between [node:author:field_foo] and [node:author:field-foo]? I guess we need -raw tokens

Does someone know what the difference is between [node:author:field_foo] and [node:author:field-foo]? I guess we need -raw tokens

The value should mostly be the same, but dash tokens are provided by the Entity Tokens module (part of entity), underscore tokens by the Token module, see #1272560: Entity tokens duplicates field tokens created by token module.

Ok, thanks for these details :-).

However the proposed "solution" looks like a major security problem.

However the proposed "solution" looks like a major security problem.

I don't think it is because the token_replace function sanitizes token output by default anyway (see "sanitize" option). So specifying a "raw value" in the token view mode only makes sure that the value is not sanitized twice...

In other words, tokens should always have "raw" values and the responsibility for sanitizing values properly lies with the module allowing token replacement. For the case of "automatic entity labels" the sanitize option on token_replace is disabled, because labels/titles are sanitized automatically when the title is displayed.

Does this make sense?

Makes not really sense to me. In such I case we could have sanitizes tokens disabled by default everywhere as there is no need to sanitize tokens at all - as modules will do the job.

We also had such an issue in token_formatters and as I understood it this was fixed by adding 'html' => TRUE. It may not comparable, but it has also double encoded text.

The Page Title field of the content type doesn't appear in the "Manage Display" then how to apply this solution?

@hass: the computed title is stored in the database as a raw value (e.g. in node.title). If you don't use the module to auto-generate the value and you enter special characters in the title field, the value will be saved as the raw value in the database. So when we do auto-generate the value with token replacement, we need to make sure to do the same and also save raw values (to avoid double-sanitization). That's why I disable the sanitize option when calling the token_replace() function.

If you use the same token somewhere else, then the respective module will also use the token_replace() function to replace token patterns in your string. By default, this step will sanitize all token values (because the sanitize option is set to TRUE by default), so you should not run into any security issues there. If you have your field formatter configured to return sanitized values, you will also get double sanitization in this case. (Of course if your module also disables the sanitize option, then you need to take care of sanitization yourself at a later step.)

Essentially, the token view mode should be configured to always return raw values of fields, because sanitization is usually done at a later step.

Not sure what you're referring to by "setting 'html' => TRUE".

The Page Title field of the content type doesn't appear in the "Manage Display" then how to apply this solution?

You need to apply the solution to the field representing your token, i.e. if you have [node:field-price] in your automatic label pattern, you need to adjust the token display settings for the "price field" -- not the title field.

I have no idea why it's double check_plained. If it's in raw format in the database title field - why is it double check_plained on output? The tokens are only used on node save, not on node view, isn't it? None of my normal node titles are double check_plained, just single check_plained.

I had the same problem with Automatic Nodetitles + drupal 7.9, but it works correctly with AEL + D7.15.
My use case:
- content type with Node reference field and a textfield. The title field is the concatenation of both.

But I need to use the correct token:
[node:field-site-name] Field "field_site_name" is OK
[node:field_site_name] Textfield is not.

#15 working for me…
I was using tokens with underscores with no luck, then changed them with dashes, and everything's ok.
Seems then to be a bug in Entity Tokens…

Here's something funky...

Using Auto Nodetitle and a 2-tiered vocab, if I put [node:field-video-template-category:1:parent] - [node:field-video-template-category:1] the first term gets its "&" replaced with ";&amp" but if the "&" exists in the second term, it does NOT get replaced.

For example, say you have a 2-tiered taxonomy like this:
Milk & Honey
-Sweet Things & Natural Products

If you use Auto Nodetitle to title your nodes with these tokens:
[node:field-video-template-category:1:parent] - [node:field-video-template-category:1]

...you end up with a node titled:
Milk & Honey - Sweet Things & Natural Products

I'm gonna play with the tokens a bit. Maybe there's something else I need to do to get them both to play nice? (Use the 'raw' value?)

UPDATE: Well, that didn't take long.
If I do this:
[node:field-video-template-category:1:parents] - [node:field-video-template-category:1]
....I don't have the "&" problem anymore.
So to recap, it's "parents" and not "parent".

Still kinda weird, no?

#3 didn't work.
Dash token works good, thanks johnv #15

I'm still getting these entities in the latest versions of all modules. My two text fields I am concatenating are both "Plain Text" fields. But I'm still getting html entities in my generated title.

I'm still getting these entities in the latest versions of all modules. My two text fields I am concatenating are both "Plain Text" fields. But I'm still getting html entities in my generated title.

I don't know why that happens for you. Maybe to narrow it down check your database, if {node}.title contains html entities, then it's something wrong with tokens; otherwise it's an issue with the formatter/theme. You could also try using PHP code instead of tokens; that way you have more control over the value.

OK, so I looked at the node table, and the html entities are there in the title. Again, the fields are "Plain Text" fields, so this shouldn't be happening, right? I'll try using PHP mode to fix it, but it would be nice to figure out why it's happening. Is that core field tokens that are the problem then?

Correct, if your fields are plain text then this should not be happening. Core field tokens are most likely not the problem, unless something has changed which I'm not aware of.

Hm, are you configuring the correct view mode? You need to configure either the "token" view mode, or alternatively the "Default" one. Other view modes such as "Teaser" or "Full page" will not affect your token output.

Ahh, that is it. The default was to hide those fields in the "Manage Display" area. But once I customized the "Tokens" display and set those to "Plain text" as well, it did not include the HTML entities. I didn't test it further, but maybe just not having them hidden in the Tokens display fixed it--maybe I didn't have to select plain text. Thanks for your help in figuring it out! I should have remembered the displays, but I forgot.

Hi,

both #3 and #15 worked for me, thanks!

Still an issue for me. I'm using [node:field_tags] instead of [node:field-tags] (a term reference field) because the latter lists the terms alphabetically.

I've verified that the token view for the field is switched to plain text. My guess is that the term reference field is sanitized an additional time.

Interestingly when I display the title in a views field it works fine (apostrophes aren't converted to ').

Does anyone know a direction to investigate this? I'll also go for a way to use [node:field-tags] without terms being alphabetized.

Could it be something similar to this? https://drupal.org/node/2052917

I'm a novice but willing to dive in if I know where.
Thanks

Added code tags to display an entity "as-is".

It might be worth tapping into _auto_entitylabel_patternprocessor() to add e.g. dpm($output); right after the token_replace() line, just to see what the value is prior to the node being saved, that at least would help identify whether the tokens are being processed correctly by token_replace().

FYI just to be clear, AEL v7.x-1.2 passes the 'sanitize' => FALSE value into token_replace(). This means that any irregularities are due to the module that provides the tokens and possibly the entity's token display settings (which starts getting messy/complicated), rather than AEL itself.

To reiterate what @DamienMcKenna said, the values provided by the tokens are the issue. AEL instructs the token callbacks not to sanitize the result and AEL also does not perform encoding on the result.

I experienced this issue when using the standard tokens for fields, which are provided by Drupal. Enabling the Entity Tokens module (packaged with Entity API) and use the tokens it provides worked.

The Page Title field of the content type doesn't appear in the "Manage Display" then how to apply this solution?

You need to apply the solution to the field representing your token, i.e. if you have [node:field-price] in your automatic label pattern, you need to adjust the token display settings for the "price field" -- not the title field.

But what if I need to label the field with [node:title] contents?

I want to label "Title field of the image field" with [node:title] contents

It was rendering correctly in views, just not on the node itself. #15 works for me and maintained the correct handling in views. The token view mode method by itself did not.

Use case:
[node:field-person-first-name] [node:field-person-last-name] to make node title.

Problem still exists in D8 version. Which is strange...

$output = $this->token
      ->replace($pattern, array($entity_type => $entity), array(
        'sanitize' => FALSE,
        'clear' => TRUE
      ));

But not that strange since the _sanitize_ option is not supported.

The caller is responsible for choosing the right escaping / sanitization.
If the result is intended to be used as plain text, using
PlainTextOutput::renderFromHtml() is recommended.

and

// Escape the tokens, unless they are explicitly markup.
foreach ($replacements as $token => $value) {
    $replacements[$token] = $value instanceof MarkupInterface ? $value : new HtmlEscapedText($value);
 }

... and this is fixed in the latest version of the module.

Hello All,

I am using LDAP module. So when ever the password is reset in Drupal user edit form, the same password will be updated in LDAP. Because of this issue, when ever my password has "&" in it the password is not getting updated in LDAP properly. Please let me know if anybody have any solutions for this issue.

I truly appreciate your time.

--
Best
Prashanth

I am still having this issue on my website. I am trying to fill the title field based on tokens. Currently & shows up as &. If I make the fields with the value plain text, the title will not show up on the node page or any views.

Here is a sample of the replacement code in the auto node title field:

$posttype ='[node:field_type_promo_post]';
$article = '[node:field_article_title_promo]';
$product ='[node:field_product_title_promo]';

//EDIT THIS CODE BELOW HERE//

switch ($posttype) {
  case 'Article':
  return $article;

 case 'Product':
  return $product;
}

Any suggestions?

I am getting the following behaviour with 'auto_entitylabel' 7.x-1.x-dev from 2017-Aug-03 in combination with 'token' 7.x-1.x-dev from 2022-Jan-12.

Setup:

Node title is constructed from two text fields (First name and Last name).

In Token browser, I get two token candidates for this:

[node:original:field_name_first_txt] [node:original:field_name_last_txt] and
[node:field_name_last_txt], [node:field_name_first_txt]

I do not know what the difference of these two variants is.
I do not get token variants with dashes (-) instead of underscores (_).

Result:

With both token variants, as well O'Toole as O’Toole is encoded properly in node title.

This works only with the latest development releases (mentioned above). With the recommended releases, O'Brien was garbled to O'Brien, Ra'ad became Ra'ad.

I believe this long-standing enconding issue is now fixed in the latest dev releases. Can anyone confirm this, and if it is fixed, could we get a new recommended release?

Thank you!

Drupal 7 is end of life and no longer supported.
Closing the issue as outdated.