I found an issue that when I enter in just the title with an ampersand and not a corresponding URL, the HTML entity was being output so that it output &.

So in function theme_link_formatter_link_default($vars), I changed the following line:

// If only a title, display the title.
  elseif (!empty($vars['element']['title'])) {
    return check_plain($vars['element']['title']);
  }

To

// If only a title, display the title.
  elseif (!empty($vars['element']['title'])) {
    return check_plain(htmlspecialchars_decode($vars['element']['title']));
  }

I am not sure if htmlspecialchars_decode() opens up any security issues or not. Any feedback on this fix would be helpful.

CommentFileSizeAuthor
#12 link-html_entity_decode_fix_for_plain_text_title-1836632-12.patch501 bytesnileema.jadhav
#8 link-ampersand_title_plain_text-1836632-8.patch608 bytesseanB
#3 link_fix-ampersands-in-titles_1836632_3.patch534 bytesJKingsnorth
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

JKingsnorth’s picture

JKingsnorth CreditAttribution: JKingsnorth commented
Version: 7.x-1.0 » 7.x-1.x-dev
Issue summary: View changes
Status: Active » Needs review
jcfiala’s picture

jcfiala CreditAttribution: jcfiala commented
Status: Needs review » Needs work

So, I'm confused. Was it displaying "This & That" on the screen, or "This & That", for instance?

Also, this isn't the way to present fixes as patches. I welcome patches, so here's a couple of links that may be helpful:

JKingsnorth’s picture

JKingsnorth CreditAttribution: JKingsnorth commented
Status: Needs work » Needs review
FileSize
link_fix-ampersands-in-titles_1836632_3.patch534 bytes

The issue boils down to: when using the 'Title as plain text' display for the field, ampersands are converted to:
Test & Test

The hint is in 'as plain text' I suppose. But it would be better if characters like ampersands displayed properly.

Using 'Title as link' does not exhibit this problem.

I've attached a patch for jmart's fix in #1 but the question remains if there are any issues in using this approach in terms of security.

jcfiala’s picture

jcfiala CreditAttribution: jcfiala commented
Status: Needs review » Needs work

Hmm.... Okay, I got it.

Here's the deal. If there's a URL, then the code goes through the l() function, which checks to see if the option 'html' is true - if it is, it bypasses the check_plain function. (Which it is, usually. By default link fields are set to do token replacement, and that means we feed the title through filter_xss.) However, if there isn't a url, then we force the title through check_plain() even if the 'html' option is on! Whoops.

The short version of all this is, if you don't need token support in the link field, then turn it off and you won't need to patch anything.

I'm thinking tokens should be something that is off by default, actually.

In any case, I've got code that's fixing the immediate problem, but I'm considering the issue of tokens being on by default in a link field.

jcfiala’s picture

jcfiala CreditAttribution: jcfiala commented
Status: Needs work » Fixed

Okay, I've pushed a fix for this up to the code - should show up in 7.x-1.x-dev tomorrow.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

seanB’s picture

seanB
Primary language Dutch
Location Netherlands
CreditAttribution: seanB commented
Status: Closed (fixed) » Needs work

The latest dev version doesn't seem to check from the HTML option in the 'Title as plain text' formatter.

/**
 * Formats a link's title as plain text.
 */
function theme_link_formatter_link_title_plain($vars) {
  return empty($vars['element']['title']) ? '' : check_plain($vars['element']['title']);
}

Probably we should do this:

/**
 * Formats a link's title as plain text.
 */
function theme_link_formatter_link_title_plain($vars) {
  $link_options = $vars['element'];
  $title = empty($vars['element']['title']) ? '' : $vars['element']['title'];
  $title = $link_options['html'] ? $title : check_plain($title);
  return $title;
}
seanB’s picture

seanB
Primary language Dutch
Location Netherlands
CreditAttribution: seanB commented
Status: Needs work » Needs review
FileSize
link-ampersand_title_plain_text-1836632-8.patch608 bytes

Patch is attached.

jedihe’s picture

jedihe CreditAttribution: jedihe as a volunteer commented
Title: Ampersand in plain title » Double HTML escaping when using plain_title formatter
Status: Needs review » Reviewed & tested by the community

Tested seanB's patch and it works fine. Moving to RTBC.

Also adjusting the title to one that better describes the issue.

The last submitted patch, 3: link_fix-ampersands-in-titles_1836632_3.patch, failed testing.

maxplus’s picture

maxplus CreditAttribution: maxplus commented

Hi,
#8 solved this issue for me, thanks!

nileema.jadhav’s picture

nileema.jadhav CreditAttribution: nileema.jadhav as a volunteer and at TATA Consultancy Services for Pfizer, Inc. commented
Status: Reviewed & tested by the community » Needs review
FileSize
link-html_entity_decode_fix_for_plain_text_title-1836632-12.patch501 bytes

Small tweak applied.

ruchirashree’s picture

ruchirashree CreditAttribution: ruchirashree commented

Patch #12 is working as expected. Verified on D 7.x, PHP 5.6, Mysql 5.5.

dev.patrick’s picture

dev.patrick CreditAttribution: dev.patrick at TATA Consultancy Services for Pfizer, Inc. commented
Status: Needs review » Reviewed & tested by the community

Applied and checked patch and its working. Just to sum up :

Without patch : If manage display has "Title, as plain text" and in title field has content "This & That" it was printing This & That.

After applying patch : We get desired result This & That. (No need to mention patch applied cleanly too as test is pass). Marking RTBC.

  • nileema.jadhav committed 7c501ee on 7.x-1.x 
    Issue #2216399 by jemond: Provide Formatter to remove http:// or https...
nileema.jadhav’s picture

nileema.jadhav CreditAttribution: nileema.jadhav as a volunteer and at TATA Consultancy Services for Pfizer, Inc. commented
nileema.jadhav’s picture

nileema.jadhav CreditAttribution: nileema.jadhav as a volunteer and at TATA Consultancy Services for Pfizer, Inc. commented
Status: Reviewed & tested by the community » Fixed

Added into 7.x-1.x-dev version.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

afarino’s picture

afarino CreditAttribution: afarino commented

This is still an issue in D8

"&" in a link title field gets converted to "&" when printed onto page.

I'm using views to print the link so I don't know if this is views related as well.