I found an issue: when I enter just the title with an ampersand and no corresponding URL, the HTML entity was being output, so that it showed &amp;.
So in function theme_link_formatter_link_default($vars), I changed the following line:
// If only a title, display the title.
elseif (!empty($vars['element']['title'])) {
return check_plain($vars['element']['title']);
}
To
// If only a title, display the title.
elseif (!empty($vars['element']['title'])) {
return check_plain(htmlspecialchars_decode($vars['element']['title']));
}
I am not sure if htmlspecialchars_decode() opens up any security issues or not. Any feedback on this fix would be helpful.
Comment | File | Size | Author |
---|---|---|---|
#12 | link-html_entity_decode_fix_for_plain_text_title-1836632-12.patch | 501 bytes | nileema.jadhav |
#8 | link-ampersand_title_plain_text-1836632-8.patch | 608 bytes | seanB |
#3 | link_fix-ampersands-in-titles_1836632_3.patch | 534 bytes | JKingsnorth |
Comments
Comment #1
JKingsnorth commented:
Comment #2
jcfiala commented:
So, I'm confused. Was it displaying "This &amp; That" on the screen, or "This & That", for instance?
Also, this isn't the way to present fixes as patches. I welcome patches, so here are a couple of links that may be helpful:
Comment #3
JKingsnorth commented:
The issue boils down to: when using the 'Title as plain text' display for the field, ampersands are converted to:
Test &amp; Test
The hint is in 'as plain text' I suppose. But it would be better if characters like ampersands displayed properly.
Using 'Title as link' does not exhibit this problem.
I've attached a patch for jmart's fix in #1 but the question remains if there are any issues in using this approach in terms of security.
Comment #4
jcfiala commented:
Hmm.... Okay, I got it.
Here's the deal. If there's a URL, then the code goes through the l() function, which checks to see if the option 'html' is true - if it is, it bypasses the check_plain function. (Which it is, usually. By default link fields are set to do token replacement, and that means we feed the title through filter_xss.) However, if there isn't a url, then we force the title through check_plain() even if the 'html' option is on! Whoops.
The short version of all this is, if you don't need token support in the link field, then turn it off and you won't need to patch anything.
I'm thinking tokens should be something that is off by default, actually.
In any case, I've got code that's fixing the immediate problem, but I'm considering the issue of tokens being on by default in a link field.
Comment #5
jcfiala commented:
Okay, I've pushed a fix for this up to the code - should show up in 7.x-1.x-dev tomorrow.
Comment #7
seanB commented:
The latest dev version doesn't seem to check for the HTML option in the 'Title as plain text' formatter.
Probably we should do this:
Comment #8
seanB commented:
Patch is attached.
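The behaviour jcfiala describes in #4 (l() skips check_plain() when the 'html' option is set, but the title-only branch escapes unconditionally) and the missing 'html' check seanB points to in #7, as a runnable added example. This is not Link module code and not any of the attached patches: check_plain() and l() are cut-down stand-ins for the Drupal 7 functions, token_path_sanitize() is a hypothetical approximation of what filter_xss() does to a bare ampersand, the three title_only_* functions are illustrative versions of the title-only branch, and the two titles are constructed inputs.

```php
<?php
// Added example (not Link module code). Minimal stand-ins for the Drupal 7
// helpers so the behaviour described in comment #4 can be run outside Drupal.

// check_plain(): Drupal 7 implements it as htmlspecialchars() with ENT_QUOTES.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// l(): the real function builds the href with url(); the part that matters
// here is that it escapes $text only when the 'html' option is empty.
function l($text, $path, array $options = array()) {
  $text = empty($options['html']) ? check_plain($text) : $text;
  return '<a href="' . check_plain($path) . '">' . $text . '</a>';
}

// Hypothetical approximation of the token path (comment #4 says the title goes
// through filter_xss()): tags are dropped and a bare '&' becomes '&amp;'.
// The real filter_xss() is more involved; this stand-in is an assumption.
function token_path_sanitize($title) {
  $title = strip_tags($title);
  return preg_replace('/&(?![A-Za-z][A-Za-z0-9]*;|#[0-9]+;|#[Xx][0-9A-Fa-f]+;)/', '&amp;', $title);
}

// Title-only branch before the fix: escapes unconditionally, so a title that
// already carries '&amp;' from the token path is escaped a second time.
function title_only_before(array $element, array $link_options) {
  return check_plain($element['title']);
}

// The same branch made consistent with l(): escape only when 'html' is empty.
function title_only_after(array $element, array $link_options) {
  return empty($link_options['html']) ? check_plain($element['title']) : $element['title'];
}

// The decode-then-escape variant from the issue summary, for comparison.
function title_only_decode(array $element, array $link_options) {
  return check_plain(htmlspecialchars_decode($element['title']));
}

// Constructed inputs: a harmless title and a hostile one.
$titles = array('This & That', '<script>alert(1)</script> & co');
$tokens_on  = array('html' => TRUE);  // what the formatter sees with tokens enabled (comment #4)
$tokens_off = array();                // tokens disabled: title is raw, 'html' is empty

foreach ($titles as $raw) {
  echo "raw title: $raw\n";
  $sanitized = token_path_sanitize($raw);
  echo "  tokens on, before fix: ", title_only_before(array('title' => $sanitized), $tokens_on), "\n";
  echo "  tokens on, after fix:  ", title_only_after(array('title' => $sanitized), $tokens_on), "\n";
  echo "  tokens on, decode:     ", title_only_decode(array('title' => $sanitized), $tokens_on), "\n";
  echo "  tokens on, with URL:   ", l($sanitized, 'http://example.com/', $tokens_on), "\n";
  echo "  tokens off, after fix: ", title_only_after(array('title' => $raw), $tokens_off), "\n";
}

// Caveat: title_only_after() trusts whoever set 'html'. If a raw title reaches
// it with 'html' => TRUE (a caller that sets the flag but skips filter_xss()),
// markup passes through untouched.
echo "unsanitized + html flag: ", title_only_after(array('title' => $titles[1]), $tokens_on), "\n";
```

Run it with php. With tokens on, the pre-fix branch prints This &amp;amp; That, which a browser renders as the literal text "&amp;", while the html-aware branch and the link branch print This &amp; That. The decode variant also prints a single &amp; and its output is always escaped, so it does not open an injection, but it also decodes any entity the author typed deliberately. The last line is the trade-off of honouring the flag: the html-aware branch is only safe because the token path has already run filter_xss(), so nothing else may set 'html' on an unsanitized title.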
Comment #9
jedihe (as a volunteer) commented:
Tested seanB's patch and it works fine. Moving to RTBC.
Also adjusting the title to one that better describes the issue.
Comment #11
maxplus commented:
Hi,
#8 solved this issue for me, thanks!
Comment #12
nileema.jadhav (as a volunteer and at TATA Consultancy Services for Pfizer, Inc.) commented:
Small tweak applied.
Comment #13
ruchirashree commented:
Patch #12 is working as expected. Verified on Drupal 7.x, PHP 5.6, MySQL 5.5.
Comment #14
dev.patrick (at TATA Consultancy Services for Pfizer, Inc.) commented:
Applied and checked the patch and it's working. Just to sum up:
Without patch: if manage display has "Title, as plain text" and the title field has content "This & That", it was printing This &amp; That.
After applying patch: we get the desired result This & That. (No need to mention the patch applied cleanly too, as the test passes.) Marking RTBC.
Comment #16
nileema.jadhav (as a volunteer and at TATA Consultancy Services for Pfizer, Inc.) commented:
Comment #17
nileema.jadhav (as a volunteer and at TATA Consultancy Services for Pfizer, Inc.) commented:
Added into 7.x-1.x-dev version.
Comment #19
afarino commented:
This is still an issue in D8.
"&" in a link title field gets converted to "&amp;" when printed onto the page.
I'm using views to print the link so I don't know if this is views related as well.