The class Attribute is used in Drupal to collect and render HTML attributes. It applies 'htmlspecialchars' (inside check_plain) to everything. It modifies the value of any attribute that may contain one of the five special characters (&, ', ", <, >). The purpose is to allow these characters to be displayed on the page but not treated as markup in the document. But Drupal's blanket approach has the side effect of eliminating the use of 'numeric character references' (NCRs). These are identified by a prefix of '&#', a decimal or hexadecimal number N that maps to the Unicode character set, and a suffix of ';'. NCRs are legal HTML markup and are supported by all mainstream browsers (though some older implementations were poor, e.g. IE6). By converting the '&' in the NCR to '&amp;', check_plain destroys the NCR.
This has stopped . That issue uses the 'data-*' attribute to display iconic characters from an icon font in menu links. The patch there retrieves and properly saves the attribute, but when the link is to be printed to the document, a call to Attribute ends up modifying the string and destroying its value as an NCR.
The solution is to filter out NCRs from being processed by check_plain in AttributeString.php.
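The filtering described above, sketched as an added example (this is not the issue's patch or Drupal's own code): it escapes an attribute value the blanket way and then in a way that leaves well-formed NCRs intact. The function names, the `ENT_QUOTES`/`UTF-8` arguments, the code point checks and the sample values are assumptions of this example.

```php
<?php
// Added example: the function names and sample values below are hypothetical.

// Blanket escaping, as the summary describes check_plain doing through
// htmlspecialchars. The ENT_QUOTES / UTF-8 arguments are an assumption.
function escape_blanket(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// $ref is the text between '&#' and ';'. Returns TRUE only for a code point
// that may legitimately appear in a document: tab, LF, CR, or anything from
// U+0020 to U+10FFFF outside the surrogate range.
function is_valid_ncr(string $ref): bool {
  $cp = (stripos($ref, 'x') === 0) ? hexdec(substr($ref, 1)) : (int) $ref;
  if (in_array($cp, [0x09, 0x0A, 0x0D], TRUE)) {
    return TRUE;
  }
  return $cp >= 0x20 && $cp <= 0x10FFFF && !($cp >= 0xD800 && $cp <= 0xDFFF);
}

// Escapes everything except well-formed NCRs. The digit counts in the
// pattern are bounded so the numeric conversion can never overflow.
function escape_preserving_ncr(string $value): string {
  $pattern = '/(&#(?:x[0-9a-f]{1,6}|[0-9]{1,7});)/i';
  // With DELIM_CAPTURE the NCR candidates land in the odd-indexed slots.
  $parts = preg_split($pattern, $value, -1, PREG_SPLIT_DELIM_CAPTURE);
  $out = '';
  foreach ($parts as $i => $part) {
    $keep = ($i % 2 === 1) && is_valid_ncr(substr($part, 2, -1));
    // Anything that is not a valid NCR, including a bare '&', is escaped.
    $out .= $keep ? $part : escape_blanket($part);
  }
  return $out;
}

// Constructed sample values: an icon-font glyph as an NCR mixed with markup
// characters, a surrogate reference, and an unterminated reference.
$samples = ['&#xf015; Home "<b>" & more', '&#xD800;', '&#65 AT&T'];
foreach ($samples as $sample) {
  echo 'blanket:    ', escape_blanket($sample), PHP_EOL;
  echo 'preserving: ', escape_preserving_ncr($sample), PHP_EOL;
}
```

Browsers decode character references only after the attribute has been tokenized, so a preserved NCR cannot close the attribute or start a new one. Code that validates attribute values, such as a URL scheme check on href, has to inspect the decoded value.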
PASSED: [[SimpleTest]]: [MySQL] 53,873 pass(es).
FAILED: [[SimpleTest]]: [MySQL] 53,859 pass(es), 6 fail(s), and 0 exception(s).
PASSED: [[SimpleTest]]: [MySQL] 53,883 pass(es).
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 1930322-decode-safe-entities-for-HTML-attributes-73.patch. Unable to apply patch. See the log in the details link for more information.