As per the title, the [submission:values] token should print as HTML when used in confirmation message. Right now it displays as plain text, which ends up scrunching the entire submission and all the labels onto one really long line of text.


Comments

quicksketch

Title: [submission:values] token should print as HTML when used in confirmation message » Separate token replacement from security checks and move security checks to public namespace

Hm, actually this issue goes *much* deeper.

The problem with confirmation messages being printed in plain text comes from our token replacement depending on the $email parameter in order to render as HTML. This doesn't make much sense because there are plenty of places where rendering tokens as HTML would be useful (such as the confirmation message or a "summary component" in #1242914: Summary component).

Worse, we have a conflicting use of _webform_filter_xss() in _webform_filter_values(): if you ask for "strict" output, it will let token module return HTML, but then it's stripped out by our call to _webform_filter_xss() at the end of the function. So even if we wanted to get HTML output out of the tokens, it gets stripped by _webform_filter_xss().

To solve this problem, I'd like to recommend deprecating our current overleveraged _webform_filter_values() function. Considering it filters much more than just values now, and it's basically just a wrapper around token_replace(), let's call it "webform_replace_tokens". Additionally, _webform_filter_descriptions() and _webform_filter_xss() are called all over the place and treated as public functions. Let's make those public so other components can use them just as easily as Webform itself does.

quicksketch

Status: Active » Needs review
File size: 36.57 KB

Here's a patch which makes all these changes (mostly find/replace):

- _webform_filter_values() replaced with webform_replace_tokens().
- _webform_filter_xss() replaced with webform_filter_xss().
- _webform_filter_descriptions() replaced with webform_filter_descriptions().
- webform_replace_tokens() sets $sanitize = FALSE instead of TRUE, since 9/10 uses need it FALSE. This trims out quite a few empty parameters being passed to the function all over the place.
- Token values are now HTML/plain-text based on the $sanitize option.
- Default values everywhere are now properly unsanitized, since they get filtered by FAPI.
- All the old functions still exist, but are marked deprecated.
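The following stand-alone PHP script is an added illustration, not Webform's own code: it reproduces, with toy helpers, the two behaviours discussed in this thread. demo_filter_xss() stands in for _webform_filter_xss() (a tag whitelist via strip_tags), the $submission array is constructed sample data, and the $email context is a placeholder. The "old" function renders HTML only when an $email is present and then runs the whole result through the XSS filter, so the list markup is stripped again and the values collapse onto one line; the "new" function follows the $sanitize flag alone and escapes each user-supplied value before substitution, which is also why an HTML e-mail must pass TRUE for that flag.

```php
<?php
// Added example (not part of the Webform module). All helpers below are
// assumed stand-ins for the real _webform_filter_xss()/token_replace() path.
declare(strict_types=1);

/** Toy stand-in for _webform_filter_xss(): keep only a small tag whitelist. */
function demo_filter_xss(string $text): string {
  return strip_tags($text, '<b><i><a>');
}

/** Render [submission:values] as HTML, escaping every user-supplied value. */
function demo_values_html(array $values): string {
  $items = '';
  foreach ($values as $label => $value) {
    $items .= '<li><strong>' . htmlspecialchars((string) $label, ENT_QUOTES, 'UTF-8')
      . ':</strong> ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

/** Render [submission:values] as plain text, one "Label: value" per line. */
function demo_values_plain(array $values): string {
  $lines = [];
  foreach ($values as $label => $value) {
    $lines[] = $label . ': ' . $value;
  }
  return implode("\n", $lines);
}

/**
 * Pre-patch shape: HTML is chosen only when an $email context exists, and the
 * finished string is filtered afterwards. <ul>, <li> and <strong> are not on
 * the whitelist, so the list structure is stripped out again.
 */
function demo_old_filter_values(string $text, array $values, ?array $email): string {
  $rendered = $email !== NULL ? demo_values_html($values) : demo_values_plain($values);
  $out = str_replace('[submission:values]', $rendered, $text);
  return demo_filter_xss($out);
}

/**
 * Post-patch shape: the output format follows $sanitize alone. With TRUE the
 * values are escaped individually and the markup survives; with FALSE the
 * caller receives plain text and is responsible for filtering it (as FAPI does
 * for default values).
 */
function demo_replace_tokens(string $text, array $values, bool $sanitize = FALSE): string {
  $rendered = $sanitize ? demo_values_html($values) : demo_values_plain($values);
  return str_replace('[submission:values]', $rendered, $text);
}

// Constructed sample submission, including a value that carries markup.
$submission = [
  'Name'    => 'Ada',
  'Comment' => '<script>alert(1)</script> thanks',
];
$confirmation = "<p>Thanks for your submission:</p>[submission:values]";

echo "Old path with an e-mail context (markup stripped, one long line):\n";
echo demo_old_filter_values($confirmation, $submission, ['html' => TRUE]), "\n\n";

echo "New path with \$sanitize = TRUE (escaped values inside intact markup):\n";
echo demo_replace_tokens($confirmation, $submission, TRUE), "\n\n";

echo "New path with \$sanitize = FALSE (plain text, caller must filter):\n";
echo demo_replace_tokens($confirmation, $submission, FALSE), "\n";
```

Run it with `php demo.php`: the first block shows every label and value run together because the filter removed the list tags, while the second keeps the list and neutralises the injected `<script>` by escaping it rather than by stripping the whole string.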

quicksketch

Status: Needs review » Fixed

Committed to 4.x. Changelog entry made: https://drupal.org/node/1609324#webform-security

quicksketch

Small followup patch that also needed committing. Because webform_token_replace() now depends only on the $sanitize option for HTML content, we need to pass in TRUE for e-mails that are HTML.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.