Updated: Comment #0


In the interest of security should we sanitize _title_callback returns by default?

Proposed resolution

Decide whether to sanitize by default - these are primarily used for breadcrumbs, head title and page title

Remaining tasks

Determine a way to replicate the old PASS_THROUGH logic for when the title contains html

User interface changes


API changes

_title_callback no longer needs to return a sanitized string

Follow-up from #2100397: [meta] Ensure that DX issues identified by a recent review are covered with individual issues.


dawehner’s picture

Issue summary:View changes
Status:Active» Fixed

Autosanization should deal with it, right?

Status:Fixed» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.