If we rely on token_replace to sanitize the token output, then any token replacement that contains HTML will have all tags escaped, making it infeasible to use tokens with any form of markup.

This patch turns off token_replace's sanitization operation, and replaces it with a call to filter_xss. An administration page for token_filter is also added, so that admins may select the tags that they wish to allow in token replacements.
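
One way to apply the approach described above while filtering only the token values, as an added example that is not the patch from this issue. It assumes a bootstrapped Drupal 7 site, and every function and variable name prefixed `example_` is hypothetical.

```php
<?php
// Added example, not the patch from this issue. Assumes Drupal 7 core
// (token_replace(), filter_xss(), variable_get()); every name prefixed
// "example_" is hypothetical.

/**
 * Returns the admin-selected tag allowlist as an array of tag names.
 */
function example_token_filter_allowed_tags() {
  // Hypothetical variable holding a space-separated list such as "a em strong".
  $stored = variable_get('example_token_filter_allowed_tags', 'a em strong');
  $tags = preg_split('/\s+/', strtolower(trim($stored)), -1, PREG_SPLIT_NO_EMPTY);
  // Refuse tags that execute script or embed content, whatever was saved.
  return array_values(array_diff($tags, array('script', 'style', 'iframe', 'object', 'embed')));
}

/**
 * token_replace() 'callback': filters each replacement value in place.
 */
function example_token_filter_xss_values(array &$replacements, array $data, array $options) {
  $allowed = example_token_filter_allowed_tags();
  foreach ($replacements as $token => $value) {
    // filter_xss() removes tags outside the allowlist and strips on* and
    // style attributes and unsafe URL protocols from the tags it keeps.
    $replacements[$token] = filter_xss($value, $allowed);
  }
}

/**
 * Replaces tokens in $text without escaping, then allowlist-filters values.
 */
function example_token_filter_replace($text, array $data = array()) {
  return token_replace($text, $data, array(
    // Skip the default escaping so markup in token values survives.
    'sanitize' => FALSE,
    // Filter only the token values; the surrounding text is left to the
    // text format's own filters.
    'callback' => 'example_token_filter_xss_values',
  ));
}
```

Token values such as user names or node titles are user-controlled, so with `'sanitize' => FALSE` the callback is the only barrier between them and the rendered page.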


Comments

darvanen

Status: Needs review » Closed (won't fix)

This module is not intended to extend the functionality of tokens beyond making them available in formatted text.

I think it's a great idea but would be better off as a request on the token module.