When using the fieldset FAPI element it was possible to output HTML tags as part of the legend; when switching to the details FAPI element, this is no longer possible.

Attached patch fixes this.

Comment | File | Size | Author | Test result
#3 | i2348851-3.patch | 2.28 KB | Jelle_S | PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 79,390 pass(es).
(none) | details-legend-html-tags.patch | 879 bytes | attiks | PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 78,801 pass(es).

Comments

attiks

Status: Active » Needs review

larowlan

Patch is good but if you want to rely on this behavior, I'd recommend adding a test.

Jelle_S

File: i2348851-3.patch, 2.28 KB
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 79,390 pass(es).

New patch with test

attiks

Status: Needs review » Reviewed & tested by the community

Test is looking good

Fabianx

Could we get #2324371: Fix common HTML escaped render #key values due to Twig autoescape in first, then this one could use SafeMarkup::checkAdminXss() and prevent double escaping of strings?

It is not a big deal if not, because filterAdminXss() is pretty much re-entrant, so more asking ...

Damien Tournoud

Yes, isn't this type of thing supposed to be automatically handled by Twig autoescape now? I don't like seeing more Xss::filterAdmin calls in preprocess functions.

Fabianx

Well, yes it escapes it.

So probably we could also say, if you need #title to have HTML, admin XSS escape it yourself.

Like:

#title => SafeMarkup::checkAdminXss('
mytitle

');

In this case this would be a won't fix.

attiks

#7 Sounds good to me, but just wondering if this is documented somewhere, I guess a lot of people will otherwise waste time trying to figure out why they don't see their HTML.

Fabianx

#8 When you do that, does it strip the HTML tags or just output verbatim as:

<h1>Title</h1>

?

In case it is output verbatim, I think people could know, in case it's stripped, we should probably fix it.

The test is still very useful here.

attiks

#9 Verbatim output
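
The outcomes discussed in this thread (verbatim output under autoescape, rendered markup after admin filtering, and the filter being safe to run twice), as an added PHP example that is not part of the original comments or of Drupal core. `SafeString`, `autoescape()`, `admin_filter()`, `render_legend()` and the allowlist are hypothetical stand-ins, and the filter is a simplified model rather than `Xss::filterAdmin`.

```php
<?php
// Added illustration: a simplified model of the behaviour discussed above.
// SafeString, autoescape() and admin_filter() are hypothetical names, not Drupal APIs.

final class SafeString {  // marks markup that was already filtered
    public $html;
    public function __construct(string $html) { $this->html = $html; }
}

// Models template autoescape: plain strings are escaped, SafeString passes through.
function autoescape($value): string {
    return $value instanceof SafeString
        ? $value->html
        : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Simplified admin-style filter: keeps bare allowlisted tags, escapes all text.
function admin_filter(string $input): string {
    $allowed = ['em', 'strong', 'code', 'h1', 'h2', 'span'];  // constructed allowlist
    $parts = preg_split('~(<[^<>]*>)~', $input, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // Text between tags: escape, leaving existing entities intact so
            // that running the filter twice gives the same result.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8', false);
        } elseif (preg_match('~^<(/?)([a-z][a-z0-9]*)\b~i', $part, $m)
            && in_array(strtolower($m[2]), $allowed, true)) {
            // Allowed tag: re-emit it without attributes (drops onclick= etc.).
            $out .= '<' . $m[1] . strtolower($m[2]) . '>';
        }
        // Any other tag (script, img, comments) is dropped.
    }
    return $out;
}

function render_legend($title): string {
    return '<summary>' . autoescape($title) . '</summary>';
}

$title = '<h1 onclick="x()">Title</h1><script>alert(1)</script>';  // constructed input
$filtered = admin_filter($title);

echo render_legend($title), "\n";                     // unfiltered: escaped, tags appear as text
echo render_legend(new SafeString($filtered)), "\n";  // filtered and marked safe: markup renders
echo render_legend($filtered), "\n";                  // filtered, not marked safe: escaped again
var_dump(admin_filter($filtered) === $filtered);      // re-entrancy check
```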

alexpott

Status: Reviewed & tested by the community » Needs work

Needs work for #5, #6, #7, #8, #9, #10 :)

attiks

Maybe this just has to be "won't fix"? Or will this complicate it for developers?

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.