Problem/Motivation
shortcut_preprocess_page() has this code:
$query = array(
'link' => $link,
'name' => $variables['title'],
);
However, $variables['title']
might have markup in it. For example, on a node page, it has a wrapping span
to support quickedit module. So, if you are using a theme that enables the shortcut link on a node page, then when you click the link to add the shortcut, it adds it with a shortcut name containing that markup. That is not desired, because shortcut listings (e.g., the Shortcuts tab in the toolbar) list shortcuts as plain text, so any markup in their name gets double escaped.
Proposed resolution
Option 1
Change the above to strip_tags($variables['title'])
.
Option 2
Don't use $variables['title'] at all, but use the route's title instead. e.g., \Drupal::service('title_resolver')->getTitle(\Drupal::request(), \Drupal::routeMatch()->getRouteObject())
. A variant of this option might also address #686440: Shortcuts that point to dynamic page titles don't automatically update.
Remaining tasks
Decide on option. Write patch with fix + test.
Comments
Comment #1
Wim LeersPathBasedBreadcrumbBuilder::build()
also uses option 2.Comment #2
Wim LeersThere's also a great potential for inconsistencies (i.e. shortcut title != title that the user sees on the page)… but we already have inconsistencies:
(From #2359901: Discourage $main_content['#title'] in favor of route titles and title callbacks.)
Comment #3
jibranI think this is a duplicate of #2672668: Page title with HTML tags shows HTML tags in shortcut label in the shortcut toolbar tray. #2672668 has a patch and waiting for review.
Comment #6
tstoecklerYes, let's close it in favor of the other one. Please re-open if there's a distinct issue.
Comment #7
tstoeckler