Tab titles containing special characters such as "&" are rendered as literal "&" in the browser instead of the intended character. The issue is a double HTML-encoding chain in QuickTabs.php.
1. Create a Quicktabs instance with a tab title that contains an ampersand, e.g. Meetings & Events.
2. Place the block on a page and view it.
3. Observe the tab label renders as "Meetings & Events" instead of "Meetings & Events".
Remove the t('@title', ...) wrapper (stored tab titles are not translatable strings) and wrap the Xss::filter() result in Markup::create() so that Link::fromTextAndUrl() recognizes it as already-sanitized HTML. Also add the required "use Drupal\Core\Render\Markup;" statement.
Tab titles with special characters (&, <, >, quotes) will now render correctly instead of showing escaped HTML entities.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 3588550-2-tab-title-double-encoding.patch | 780 bytes | lucuella |
| Screenshot 2026-05-05 at 3.59.49 PM.png | 117.12 KB | lucuella |
Comments
Comment #2
lucuella commentedAttaching patch against 4.1.0. The fix removes the
t('@title', [...])wrapper that was causing the first encoding pass, and wraps theXss::filter()result inMarkup::create()soLink::fromTextAndUrl()does not escape it a second time.Comment #3
lucuella commented