If you construct a URL (using the l() function) with query string parameters intended for use with the %get[] token, webform does not appear to take HTML entities into consideration.
Imagine you want to pass Sagger Maker's Bottom Knocker as a query string parameter; you would end up with something like this:
http://example.com/webform-test?test=Sagger%20Maker%26%23039%3Bs%20Bottom%20Knocker
Now, using %get[test] in a webform default value field ends up with this:
Sagger Maker&#039;s Bottom Knocker
As you can see, the HTML entity for the apostrophe has not been decoded.
Comments
Comment #1
BladeRider commented:
Oops. Marking as won't fix as the reason for the problem was the offending text being passed through check_plain() - in effect double-escaping!
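The double-escaping described in this thread, reproduced as an added example in plain PHP (not code from the issue or from the webform module). The helper names `html_escape`, `build_url` and `read_param` are hypothetical stand-ins for check_plain(), the query-string encoding behind l(), and the %get[] lookup.

```php
<?php
// Hypothetical stand-in for Drupal 7's check_plain(): HTML-escape, quotes included.
function html_escape($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for query-string building: URL-encode every key and value.
function build_url($path, array $query) {
  $pairs = array();
  foreach ($query as $key => $value) {
    $pairs[] = rawurlencode($key) . '=' . rawurlencode($value);
  }
  return $path . '?' . implode('&', $pairs);
}

// Hypothetical stand-in for what %get[name] reads on the receiving page.
function read_param($url, $name) {
  parse_str(parse_url($url, PHP_URL_QUERY), $params);
  return isset($params[$name]) ? $params[$name] : '';
}

$title = "Sagger Maker's Bottom Knocker";
$base = 'http://example.com/webform-test';

// Wrong: HTML-escape first, then URL-encode. The entity text becomes part of the data.
$bad_url = build_url($base, array('test' => html_escape($title)));
// Right: pass the raw value; URL-encoding is the only encoding a query string needs.
$good_url = build_url($base, array('test' => $title));

foreach (array('double-escaped' => $bad_url, 'raw value' => $good_url) as $label => $url) {
  $received = read_param($url, 'test');
  echo "$label\n";
  echo "  url:      $url\n";
  echo "  received: $received\n";
  // HTML-escape exactly once, at the point the value is written into markup.
  echo "  in HTML:  " . html_escape($received) . "\n";
}
```

Escaping belongs to the output context: URL-encode when building the query string, HTML-escape once when the received value is written into markup.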