taxonomy_autocomplete() uses filter_xss() on the display string, while user_autocomplete() and profile_admin_settings_autocomplete() use check_plain().

Taxonomy terms are plain-text strings that don't allow rich-text formatting, so they should also be passed through check_plain(). Otherwise strange things occur if you have terms containing special characters. The attached image shows the taxonomy term list (1.), and the taxonomy selector on the node edit page during (2.) and after (3.) auto-completion. Note that the suggested items in 2. don't reflect the actual term names.

screenshot-autocomplete.png34.87 KBc960657
taxonomy-autocomplete-1.patch955 bytesc960657
Passed on all environments. View
Members fund testing for the Drupal project. Drupal Association Learn more


c960657’s picture

Issue tags: -quickfix +Quick fix
yched’s picture

Sounds good to me - does it still apply ?

c960657’s picture

Yes (with a 1 line offset).

yched’s picture

Status: Needs review » Reviewed & tested by the community

Looks good then.

Dries’s picture

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks!

Status: Fixed » Closed (fixed)
Issue tags: -Quick fix

Automatically closed -- issue fixed for 2 weeks with no activity.