Opening a separate issue from #746846: Jump menu grouping label encoding, which focused on URL encoding, to prevent duplicate entries.

Bug description: whenever an option in a jump menu contains a special character (such as &), it appears double escaped in the select list (visitors will see "&amp;", HTML source code will be "&amp;amp;").

The culprit is in the file plugins/views_plugin_style_jump_menu.inc, at the following line:
$field = strip_tags($this->row_plugin->render($row));

Before that, options text is not escaped (ampersands code is "&"). After that, it is escaped (ampersands code is "&amp;") and it will be escaped once more later in a theme function (probably form_select_options() which runs check_plain on each option choice). Note that I'm not using any custom theme file or function for the view.


Comments

mdupont’s picture

Note: For the impatient, a temporary workaround is to use hook_form_alter() on $form_id = ctools_jump_menu in a custom module:

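function mymodule_form_alter(&$form, &$form_state, $form_id) {
  switch ($form_id) {
    case 'ctools_jump_menu':
      // Undo the extra layer of escaping on each option label; the select
      // theming escapes the label again when the form is rendered.
      foreach ($form['jump']['#options'] as $key => $value) {
        $form['jump']['#options'][$key] = html_entity_decode($value, ENT_QUOTES);
      }
      break;
  }
}
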
dawehner’s picture

Status: Active » Closed (duplicate)

mdupont’s picture

Status: Closed (duplicate) » Active
FileSize
32.56 KB

Sorry, I have to reopen because I think this is not a duplicate. Details below. If you still think this is a duplicate, I won't argue and I'll post to the other issue.

As you can read on http://drupal.org/node/746846#comment-3150884, the "duplicate" issue was about grouping labels that were URL-encoded, and in the end a patch was committed for that. But the current issue is about regular option items, for which special characters are escaped twice (this is not URL encoding), so we run into display problems when such a character is used.

For an illustration you can compare the attached screenshot to the one attached to the other issue, which is http://drupal.org/files/issues/746846-screenshot.png

I opened a separate issue not to pollute a thread for which a patch was already available, and because it's not exactly the same issue (therefore it would need a separate patch as well).

iamjon’s picture

mdupont, hi,
I spoke to deriene about this on IRC; he said he thinks it's been fixed in 6.x-2.x-dev. Can you confirm?

mdupont’s picture

Hi,

I tested the following setups:

- Views 2.12 + CTools 1.8
- Views 2.x-dev + CTools 1.8
- Views 2.x-dev + CTools 1.x-dev
- Views 3.x-dev + CTools 1.x-dev

The bug is still here on all tested configurations. The ampersand (&) character is escaped to "&amp;", the single quote (') is escaped to "&#039;" and so on. I made sure no cache was activated.

mdupont’s picture

FileSize
2.09 KB

I attached a simple view to demonstrate the bug. Just add a node whose title contains some special characters and look at the /jump-menu-test page.

merlinofchaos’s picture

Assigned: Unassigned » merlinofchaos

ksenzee’s picture

Status: Active » Needs review
FileSize
1.18 KB
1.44 KB

It looks to me like we should be converting the HTML entities in the same place we run strip_tags, since it's at that point that we know we're dealing with rendered text. I'm attaching two patches. One applies to the branch tips for 2.x and 3.x, both D6 and D7. The other applies to 2.11 for the benefit of anyone who needs a fix and isn't yet running -dev or 3.x. (It also includes a fix for the grouping issue from http://drupal.org/node/746846#comment-3150884, which I believe is fixed on the branches.)

MXT’s picture

Tracking.

awolfey’s picture

#8 works for me. Thanks ksenzee.

mrfelton’s picture

Cool, we came across this issue when working with menu_node_views, and ended up committing a patch against that module to fix the problem there.

http://drupalcode.org/project/menu_node_views.git/blobdiff/6103e9c20e0bf...

I've seen other modules with views integration doing a similar thing. Would be great to see this fixed in the Views module.

xurizaemon’s picture

Status: Needs review » Reviewed & tested by the community

Tracking. Patch from #8 (2.11 version, but we don't use grouping anyway) works like it says on the packet, thanks ksenzee.

Node title of "What's your favourite colour?</option><script>alert('x');</script>" appears as it ought to.

Tested on 2x sites.
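
The escaping chain discussed in this thread, as an added example that is not part of the original thread or the committed patch: it contrasts strip_tags() alone with decoding entities at the same point, as described in #8. The example_* functions are hypothetical stand-ins for the row plugin, check_plain() and the select theming, and the order used here (strip tags first, then decode) is an assumption of this example.

```php
<?php
// Hypothetical stand-in for Drupal 6's check_plain(): escape text for HTML.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for the row plugin: the title arrives already
// escaped and wrapped in field markup.
function example_render_row($title) {
  return '<div class="views-field-title"><span class="field-content">'
    . example_check_plain($title) . '</span></div>';
}

// Behaviour reported in the issue: strip_tags() only, entities left in place.
function example_option_before($rendered) {
  return strip_tags($rendered);
}

// Approach described in #8: decode entities where strip_tags() runs.
function example_option_after($rendered) {
  return html_entity_decode(strip_tags($rendered), ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for the select theming, which escapes each label once.
function example_option_html($label) {
  return '<option>' . example_check_plain($label) . '</option>';
}

// Constructed sample titles; the last one is the title tested in the thread.
$titles = array(
  'Fish & chips',
  "What's new",
  "What's your favourite colour?</option><script>alert('x');</script>",
);

foreach ($titles as $title) {
  $rendered = example_render_row($title);
  $before = example_option_html(example_option_before($rendered));
  $after = example_option_html(example_option_after($rendered));
  // With the decode step the label is escaped exactly once, so markup in a
  // title stays inert text and cannot close the <option> element.
  $escaped_once = ($after === example_option_html($title));
  print "title:  $title\n";
  print "before: $before\n";
  print "after:  $after\n";
  print 'escaped exactly once: ' . ($escaped_once ? 'yes' : 'no') . "\n\n";
}
```

The decoded label is raw text and is only safe because the select theming escapes it on output; printing it anywhere without that escaping would put the title's markup back into the page.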

dawehner’s picture

Status: Reviewed & tested by the community » Fixed

Patch looks great. Thanks for writing a patch, ksenzee.

Committed to all three branches.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.