Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.The string editor can output invalid HTML to the page.
If your original/translated string contains HTML entities, these are output unescaped - for example "Questions & Answers" (should be rendered in HTML as "Questions & Answers").
The attached patch refactors the l10n_client_footer() and _l10n_client_string_list() functions to use the theme system, and adds HTML escaping within the theme layer. This will allow developers to create a theme override if their particular use-case requires unescaped strings.
The patch is rolled against 6.x-1.8, but I've applied and tested against DRUPAL-6--2 (with offset -18 lines).
| Comment | File | Size | Author |
|---|---|---|---|
| l10n_client.valid_HTML.patch | 7.16 KB | manarth | |
Comments
Comment #1
Gábor HojtsySecurity note: the original string comes from source code, where anything is possible. The user data (translation) goes through XSS checks before saved (and not saved if not compliant), so this is I think not a security issue.
Patch note: please roll against Drupal 7 first and then backport (I'll just be able to apply this patch to Drupal 6-2.x then, thanks).