The string editor can output invalid HTML to the page.

If your original/translated string contains HTML entities, these are output unescaped - for example "Questions & Answers" (should be rendered in HTML as "Questions & Answers").

The attached patch refactors the l10n_client_footer() and _l10n_client_string_list() functions to use the theme system, and adds HTML escaping within the theme layer. This will allow developers to create a theme override if their particular use-case requires unescaped strings.

The patch is rolled against 6.x-1.8, but I've applied and tested against DRUPAL-6--2 (with offset -18 lines).

Files: 
CommentFileSizeAuthor
l10n_client.valid_HTML.patch7.16 KBmanarth

Comments

Gábor Hojtsy’s picture

Version:6.x-1.8» 7.x-1.x-dev
Status:Needs review» Patch (to be ported)

Security note: the original string comes from source code, where anything is possible. The user data (translation) goes through XSS checks before saved (and not saved if not compliant), so this is I think not a security issue.

Patch note: please roll against Drupal 7 first and then backport (I'll just be able to apply this patch to Drupal 6-2.x then, thanks).