When setting the title of a custom search page, you can use the token '%terms' to insert the user's search terms into the title.

However, these get output with double escaping. For example, a search for "<>chief O'Brien<b>" produces the page title: "Search: &lt;b&gt;Chief O&#039;Brien&lt;b&gt;". In particular, the apostrophe is output incorrectly.

The source of this bug is in apachesolr_search_get_value_title(). This is used as a title callback for the search page, and in apachesolr_search_menu_alter() is passed to the 'title callback' property of the menu items.

apachesolr_search_get_value_title() uses t() with a '@terms' placeholder, which runs the search terms through check_plain().

However, drupal_get_title() already has provision for sanitizing the page title, unless drupal_set_title() was called with the PASS_THROUGH option. We can't change the call to drupal_set_title(), as we're providing a menu title callback, so we shouldn't be escaping the string ourselves, but returning it raw.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

joachim created an issue. See original summary.

joachim’s picture

Status: Active » Needs review
FileSize
871 bytes
mausolos’s picture

This did not solve the problem for me.

This, however, did:

diff --git a/sites/all/modules/contrib/apachesolr/apachesolr_search.module b/sites/all/modules/contrib/apachesolr/apachesolr_search.module
index 34204ed..6cb8e41 100644
--- a/sites/all/modules/contrib/apachesolr/apachesolr_search.module
+++ b/sites/all/modules/contrib/apachesolr/apachesolr_search.module
@@ -367,7 +367,7 @@ function apachesolr_search_get_value_title($search_page_id = NULL, $value = NULL
   }
   return t($page_title, array(
     '@value' => $value,
-    '@terms' => $terms,
+    '@terms' => rawurldecode($terms),
   ));
 }

mausolos’s picture

Status: Needs review » Needs work

The last submitted patch, 4: 2626686.apachesolr.search-terms-title-double-escape-3.patch, failed testing.

douggreen’s picture

Status: Needs work » Needs review
FileSize
396 bytes

Updated patch is relative to the module and not docroot, so that it applies cleanly.