html tags are escaped when adding shortcuts

With regards to the dsm() bug, this can be fixed by changing line 512 of shortcut.admin.inc from

drupal_set_message(t('Added a shortcut for %title.', array('%title' => $link['link_title'])));

to

drupal_set_message(t('Added a shortcut for !title.', array('!title' => $link['link_title'])));

This makes t() pass through $link['link_title'] rather than running check_plain() on it. But I'm not sure if this is a good thing to do with regards to security.

I can't track down the code which escapes the tags in the menu itself - if anyone could tell me where it is I'd be grateful, as I've spent far too much time looking for it =). In any event, what is happening here is more or less expected behaviour from the menu system: if you feed it an entry which has HTML tags in its title, it will escape those tags when it displays the entry. I'm guessing what we should do here, then, is to strip the tags from the link title before adding it into the menu system, but I'd appreciate other thoughts on what is partly a UX issue.

Just confirming that this is still an issue. I'm not sure what to tell you on your menu questions, but maybe bumping this issue will cause someone smarter than me to take a look. :)

Confirming this is still present in alpha1.

Simply filtering all html tags from the page title while creating results in clean shortcut names.
See screenshots for behavior before and after this patch.

Uhm, if you apply the patch the html is stripped from the title and isn't saved.

Hm. Using HTML in titles is a feature imo.
If you look at block.module (especially block_admin_configure it is used to emphase the block name within the page title (and highlight it this way).

Don't know if its a bad idea at all. I like the possibility to do it :).

I think the patch at #705250: Remove HTML markup from Shortcuts (which I just marked as duplicate of this issue) at first glance seems like a better approach.... Why not do this in the menu callback that is actually used to save the link?

I got a new patch adapted to the latest HEAD solving the issue as in #705250: Remove HTML markup from Shortcuts by striping html not when displaying but rather when creating the shortcuts.

Unfortunately I can not reproduce the bug - can anyone give step by step instructions? (The "Management block" used above gives a shortcut named "Configure block" without any html for me.)

In february there's a commit where the shortcut title is auto-generated from the menu item for that path. Now it could only be reproduced if there was some markup there, or if there is no menu item for that link.

Seems fine to me!

#11: 607348_html_in_shortcuts.patch queued for re-testing.

*Retesting old patches*

+++ modules/shortcut/shortcut.admin.inc	19 May 2010 11:06:30 -0000
@@ -701,7 +701,7 @@ function shortcut_link_add_inline($short
-      'link_title' => $title,
+      'link_title' => strip_tags($title),

Usage of strip_tags() is fairly uncommon in Drupal. What we need here is a solid inline comment that explains why strip_tags() is required here.

For example, next to the actual cause for strip_tags(), the code should provide reasoning for as to why it does not set 'html' => TRUE instead.

Powered by Dreditor.