I am using a Formatted text field to populate the Marker info text using a token in the "Geolocation Google Maps API - Map" formatter. The HTML in the field is being escaped.
| Comment | File | Size | Author |
|---|---|---|---|
| #26 | 2879274-textformatting.patch | 13.68 KB | ChristianAdamski |
| #20 | 2879274-20.patch | 3.02 KB | flocondetoile |
| #12 | 2879274-12.patch | 3.35 KB | madmanmax |
| #9 | 2879274-9-allowed-tags.patch | 1.61 KB | ChristianAdamski |
Comments
Comment #2
andres.torres
Having the same issue, trying to set a simple link to open the marker in Google Maps by adding this markup:
<a href="http://maps.apple.com/maps?q=[geolocation_current_item:lat],[geolocation_current_item:lng]">Open in Maps</a>
and the output is in plain text.
Is there a way to insert html or twig code into the marker?
Also noticed that adding a token or any value to display into the marker, forces the marker to add the lat, long data to the output and this is data that is not supposed to show since these values are not set on the marker info text field.
Comment #3
Lukas von Blarer
Yes, I solved the issue by using the raw filter in the template geolocation-common-map-location.html.twig:
Comment #4
andres.torres
Very big thank you Lukas!!! Overriding the twig template with the raw option made my day!
Comment #5
ChristianAdamski
Hey all,
Drupal 8 has that concept of "safe markup", which is supposed to prevent XSS and other evil threats. It does mean that twig will autoescape HTML, unless marked safe. Using the "raw" filter would undermine that effort...
Comment #6
rodrigoaguilera
Maybe a friendlier solution than overriding the twig template is to have a checkbox (unchecked by default) that reads something like
"Allow to have unfiltered HTML markup on the marker text" with a warning in the description explaining that this has security implications.
Comment #7
Lukas von Blarer
Sure, my solution is just an ugly workaround and should only be used if access to the field being displayed is restricted. We have to allow input filters to be used for the marker info text. In my case it is a formatted text field and therefore it has already been escaped and is safe.
Comment #8
scottsawyer
I just ran into this. I am building a module that outputs the map in a block using the #type => geolocation_google_map, and I would like to provide a link to open in Google Maps in the location => content. I don't want to override the template for every map that is generated, or try to override for specific maps.
Maybe another setting on the element #locations array like: content_allowed_tags => array('span', 'a', 'div') or something?
Comment #9
ChristianAdamski
Try this patch and report back please. It adds 'strong', 'a', 'span', 'div' to allowed tags for formatter and element.
Not sure if this is how it works.
Comment #10
ChristianAdamski
Locally seems to work.
Comment #11
Lukas von Blarer
The filter needs to be configurable in my opinion.
Comment #12
madmanmax, as a volunteer
I think the best approach is to change the info_text field to a text_format type. No need to make the allowed tags configurable, just use Drupal formatters. I've attached a patch but it's for version 8.x-1.10. I don't have the time to make it for the dev version. And it might need a hook_update_N() as well since we changed the type, but I have no clue how to do this.
Comment #13
JoshuaBud
With #12 is it possible to place twig arguments into the marker config? I have several fields that I want to include but not every location has all of the fields present and when no entry in the node is present it prints out the token. I would think there would be a simple way to not include empty fields in the info markers and certainly not include a token.
Comment #14
Lukas von Blarer
Comment #15
Lukas von Blarer
Sorry, meant to change the status
Comment #17
Lukas von Blarer
Both patches don't apply anymore.
Comment #18
madmanmax, as a volunteer
@JoshuaBud that sounds like a future request. The issue is regarding escaped HTML.
Comment #19
polmaresma
#3 solved the issue for me.
https://www.drupal.org/node/2879274#comment-12098995
Thanks!
Comment #20
flocondetoile
Patch #12 rerolled on latest stable version 1.11. Always need a hook_update_N(). May a simple cache clear be sufficient? I could edit an existing field with a simple drush cr when rerolling this patch.
Comment #21
flocondetoile
Comment #23
KarenS, at Lullabot
The patch in #20 is the correct way to fix this. It allows the user to select the appropriate text format for the info box. I tried it with a token replacement in the info box that returns markup. Before the patch the markup was escaped. After the patch it displays correctly.
This patch looks good to me.
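The handling options weighed in this thread (default escaping, the fixed tag allowlist from #9, and the text format from #12/#20), side by side as an added example that is not part of the original thread or the Geolocation module's code. The helper name `example_marker_content`, the `basic_html` format ID and the sample input are assumptions, and the snippet expects to run inside a Drupal 8+ codebase.

```php
<?php

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

/**
 * Hypothetical helper (not from the Geolocation module): builds the render
 * array for marker info text under one of three handling modes.
 */
function example_marker_content(string $text, string $mode, string $format_id = 'basic_html'): array {
  switch ($mode) {
    case 'text_format':
      // Approach from #12/#20: the filters of the chosen text format decide
      // what survives, as for any other formatted text field.
      return [
        '#type' => 'processed_text',
        '#text' => $text,
        '#format' => $format_id,
      ];

    case 'allowed_tags':
      // Approach from #9: fixed allowlist. The renderer runs Xss::filter()
      // with these tags, which also drops event-handler attributes and
      // unsafe URL protocols.
      return [
        '#markup' => $text,
        '#allowed_tags' => ['strong', 'a', 'span', 'div'],
      ];

    default:
      // Same result as Twig autoescaping: the text is shown as plain text.
      return ['#plain_text' => $text];
  }
}

// Constructed sample input: the link from comment #2 with fixed coordinates,
// plus markup that must not reach the browser.
$sample = '<a href="http://maps.apple.com/maps?q=47.37,8.54" onclick="track()">Open in Maps</a>'
  . '<script>alert(1)</script>';

// What the escaping and allowlist modes let through, using the same
// utilities the renderer relies on.
$escaped = Html::escape($sample);
$allowlisted = Xss::filter($sample, ['strong', 'a', 'span', 'div']);
```

Unlike the `raw` filter from #3, none of these modes passes the field value to the browser unfiltered.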
Comment #24
KarenS, at Lullabot
OK there are test errors, but it looks like they're related to the schema change, so maybe a hook update to clear caches would fix that? Testing it locally I get no errors, but I did clear caches manually.
Comment #25
ChristianAdamski
Note to self: look at this, adapt for 2.x and make it happen for infowindow and contextpopup as well.
Comment #26
ChristianAdamski
Comment #28
ChristianAdamski
Fixed for 2.x. Won't be fixed for 1.x to preserve compatibility.