It appears that webform node body content is being run through my HTML filter twice.
My HTML filter module strips out harmful tags and attributes (including the SCRIPT tag) and then it does things like obfuscating e-mail addresses using JavaScript. So, yes...it removes user-added SCRIPT tags and then adds some of its own.
It seems that webform is passing node content through my filter twice though - so at the first pass, e-mail addresses are being obfuscated with JavaScript, and then on the second pass, the SCRIPT tags for the obfuscation code are being stripped, leaving the plain-text JavaScript code to appear to the user.
I have confirmed that this only happens after upgrading to Webform 3.x, and only happens on webform nodes - regular web page nodes are not affected.
Is there a simple fix to this problem? Thanks!
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | webform_double_filter.patch | 986 bytes | quicksketch |
Comments
Comment #1
quicksketch
Thanks for your very excellent report. I was able to confirm the problem just by setting the "Filtered HTML" input format to escape tags rather than strip them and they're very clearly getting double-encoded. It looks like this problem has existed for as long as 3.x has had the ability to attach to multiple content types.
Right now Webform is manually calling node_prepare() to add the body and links to a node, but this is no longer necessary. See http://api.drupal.org/api/function/node_build_content/6. The fix is just to remove our manual call to node_prepare(), since it is now called for us.
I've applied this patch to CVS and I'll be following up with a 3.1 release shortly. It's amazing how you can have over 4000 installations of 3.x in the beta versions but you don't find all the problems until the mass population starts upgrading. :-)
Comment #2
quicksketch
Comment #3
tjg commented
Yup, that seems to have fixed it. Thanks!
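The failure mode discussed in this thread, as an added example that is not part of the original issue and is not Webform or Drupal code: a filter that strips SCRIPT tags and then emits its own, or one that escapes tags, is not idempotent, so a second pass changes the output of the first. All function names and the sample body are constructed for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration. Every function name here is hypothetical.

// Step 1: drop user-supplied SCRIPT tags (tags only, the content between them stays).
function strip_script_tags(string $html): string {
    return preg_replace('#</?script\b[^>]*>#i', '', $html);
}

// Step 2: replace each e-mail address with a script that writes it at render time.
function obfuscate_emails(string $html): string {
    return preg_replace_callback('/[\w.+-]+@[\w-]+(\.[\w-]+)+/', function ($m) {
        [$user, $host] = explode('@', $m[0], 2);
        return '<script>document.write(' . json_encode($user)
             . '+"@"+' . json_encode($host) . ');</script>';
    }, $html);
}

// The strip-then-obfuscate filter described in the report.
function html_filter(string $html): string {
    return obfuscate_emails(strip_script_tags($html));
}

// The escaping variant used in comment #1 to confirm the double pass.
function escape_filter(string $html): string {
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// A filter tolerates being run twice only if the second pass changes nothing.
function is_idempotent(callable $filter, string $input): bool {
    $once = $filter($input);
    return $filter($once) === $once;
}

$body = '<p>Contact alice@example.org <b>today</b></p>'; // constructed sample

$once  = html_filter($body);   // address replaced by a SCRIPT element
$twice = html_filter($once);   // SCRIPT tags stripped, JavaScript left as text
echo "one pass:   $once\n";
echo "two passes: $twice\n";
echo "escaped twice: " . escape_filter(escape_filter('<b>hi</b>')) . "\n";

// Report which filters would survive an accidental second pass.
foreach (['strip_script_tags', 'html_filter', 'escape_filter'] as $name) {
    printf("%-18s idempotent: %s\n", $name, is_idempotent($name, $body) ? 'yes' : 'no');
}
```

A check like `is_idempotent()` in a filter module's test suite flags filters whose output breaks when a caller runs them more than once on the same content.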