When using a colon in the title or alt attribute, filter_xss_bad_protocol() filters text.
Comment | File | Size | Author |
---|---|---|---|
#2 | wrong_behaviour_if_alt-2570715-2.patch | 650 bytes | SpaghettiBolognese |
Comments
Comment #2
SpaghettiBolognese (at Emble) commented: This patch solves our problems in d7.
Comment #3
awochna commented: #2 worked for me.
Comment #4
SpaghettiBolognese (at Emble) commented
Comment #6
geek-merlin
Comment #7
cboyden commented: This update is causing other HTML entities in alt and title text to be encoded, and even double-encoded, when using the Media WYSIWYG button to insert media. I tested this with versions 1.6-RC7 of wysiwyg_filter and 2.11 of Media.
When you insert an image with the Media WYSIWYG button, you go through two steps where there are Alt and Title fields. The first is right after you upload a new image, and the 2nd is the Style Selector. If you enter some alt text with entities in the first form, such as
the alt text that is rendered in the source code is
which then looks like
if you are seeing the alt text in place of the image, or reading it with a screenreader.
Comment #8
geek-merlin: Thanks for reporting!
So this must be reverted.
Comment #10
geek-merlin: Patch in #2105841: Xss filter() mangles image captions and title/alt/data attributes indicates that core omits alt and title from filtering altogether (in fact it looks like original module code was copied from there). Patch appreciated.
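The behaviour discussed in this issue, as an added example that is not part of the thread and is not code from Drupal core or wysiwyg_filter: a simplified model of protocol stripping shows why a colon in alt or title text loses everything before it, and how skipping protocol filtering for those two attributes keeps the text while URL attributes are still filtered. All function names, the allowlist, the sample values and the choice to encode once with `double_encode` disabled are assumptions made for this example.

```php
<?php
// Added illustration: a simplified model, not Drupal core or module code.
// Function names and the protocol allowlist below are hypothetical.

const EXAMPLE_ALLOWED_PROTOCOLS = ['http', 'https', 'mailto'];

/**
 * Strips a leading "scheme:" unless the scheme is on the allowlist.
 */
function example_strip_bad_protocol(string $value): string {
  do {
    $before = $value;
    $colon = strpos($value, ':');
    if ($colon > 0) {
      $scheme = substr($value, 0, $colon);
      // A "/", "?" or "#" before the colon means a relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), EXAMPLE_ALLOWED_PROTOCOLS, TRUE)) {
        // Everything up to and including the colon is dropped.
        $value = substr($value, $colon + 1);
      }
    }
  } while ($before !== $value);
  return $value;
}

/**
 * Filters one attribute value; alt and title skip protocol stripping.
 */
function example_filter_attribute(string $name, string $value): string {
  // alt and title hold display text, never a URL, so a colon is not a scheme.
  $text_only = in_array(strtolower($name), ['alt', 'title'], TRUE);
  if (!$text_only) {
    $value = example_strip_bad_protocol($value);
  }
  // Encode once. double_encode = FALSE (this example's choice) leaves
  // entities already present in the value as they are.
  return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', FALSE);
}

// Constructed sample values.
$alt = 'Figure 3: login flow &amp; reset';
var_dump(example_strip_bad_protocol($alt));                 // text before the colon is lost
var_dump(example_filter_attribute('alt', $alt));            // text and entity preserved
var_dump(example_filter_attribute('href', 'javascript:void(0)'));   // scheme removed
var_dump(example_filter_attribute('href', 'https://example.com/a'));
```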