Problem/Motivation
The meta title of pages is escaped twice.
Steps to reproduce:
- create a node whose title is "It's her birthday !"
- display the node
Expected meta title : It's her birthday ! | Site name
Current meta title : It's her birthday ! | Site name
There is a core issue that tries to work on it: #2579091: Make safe_join Twig filter return a Markup object
We can still provide a working version right now.
Proposed resolution
Use the |raw filter on the title variable so it's not escaped again (and it's more secure too).
Remaining tasks
Patch, Review, Commit
User interface changes
None.
API changes
None.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#6 | meta-title-double-escaped-707484-6.patch | 459 bytes | blacklabel_tom |
#2 | zen-prevent_title_double_escape-2833767-2.patch | 455 bytes | DuaelFr |
Comments
Comment #2
DuaelFr
Comment #3
andypost
RTBC, this is pretty annoying to fix every time
Comment #4
JohnAlbin
What? No, you have it backwards. Using the |raw filter is extremely dangerous unless you know what you are doing. e.g. If an anonymous user is allowed to create nodes on a site, allowing un-filtered markup in the title is a security hole.
If there is a problem it is probably in html.html.twig where it says
{% set title = head_title|safe_join(' | ') %}
Also, I don't understand what the issue is. The current issue description has an example with a "current title" of "It's her birthday ! | Site name". It's not double-escaped like the issue claims, so it looks exactly like what I would expect.
Can you update the example so it actually shows the problem?
Comment #5
andypost
Yes, the problem is in this set, which should be removed; see http://cgit.drupalcode.org/zen/tree/STARTERKIT/templates/layout/html.htm...
Core does this in place: http://cgit.drupalcode.org/drupal/tree/core/themes/classy/templates/layo...
It is a double escape: first in safe_join and second in the template on render!
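
The double escape discussed in comments #4 and #5, as an added example that is not part of the original thread or of Zen or Drupal code: a simplified Python model of Twig autoescaping, in which the Markup class and all function names are assumptions made for illustration. Python's html.escape writes an apostrophe as &#x27; where Twig writes &#039;, and the input titles are constructed.

```python
import html


class Markup(str):
    """A string already escaped for HTML; the autoescaper leaves it alone."""


def escape(value):
    # Autoescape step: escape plain strings once, pass Markup through untouched.
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def safe_join_str(parts, glue):
    # Behaviour described in the thread: every part is escaped, but the result
    # is a plain string, so nothing records that it is already safe.
    return str(glue.join(escape(p) for p in parts))


def safe_join_markup(parts, glue):
    # Behaviour proposed in core issue #2579091: same escaping, Markup result.
    return Markup(glue.join(escape(p) for p in parts))


def render(value, raw=False):
    # Models {{ value }} (autoescaped) and {{ value|raw }} (escaping skipped).
    return str(value) if raw else str(escape(value))


def scenarios(node_title, site_name="Site name"):
    parts = [node_title, site_name]
    # {% set title = head_title|safe_join(' | ') %}
    stored = safe_join_str(parts, " | ")
    return {
        "double_escaped": render(stored),                  # {{ title }}
        "raw_after_safe_join": render(stored, raw=True),   # {{ title|raw }}
        # |raw on a value nothing has escaped: markup reaches the page as-is.
        "raw_on_unescaped": render(" | ".join(parts), raw=True),
        "markup_object": render(safe_join_markup(parts, " | ")),
    }


if __name__ == "__main__":
    for title in ("It's her birthday !", "<b>markup</b>"):  # constructed inputs
        for name, out in scenarios(title).items():
            print(f"{title!r:24} {name:20} {out}")
```

In this model |raw gives the right output only because safe_join has already escaped every part; applied to a value that nothing has escaped, it passes markup through unchanged.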
Comment #6
blacklabel_tom at Reason Digital commented
Hi All,
I've attached a patch that fixes this issue for me.
Cheers
Tom
Comment #7
blacklabel_tom at Reason Digital commented