I'm using the auto_nodetitles module in conjunction with the locations module to create a content type which populates it's node's title field with the location's name (using node location) via the htmlspecialchars_decode() function in PHP.
I stayed away from using tokens by themselves because sometimes a location might have an amberstand or an apostrophee, and they render with their HTML character representation, rather than the real chartacters.
My code looks like:
$token = '[location-name_0]';
if (empty($token)) {
return '[type]';
}
else {
return str_replace(array('&', '"', '''), array('&', '"', "'"), $token);
}
Is there another way of doing this without using the htmlspecialchars_decode() function? I looked into using the check_plain() function in Drupal but that will not deal with the ( & ' ) character issues.
To what extent is using the htmlspecialchars_decode() a security hole?
than