The node titles printed by node_title_list() are not filtered through drupal_specialchars(), so titles like bead&breakfast break XHTML validity... The attached patch fixes this.

| Comment | File | Size | Author |
|---|---|---|---|
| | Drupal-nodetitle-validity-fix.patch | 839 bytes | gábor hojtsy |

Comments

Steven’s picture

This patch ignores the larger problem, which is that node titles and comment titles are run through strip_tags() on /submission/ rather than specialchar'd on display. This makes them inconsistent with all other plain text fields in Drupal. Fixing this requires changing the submission procedure for both and making sure every place where node and comment titles are displayed properly escapes them and not just this one instance.

I've been meaning to fix this, but I just haven't gotten around to it.

Strip_tags() should never, ever be used for content filtering: it prevents you from using any HTML, but you still have to escape & and <.
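
The difference between stripping tags on submission and escaping on display, as an added example that is not part of the original thread or of Drupal's code. The function names, the sample titles and the /node/N link paths are assumptions made for illustration.

```php
<?php
// Added illustration; these helpers are hypothetical, not Drupal's API.

// Constructed sample titles, as a user might type them.
$titles = ['bead&breakfast', 'a < b', '<b>bold</b> news'];

// Submission-time filtering as described in the thread:
// tags are removed, but & and a bare < pass through untouched.
function filter_on_submit(string $title): string {
    return strip_tags($title);
}

// Display-time escaping: keep the raw text in storage and
// encode it at the point where it enters HTML.
function escape_on_display(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Build a title list; $encode decides how each title is prepared for output.
function title_list(array $titles, callable $encode): string {
    $items = '';
    foreach ($titles as $i => $title) {
        $items .= '<li><a href="/node/' . ($i + 1) . '">' . $encode($title) . '</a></li>';
    }
    return '<ul>' . $items . '</ul>';
}

// XHTML has to be well-formed XML, so an XML parser gives a quick check.
function is_well_formed(string $markup): bool {
    $previous = libxml_use_internal_errors(true); // collect errors instead of warning
    $doc = new DOMDocument();
    $ok = $doc->loadXML($markup);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok;
}

// Render the same titles both ways and report which output parses as XML.
foreach (['filter_on_submit', 'escape_on_display'] as $encode) {
    $html = title_list($titles, $encode);
    echo $encode, ': ', is_well_formed($html) ? 'well-formed' : 'NOT well-formed', "\n";
    echo $html, "\n";
}
```

The escaping is applied to the title text before it is wrapped in markup, so a link helper that also has to accept HTML such as an image tag does not need to escape its argument itself.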

drumm’s picture

I said I would help out with this in IRC, but I don't think I'll be able to do it.

One question that came up was: Should l() and drupal_get_title() do the filtering for & and <?

gábor hojtsy’s picture

l() is used to do things like wrapping an image in a link, so escaping < there is definitely not a good idea.

budda’s picture

This problem also affects the menu.module and the links it creates with the title="" attribute. They break xhtml too with the likes of & entity.

flevour’s picture

Status: Active » Fixed

In current CVS titles are handled correctly.

Anonymous’s picture

Status: Fixed » Closed (fixed)