I upgraded to Drupal 5.3 and then upgraded modules. When I navigate to admin/settings/pathauto I am given the following warnings:

    * You are using the token [user] which has a -raw companion available [user-raw]. For Pathauto patterns you should use the -raw version of tokens unless you really know what you are doing. See the Pathauto help for more details.
    * You are using the token [title] which has a -raw companion available [title-raw]. For Pathauto patterns you should use the -raw version of tokens unless you really know what you are doing. See the Pathauto help for more details.
    * You are using the token [author-name] which has a -raw companion available [author-name-raw]. For Pathauto patterns you should use the -raw version of tokens unless you really know what you are doing. See the Pathauto help for more details.
    * You are using the token [bookpath] which has a -raw companion available [bookpath-raw]. For Pathauto patterns you should use the -raw version of tokens unless you really know what you are doing. See the Pathauto help for more details.
    * You are using the token [ddmonyyyy] which is not valid within the scope of tokens where you are using it.
    * You are using the token [menupathtitle] which is not valid within the scope of tokens where you are using it.
    * You are using the token [ddmonyyyy] which is not valid within the scope of tokens where you are using it.
    * You are using the token [vocab] which has a -raw companion available [vocab-raw]. For Pathauto patterns you should use the -raw version of tokens unless you really know what you are doing. See the Pathauto help for more details.
    * You are using the token [catpath] which has a -raw companion available [catpath-raw]. For Pathauto patterns you should use the -raw version of tokens unless you really know what you are doing. See the Pathauto help for more details.

When I expand the 'Blog path settings', the 'Pattern for blog page paths' is set to blogs/[user]. Underneath this setting is a note that states 'NOTE: This field contains potentially incorrect patterns'. Following that is the helper text, such as: "[user] User's name, [user-raw] User's unfiltered name. WARNING - raw user input."
The initial warnings at the top of the pathauto admin pages seem to suggest I should set these patterns to use the '*-raw' tokens, but the warnings in the helper text with the *-raw tokens seem to suggest the opposite. Which is it?
Thanks

Comments

greggles’s picture

Did you read the upgrade guide - http://groups.drupal.org/node/6706 ?

I'm hoping that will answer your question. If not then I'll give you my direct advice, but the goal is for the docs (now linked from the project home page and the release node) to explain what people need.

kpm’s picture

Thanks, I should have looked at those first. But are the warnings there for some sort of security vulnerability using "-raw"?

greggles’s picture

Status: Active » Fixed

Yes, the "Warning - raw user input" is applicable in other situations (e.g. a module that creates content that is displayed within the body of the page).

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

ericinwisconsin’s picture

Category: support » bug
Status: Closed (fixed) » Fixed

Just a note to you... I got this error too... Until I upgraded Token from token-5.x-1.8 to token-5.x-1.9. That fixed the problem.

greggles’s picture

Category: bug » support
Status: Fixed » Closed (fixed)

Good tip. If you were using Token 5.x-1.8 until recently then that sounds like you're not on the security mailing list/RSS feed http://drupal.org/security or not reading the announcements: http://drupal.org/node/184336

kakajoe@drupal.org’s picture

I already upgraded Token ... but I still have the error. Can somebody help me?

schnizZzla’s picture

I was also confused, but greggles's post clarifies that:

General Pattern Tips

When given the choice, you should use a -raw version of a token. For example, instead of [title] use the [title-raw]. This is necessary for Pathauto's punctuation replacement to work properly. Despite the warning about raw user input, the Drupal path module (which Pathauto relies on) filters the raw information so within Pathauto it is safe to use these -raw tokens.

See http://groups.drupal.org/node/6706
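
The two warnings discussed in this thread describe two different output contexts. The sketch below is an added example, not part of the original posts and not code from Token or Pathauto: it models a filtered token as HTML-escaped text and shows that feeding it to alias cleaning leaves entity fragments such as `amp` and `039` in the path, while the raw value cleans up properly for a path but still needs escaping before it is printed in a page body. The function names, the simplified cleaning routine and the sample title are assumptions made for illustration.

```php
<?php
// Added illustration. filtered_token() and clean_alias_segment() are
// hypothetical stand-ins, not functions from Token or Pathauto.

// Models a filtered token such as [title]: the value is HTML-escaped so it
// can be printed safely inside a page.
function filtered_token(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for alias cleaning: remove punctuation, turn runs of
// whitespace or hyphens into a single hyphen, lowercase the result.
function clean_alias_segment(string $value): string {
    $value = preg_replace('/[^\p{L}\p{N}\s-]+/u', '', $value);
    $value = preg_replace('/[\s-]+/u', '-', trim($value));
    return strtolower(trim($value, '-'));
}

$title = "Tom & Jerry's <em>Blog</em>"; // constructed sample input

// Context 1: URL alias. Cleaning removes punctuation, so the raw value is
// the right input; the escaped value turns "&" and "'" into entity text
// whose letters and digits survive the cleaning step.
$alias_from_raw      = clean_alias_segment($title);
$alias_from_filtered = clean_alias_segment(filtered_token($title));

// Context 2: HTML body. Nothing strips markup here, so the raw value is
// emitted as live HTML; this is the case the "raw user input" warning is
// about, and the escaped value is the right input.
$html_from_raw      = '<h1>' . $title . '</h1>';
$html_from_filtered = '<h1>' . filtered_token($title) . '</h1>';

$results = [
    'alias, raw token'      => $alias_from_raw,
    'alias, filtered token' => $alias_from_filtered,
    'html, raw token'       => $html_from_raw,
    'html, filtered token'  => $html_from_filtered,
];
foreach ($results as $label => $value) {
    echo str_pad($label, 24), $value, PHP_EOL;
}
```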