Remove all unescaped <> chars from t() strings in core

I've also noticed some use of <?php tags and <tag> tags in the code comments too, which like to mess with some IDEs..... Is there an issue for that? Or should we merge that into this patch?

Patch looks good. Should be checked whether it is escaped another time somewhere. It was displaying good before, so it might be double escaped now. Did not have the chance yet to double check.

Ok, patch looks to be changing only schema descriptions, which are indeed only displayed by schema module. The tags are not valid HTML and so they should not be literally in the string anyway (t()-ed strings could contain tags, but these are not tags). So agreed that patch is good. Should even be committed to Drupal 6!

Some thoughts:

a) In Szeged, we had a big long discussion about t() around the descriptions and it was the consensus of everyone at the table (who included Dries) that t()s should be removed from these descriptions. They mess up things because t() isn't available that early, and people discussed that no one is going to take the time to translate technical descriptions of stuff, since we also don't translate code comments for example. So that's something we should do in a future patch.

b) Ideally, I would really like schema API to be able to translate these descriptions into actual database comments that would make themselves visible in apps like PHPMyAdmin. With this patch, that means these descriptions would show up with weird garbage characters in these programs like <none>. IMO it's the *displayer's* job to escape these, so we should file a patch against Schema module to wrap these in htmlentities() itself.

However, both of these changes are too big for Drupal 6, and Drupal 6 needs a solution here. So I've committed this patch to 7.x so that it can be backported. But I'd love to see people working on the above three enhancements for Drupal 7 (remove t() from schema descriptions and allow schema API to translate descriptions into COMMENT = 'xxxx' statements which will undo this change, and patch schema API to htmlentitles() escape description output).

Uhm, then it would be good to discuss whether schema API is supposed to allow HTML in descriptions. If it does, then these tags need to be escaped. If schema API just blindly runs htmlspecialchars and does not allow any HTML in descriptions (such as links to more docs), then this patch makes new Drupal releases incompatible with new schema module releases (fixed with escaping). The current code assumes that schema API does not escape and allow for markup (emphasis, links) in descriptions, just as form API allows for that.

This patch is important for a future fix in Drupal to filter translatable text, so that <none> and friends are not filtered out from translations as unsecure (non-whitelisted) markup.

Committed to Drupal 6.x.

Hm. Fair enough. I would personally err on the side of not allowing HTML here and just stick links in directly as URLs, which Schema module could turn into links on its display side. I'm trying to think of a reason to have any other kind of HTML here. I'm certain that someone will come along and try and justify the <blink> tag being an integral part of our database documentation. :D

Split off into #332123: Remove t() from all schema descriptions and #12201: Show table descriptions in PHPMyAdmin and other tools.

Re: #9
I just filed #412410: Make schema description plain text instead of HTML.