Download & Extend
Flickr Sync » Issues

HTML in flickr Description Field and Title Entified

Posted by xolotl on February 1, 2009 at 5:50am
Project:Flickr Sync
Version:6.x-1.x-dev
Component:Code
Category:feature request
Priority:normal
Assigned:gclicon
Status:active

Issue Summary

Ampersands in flickr title fields are sync'd to nodes as &.

Login or register to post comments

Comments

#1

Posted by elly on February 28, 2009 at 5:57pm

It's true, and, HTML in captions gets entified, too, I've noticed... regardless of what you've got as your default input type on the site.

#2

Posted by elly on October 6, 2009 at 1:09am

it might present some kind of security hole to import unscrubbed html, but i got around the entifying by changing line 671 from

    $content .= '<p>'. htmlentities(html_entity_decode($flickr_photo['description'])) .'</p>';

to

    $content .= '<p>'. $flickr_photo['description'] .'</p>';

#3

Posted by gclicon on September 7, 2011 at 7:39am
Title:Ampersands in flickr Title Fields Entified» HTML in flickr Description Field and Title Entified

Updating title to also include issue in #367396: HTML in flickr Description Field Entified since they are related issues.

This is an issue that will take some time to figure out how to best resolve since just about any solution would present some kind of security hole.

#4

Posted by gclicon on September 7, 2011 at 8:17am
Assigned to:Anonymous» gclicon

#5

Posted by gclicon on October 23, 2011 at 10:16pm
Category:bug report» feature request

#6

Posted by xolotl on October 24, 2011 at 6:10pm

Isn't there an established, secure way to pass such content in Drupal? It's not like this issue is apparent in Drupal core...

If I could point to the method, I would.

#7

Posted by elly on November 8, 2011 at 10:57am

The right thing to do is probably pass it through Drupal's html filter, same as you would for node content. Perhaps this function? http://api.drupal.org/api/drupal/modules--filter--filter.module/function...

nobody click here