I have an external table with a field defined in hook_views_data, whose field handler is set to views_handler_field. I have a view created which includes this field for display. The field contains trusted HTML, which I do not wish Views to encode. I have defined a tpl.php for output of the field content. The HTML is coming into the tpl.php having been passed through check_plain, which requires me to decode in the tpl.php. I realize I can decode the string in the tpl.php but this is inefficient.
Per the comment in theme() in class views_handler_field:
Call out to the theme() function, which probably just calls render() but allows sites to override output fairly easily.
Why is render being called? Is this a security feature? Or does views expose a means of passing through field data unaltered?
Thanks in advance. -Dwight
Comments
Comment #1
merlinofchaos commented
You will need to provide a custom handler. The default handler assumes maximum security is needed, but it is not too hard to create handlers. It is better to be secure by default and go through extra work to unsecure something that is trusted than the other way around.
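A sketch of the custom handler suggested in Comment #1, added here as an example and not taken from the thread or from Views itself. The module, table, and field names (`mymodule`, `mymodule_external`, `body_html`) are hypothetical, and running the value through `filter_xss_admin()` instead of returning it untouched is an assumption made for defense in depth.

```php
<?php
/**
 * Field handler for a column holding trusted HTML.
 * Hypothetical class name; extends the views_handler_field class
 * that the question says is currently assigned to the field.
 */
class mymodule_handler_field_trusted_html extends views_handler_field {

  /**
   * Overrides the default render(), which is where check_plain() is applied.
   */
  function render($values) {
    // $this->field_alias is the alias Views gave this column in the query.
    $value = isset($values->{$this->field_alias}) ? $values->{$this->field_alias} : '';

    // Keep ordinary body markup but drop script and style tags, so a
    // compromised external table cannot inject script into the page.
    // Replace with "return $value;" only if the source is fully trusted.
    return filter_xss_admin($value);
  }
}

/**
 * Implements hook_views_data().
 * Only the part relevant to the handler is shown; names are hypothetical.
 */
function mymodule_views_data() {
  $data = array();
  $data['mymodule_external']['table']['group'] = t('External data');
  $data['mymodule_external']['body_html'] = array(
    'title' => t('Body HTML'),
    'help' => t('Trusted HTML from the external table.'),
    'field' => array(
      // Point the field at the custom handler instead of views_handler_field.
      'handler' => 'mymodule_handler_field_trusted_html',
    ),
  );
  return $data;
}
```

Views must also be able to load the class file, and how that is declared depends on the version: `hook_views_handlers()` in Views 2, a `files[]` entry in the module's .info file on Drupal 7. Clear the Views cache after changing the handler.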