I've set up an advanced Ddblock using CCK and Views, and it works, but I get unescaped HTML entities in some fields. It seems that the preprocess functions provided in the advanced slideshow tutorial are not escaping data correctly.

Basically, I've created some nodes (content-type: "slides"), which contain CCK fields like the pager text, the background image to display, etc. Using a view I selected the "slides" I wanted and I created an advanced Ddblock from it. One of my nodes' titles contained an ampersand ("&"), and this node title was used as the pager link title, the alt text for the slide image (as I don't use imagecache) and other places in the block. The result is that all items using "$result->node_title" in the preprocess functions displayed the ampersand unescaped, which led to validation errors.

I've fixed the issue with a very ugly hack, but the retrieved data should be properly escaped before being displayed.

Comment | File | Size | Author
#1 | template.php_.txt | 5.77 KB | ppblaauw

Comments

ppblaauw’s picture

Status: Active » Needs review

Thank you for reporting.

Attached a new template.php file using check_plain() to encode special characters in a plain-text string for display as HTML.

mdupont’s picture

Status: Needs review » Needs work

Thanks!

It solves the issue with node titles, but in your new template.php you also used check_plain on text fields (like in $slider_items[$key1]['slide_text'] = check_plain($result->node_data_field_pager_item_text_field_slide_text_value);), which already contain HTML code. They will display incorrectly since all HTML tags in these fields will be escaped (<p> will become &lt;p&gt;).

ppblaauw’s picture

Status: Needs work » Needs review

If you want to allow HTML in the slidetext you can change

check_plain()

into

check_markup()

I think it's up to the user of the module to choose between check_plain() and check_markup().
Leave this at check_plain() for now. If others have better suggestions please let me know.

Hope this helps you further. Please let me know.
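
The choice discussed in this comment, as an added example (not the attached template.php and not the module's own code): the plain-text node title goes through check_plain(), while the text field that already holds HTML goes through check_markup(). It assumes the Drupal 6 API; the helper name, the 'slide_title' key, the sample row and the stand-in functions that let it run outside Drupal are hypothetical.

```php
<?php
// Stand-ins so the sketch runs outside Drupal; inside Drupal the real
// check_plain() and check_markup() are already defined and are used instead.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('check_markup')) {
  // Simplified stand-in: Drupal runs the text through the filters of an
  // input format. strip_tags() keeps attributes, so this is not a real filter.
  function check_markup($text) {
    return strip_tags($text, '<p><em><strong><br>');
  }
}

/**
 * Hypothetical helper: build one slider item from a Views result row.
 */
function example_ddblock_slide_item($result) {
  return array(
    // Plain text taken from the node title: escape it for HTML output.
    'slide_title' => check_plain($result->node_title),
    // Text field that already contains HTML: filter it, do not escape it.
    'slide_text' => check_markup($result->node_data_field_pager_item_text_field_slide_text_value),
  );
}

// Constructed sample row, shaped like the Views result used in the thread.
$result = new stdClass();
$result->node_title = 'News & Events';
$result->node_data_field_pager_item_text_field_slide_text_value = '<p>Read the <em>latest</em> news</p>';

$item = example_ddblock_slide_item($result);

// The escaped title is safe both as text and inside an attribute such as alt.
print '<img src="slide.png" alt="' . $item['slide_title'] . '" />' . "\n";
print $item['slide_text'] . "\n";

// For comparison: check_plain() on the HTML field escapes the tags themselves.
print check_plain($result->node_data_field_pager_item_text_field_slide_text_value) . "\n";
```
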

mdupont’s picture

Status: Needs review » Reviewed & tested by the community

It's perfect with check_markup(). Thanks for your quick answer and your help.

ppblaauw’s picture

Status: Reviewed & tested by the community » Fixed

Set status to fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.