Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.I had the problem, that certain html-tags were stripped out, although i had didn't use "Filtered HTML" as format. Thx to the xdebug function traces i could hunt this bug down to filter_xss() in nd_preprocess_node().
I think the correct function to call would be check_markup(), since the use of filter_xss() is only correct for filtered html.
Since it's a 1-liner, i was too lazy to make a patch out of it...
File: nd.module
Line: 168
Wrong:
$region_content .= isset($vars[$name .'_rendered']) ? $vars[$name .'_rendered'] : filter_xss($vars['node']->content[$name]['#value'], array('a', 'div', 'h1', 'h2', 'ul', 'li'));
Correct:
$region_content .= isset($vars[$name .'_rendered']) ? $vars[$name .'_rendered'] : check_markup($vars['node']->content[$name]['#value'], $vars['node']->format, FALSE);
dunkelfuerst
Comments
Comment #1
dunkelfuerst commentedOk, i was slightly wrong with my correct. ;) Since there are some empty fields, end check_markup() returns t('n/a') for empty values, its goot to test the value before giving it away to check_markup().
here it comes:
Comment #2
swentel commentedMakes sense, however, when using $vars['node']->format on a cck field, this might expose security issues I think, ie body of node is Full HTML, but some field really needs to be sanitized ... Can you give an example what field ND is trying to render - I guess it 's not a CCK field, right ?
Comment #3
dunkelfuerst commentedNo, it is the simple body-field. (e.g. forum)
Comment #4
swentel commentedOk, this one can be closed, see #8 at #549926: Images not rendering - this is a problem with content types not having a CCK field. The development version of ND right now is a single API not needing CCK anymore as dependency and this problem is solved there.