This patch removes the check_plain() from URLs inside t() in the system.install file.

(It also replaces tabs with spaces.)

But there is one thing I do not understand in this file. See this example:

function system_update_7003() {
...
      $messages[] = t('The host !host is no longer blocked because it is not a valid IP address.', array('!host' => $invalid_host ));
    }
  }
  if (isset($invalid_host)) {
    drupal_set_message('Drupal no longer supports wildcard IP address blocking. Visitors whose IP addresses match ranges you have previously set using <em>access rules</em> will no longer be blocked from your site when you put the site online. See the <a href="http://drupal.org/node/24302">IP address and referrer blocking Handbook page</a> for alternative methods.', 'warning');
  }

t() is used on a variable which is not even used, and after that the drupal_set_message() is not translated. The messages are not translated in this file. Is it a bug or is it some kind of limitation of drupal_set_message() inside update?

Comment | File | Size | Author
 | url_in_t.patch | 9 KB | pasqualle

Comments

damien tournoud’s picture

Status: Needs review » Needs work

Those @url are correct. I'm not sure why you want to change them.

pasqualle’s picture

This is the common format used in Drupal: <a href="!url">

damien tournoud’s picture

The documentation is wrong. The URL is being output in an HTML context here, so it needs to be encoded.

See this snippet from the l() function:

return '<a href="' . check_plain(url($path, $options)) . '"' . drupal_attributes($options['attributes']) . '>' . ($options['html'] ? $text : check_plain($text)) . '</a>';

sun’s picture

Here is an example of t() used correctly:

$output .= '<p>' . t('Go to the <a href="@contact-page">contact page</a>.', array('@contact-page' => url('contact'))) . '</p>';

What's unclear here?

pasqualle’s picture

I do not know what you are trying to explain to me. What do you need an extra check_plain() for?

So, I wrote a test for every !url in the patch:
test.php

<?php
// Bootstrap Drupal from the site root.
define('DRUPAL_ROOT', getcwd());

require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

// Compare each URL from the patch with its check_plain() output.
if ('http://drupal.org/node/243993' == check_plain('http://drupal.org/node/243993')) print ' YES*1';
if ('http://php.net/configuration.changes' == check_plain('http://php.net/configuration.changes')) print ' YES*2';
if ('http://drupal.org/requirements' == check_plain('http://drupal.org/requirements')) print ' YES*3';
if ('http://drupal.org/cron' == check_plain('http://drupal.org/cron')) print ' YES*4';
if ('http://drupal.org/server-permissions' == check_plain('http://drupal.org/server-permissions')) print ' YES*5';
if (url('admin/config/modules') == check_plain(url('admin/config/modules'))) print ' YES*6';

I think you know the result.

damien tournoud’s picture

Status: Needs work » Closed (won't fix)

As explained, all HTML arguments need to be encoded.

URLs can contain any kind of invalid HTML characters, most notably '&'.
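
The encoding point from the last comments, as an added example that is not part of the original thread or of Drupal core: the same comparison as test.php, run over URLs that do contain HTML-special characters. `example_check_plain()` and `example_format()` are hypothetical, reduced stand-ins for check_plain() and the @/! placeholder handling of t(), and the URLs are constructed samples.

```php
<?php
// Added illustration; not code from Drupal core or from the patch in this issue.

// Stand-in for check_plain(): HTML-encode the special characters.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical, reduced model of t() placeholder handling:
// "@name" values are HTML-encoded, "!name" values are inserted as-is.
function example_format($string, array $args) {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = example_check_plain($value);
    }
  }
  return strtr($string, $args);
}

// Constructed sample URLs. The first has no HTML-special characters, like
// the ones in test.php; the others carry a query string or a quote.
$urls = array(
  'http://example.com/node/1',
  'http://example.com/search?q=drupal&page=2',
  'http://example.com/page?title="intro"',
);

foreach ($urls as $url) {
  $raw = example_format('<a href="!url">link</a>', array('!url' => $url));
  $encoded = example_format('<a href="@url">link</a>', array('@url' => $url));
  print "URL:  $url\n";
  print "!url: $raw\n";
  print "@url: $encoded\n";
  // Only URLs without &, <, > or quotes come out identical in both forms.
  print ($raw === $encoded ? "same output\n\n" : "output differs\n\n");
}
```

Only the first URL produces identical markup with both placeholders. With !url the second leaves a bare & in the attribute, and the third ends the href value at the first double quote inside the URL.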