The changelog for 2.8 says:
"Unsafe markup was allowed in textfield components' prefix and suffix values"
So I was using markup (safely ;) ) in my suffix, something like:

<a href="http://example.com/ref.html" target="_blank">Look up choices</a>

Of course, this doesn't work by design with 2.8. I'm wondering if there's a recommended way to get the same functionality back?

Comments

quicksketch

I'd be happy to switch the #field_prefix/#field_suffix to use filter_xss() with a limited number of safe tags instead of a check_plain(). It just happened that the security team came up with check_plain() first since it's the easiest fix.

Brigadier

The list of default tags that filter_xss() allows looks fine to me (that is, it includes what I want to use). As long as that passes muster for preventing XSS, then I'd be happy.

quicksketch

Title: Any way to do markup in prefix & suffix after 2.8? » Allow basic markup in textfield component prefix and suffix
Version: 6.x-2.8 » 6.x-3.1
Category: support » feature

Moving this to the 3.x queue now that 2.x is deprecated.

quicksketch

Status: Active » Closed (fixed)

This was fixed quite some time ago, I think as part of #181077: Printable page for webform submissions. Basic HTML has been allowed in these fields for the last several versions.
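
The two approaches discussed in this thread, shown side by side as an added illustration (not part of the original posts and not Drupal's code): Python stand-ins for escape-everything output, as with check_plain(), and a tag allowlist, as with filter_xss(). The allowlists, function names and the hostile sample value are assumptions made for this example.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlists for this illustration (not read from Drupal).
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd"}
ALLOWED_ATTRS = {"a": {"href", "target", "title"}}
SAFE_HREF = re.compile(r"^(?:https?://|mailto:|/|#)", re.I)

SUFFIX_FROM_POST = '<a href="http://example.com/ref.html" target="_blank">Look up choices</a>'
# Constructed hostile value for comparison.
HOSTILE = '<a href="javascript:alert(1)" onclick="x()">hi</a><script>alert(2)</script>'

def escape_all(value):
    # Escape-everything handling: markup is displayed as literal text.
    return html.escape(value, quote=True)

class _AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # depth inside <script>/<style>; their text is dropped
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, val in attrs:
            val = val or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, style= and anything unlisted
            if name == "href" and not SAFE_HREF.match(val):
                continue  # drops javascript:, data: and other schemes
            kept.append(' %s="%s"' % (name, html.escape(val, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def filter_allowlist(value):
    # Keep allowlisted tags and attributes; re-escape all remaining text.
    parser = _AllowlistFilter()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

With escape_all() the suffix from the original post is rendered as visible tag text, while filter_allowlist() returns it unchanged and reduces the hostile value to a bare `<a>hi</a>`.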