I have a simplenews block with a title ("subject") containing an ampersand. Because of the usage of check_plain, the ampersand gets excaped to &.

The attached patch fixes this by using check_markup instead of check_plain.

CommentFileSizeAuthor
#2 simplenews-block-title-2.patch841 bytesjix_
simplenews-block-title-1.patch855 bytesjix_

Comments

heine’s picture

heine commented
Status: Needs review » Needs work

Block titles have no format, so using check_markup makes no sense.

Find out where the second check_plain takes place, then fix that. AFAIK, module supplied block titles 'subject' should display as is (block.module:487+).

jix_’s picture

jix_ commented
Status: Needs work » Needs review
StatusFileSize
new simplenews-block-title-2.patch841 bytes

Or it might not even need to be filtered at all, I'm not 100% sure. Aren't blocks filtered with check_plain somewhere else already?

Here's another patch in case :)

jix_’s picture

jix_ commented

Oh, didn't see #1 before I posted. I'll go and check where the other filter is.

jix_’s picture

jix_ commented
Status: Needs review » Needs work
jix_’s picture

jix_ commented
Status: Needs work » Needs review

Ok, turns out the check_plain that I removed was the second one. The first one is happening in taxonomy_get_term, which is called right before the block subject is set, so the patch in #2 should do the trick.

jix_’s picture

jix_ commented
Status: Needs review » Needs work

Dammit, sorry. I got confused there. It's not in taxonomy_get_term. I'll keep looking for it.

jix_’s picture

jix_ commented
Status: Needs work » Needs review

Hmm, still not entirely sure. But it is filtered before the block subject is set, so the patch in #2 still applies.

sutharsan’s picture

sutharsan commented
Status: Needs review » Postponed (maintainer needs more info)

please described what goes wrong _exactly_. Write down the steps to reproduce, I can't.
I have created a newsletter with an ampersant in the title. Enable the corresponding subscription block. The block title is displayed correctly. On the blocks admin page and on the block edit page the amp is double escaped. When I manually override the block title but still containing an ampersant, it behaves identical.
patch #2 is dangerous because it does not escape the newsletter title when displayed as block title. You can try it out by adding a HTML tag like <strong> to the newsletter title and reading the page HTML output. You will find the tag unchanged.

jix_’s picture

jix_ commented
Status: Postponed (maintainer needs more info) » Closed (fixed)

Ok, so somehow, a certain person who configured the newsletters for the site where this was happening managed to actually type &amp; in the newsletter's title field. That's why it went wrong.

My sincerest apologies for all this confusion, and for wasting your time.