If you've got a node that has PHP in it and you have the teaser enabled, it will show the raw PHP in the block.
I tried adding the following code into the module (similar.module) to fix it but it just prettified the output. Although, that helped with the fact that the output is, by default, not pretty.
Line 232:
$node->teaser = check_markup($node->teaser);
Comment | File | Size | Author |
---|---|---|---|
#8 | checkplain.patch | 766 bytes | hickory |
Comments
Comment #1
norio commented: This quick and dirty fix will not show any nodes with '<?php' in it and will format the node according to the filters you've set.
Replace:
With:
PS: You can replace preg_match with strpos(). It will probably run faster.
Comment #2
deekayen commented: I committed check_plain on the title and check_markup on the teaser. Skipping nodes with PHP in them isn't the solution.
Comment #3
(not verified) commented
Comment #4
deekayen commented: Patch should be backed out. Check plain is converting too many characters.
Comment #5
deekayen commented: I reverted the check_plain/check_markup/check_output in 4.6 and 4.7. I'm not hot about the idea of evaluating PHP.
Perhaps this thread should take on discussing a way to ignore nodes with the PHP Code evaluator filter enabled or some other alternate patch.
Comment #6
deekayen commented: I re-committed the check_plain/markup/output if nothing else because it probably has some xss benefits.
Comment #7
deekayen commented: So perhaps now I should just make special str_replaces for this (from http://drupal.org/node/86666):?
e.g., ' ; [minus the space] instead of ', " instead of ".
Comment #8
hickory commented: check_plain shouldn't be run on node titles in blocks, it's already being run by the l() function, so characters get double-escaped. Patch attached.
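The double-escaping described in comment #8, as an added example that is not part of the thread or of the module's code. `demo_check_plain()` and `demo_l()` are simplified, hypothetical stand-ins for Drupal's `check_plain()` and `l()`, and the titles are constructed samples.

```php
<?php
// Hypothetical stand-in for check_plain(): HTML-escape a plain-text string.
function demo_check_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for l(): the link helper escapes its own link text.
function demo_l(string $text, string $path): string {
    return '<a href="' . demo_check_plain($path) . '">'
         . demo_check_plain($text) . '</a>';
}

// Approximate what a browser displays: drop real tags, decode entities once.
function rendered_text(string $html): string {
    return html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
}

// Constructed sample node titles.
$titles = [
    "Tom & Jerry's guide",
    '<script>alert(1)</script>',
];

foreach ($titles as $title) {
    // Caller escapes, then the link helper escapes again: double-escaped.
    $double = demo_l(demo_check_plain($title), 'node/1');
    // Link helper alone: escaped exactly once.
    $single = demo_l($title, 'node/1');

    printf("title : %s\n", $title);
    printf("double: %s\n", $double);
    printf("        reader sees: %s\n", rendered_text($double));
    printf("single: %s\n", $single);
    printf("        reader sees: %s\n", rendered_text($single));

    // One pass already turns markup in the title into inert text, so the
    // second pass adds no protection and only corrupts the display.
    printf("        single pass has no live <script> tag: %s\n",
        strpos($single, '<script') === false ? 'yes' : 'no');
    printf("        double pass shows the title correctly: %s\n\n",
        rendered_text($double) === $title ? 'yes' : 'no');
}
```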
Comment #9
deekayen commented: applied in HEAD v1.7
Comment #10
(not verified) commented