Invalid HTML generated due to check_url() not used in URLs being output

Subscribe!

A) Why not just add the check_url() inside drupalorg_project_issue_url() instead of duplicating it at all the call sites? Do we ever need these URLs *not* escaped?

B) We also need a patch for DRUPAL-6--1 branch (which has totally different code organization and function names) since HEAD is just for the redesign and D6--1 is for d.o production.

This code is very ugly. Could we use theme('item_list') *and* l() here, instead of hard-coding the HTML? :)

@Gabor: re: always escaping -- duly noted, thanks. re: both patches: yes, definitely. since this project is branched, we definitely need to keep both branches in sync to avoid regressions. I'm sure you're familiar with the concept. ;)

@DamZ: agreed, this code is pretty nuts. ;) Cleaning it to properly use our APIs would solve the escaping problems, too. There are a bunch of issues relating to this same block that would be nice to fix once the fundamentals were sound:

#703662: Configurable issue counts
#483848: Core Bug Bingo brought me to an 'access denied' page
#383356: Fix core-related issue counts and links to use the version=7.x views filter
#335828: Bug Bingo for specific versions if the user specifies it (I care less about this one)

So, I suggest we re-write the block to be built in a more sane way, get that into both branches, and then go through and quickly fix the rest of these (most of which are tiny patches, but all of which are going to conflict like crazy with this issue).

Thanks,
-Derek

@Gabor: please lighten up. ;) I know you're familiar with the process, that's why I made the joke in the first place (partly to point out the fallacy of that whole policy in general).

Anyway, the "bug at hand" is d.o production, which is DRUPAL-6--1. It wasn't my choice to radically fork the code for this module by reorganizing everything after we branched for D6 production on d.o. I would have much preferred to do all that before branching production from the redesign work. But alas, no one asked me, so now we're stuck with basically doing twice as much work for 95% of the changes in this module. Such is the price to pay for these sorts of decisions... So, if you don't want to bother with the HEAD patch and leave this issue as "to be ported", that's fine, but to fix the current bug, we need a patch for DRUPAL-6--1.

Looks like we don't want to change the behavior of drupalorg_project_issue_url since it's used to generate the location for some redirects, such as http://drupal.org/node/9730, http://drupal.org/node/9731, and http://drupal.org/node/9732. This means we can either use static HTML in some of the places, such as the contributor block, or add another function for generating links.

Here's a patch for HEAD (DRUPAL-6--1 patch on the way) that cleans this up and adds a new function for links vs. urls. Note that this depends on the patch from #853092: Add new links for Drupal 7 issues to HEAD to be applied first.

Here's the same patch against DRUPAL-6--1.

Here's a fix for the patch against HEAD that didn't apply.

fixed up some small issues with both patches, commited each to the appropriate branch.