Posted by Scott M. Sanders on March 5, 2010 at 9:27pm
| Project: | Webform |
| Version: | 6.x-3.0-beta2 |
| Component: | Code |
| Category: | bug report |
| Priority: | minor |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
The fieldset label does not seem to allow basic html like ’ while other field labels do.
(P.S. I updated to 3.0 for needed features.)
Comments
#1
Thanks, it looks like we do this escaping because Drupal core treats fieldsets and other elements differently. #title on most elements is run through filter_xss_admin() while fieldset titles are not filtered at all, meaning they could cause XSS vulnerabilities if unfiltered.
However, clearly the solution is not to over-compensate or treat fieldsets differently. To be consistent we should just run fieldset labels through filter_xss_admin() like other elements.
See:
http://api.lullabot.com/theme_fieldset
http://api.lullabot.com/theme_form_element
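As an added illustration of the consistent-filtering approach described above (this is not the committed Webform patch), a hypothetical module `mymodule` can pass every fieldset `#title` on a Webform client form through `filter_xss_admin()` at build time, so the unfiltered `theme_fieldset()` legend still only receives admin-safe markup. It assumes a Drupal 6 environment and the `webform_client_form_<nid>` form ID prefix used by Webform 3.x.

```php
<?php
// Hypothetical hook implementation (not Webform's own code): filter fieldset
// titles on Webform client forms so that they get the same filter_xss_admin()
// treatment Drupal core already applies to #title on most other elements.
function mymodule_form_alter(&$form, $form_state, $form_id) {
  // Webform 3.x builds client forms with the ID 'webform_client_form_<nid>'.
  if (strpos($form_id, 'webform_client_form_') === 0) {
    _mymodule_filter_fieldset_titles($form);
  }
}

/**
 * Recursively walk a form array and run fieldset #title values through
 * filter_xss_admin(). Text fields are left alone because core's
 * theme_form_element() already filters their labels.
 */
function _mymodule_filter_fieldset_titles(&$element) {
  foreach (element_children($element) as $key) {
    $child = &$element[$key];
    if (isset($child['#type']) && $child['#type'] == 'fieldset' && isset($child['#title'])) {
      // filter_xss_admin() keeps basic markup and entities such as &rsquo;
      // but strips script tags and event-handler attributes, matching the
      // behaviour of other element labels.
      $child['#title'] = filter_xss_admin($child['#title']);
    }
    // Fieldsets can be nested, so descend into every child.
    _mymodule_filter_fieldset_titles($child);
    unset($child);
  }
}
```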
#2
Fixed with this committed patch.
#3
Automatically closed -- issue fixed for 2 weeks with no activity.