The fieldset label does not seem to allow basic HTML like ’ while other field labels do.

(P.S. I updated to 3.0 for needed features.)

Comment | File | Size | Author
#2 | webform_filter_fieldset_change.patch | 880 bytes | quicksketch

Comments

quicksketch

Priority: Normal » Minor

Thanks, it looks like we do this escaping because Drupal core treats fieldsets and other elements differently. #title on most elements is run through filter_xss_admin() while fieldset titles are not filtered at all, meaning they could cause XSS vulnerabilities if unfiltered.

However, clearly the solution is not to over-compensate or treat fieldsets differently. To be consistent we should just run fieldset labels through filter_xss_admin() like other elements.

See:
http://api.lullabot.com/theme_fieldset
http://api.lullabot.com/theme_form_element

quicksketch

Title: Fieldset Label HTML » Change fieldset labels to use filter_xss_admin() like other labels
Status: Active » Fixed
Status | File | Size
new | webform_filter_fieldset_change.patch | 880 bytes

Fixed with this committed patch.
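
The three label treatments this thread touches on (unfiltered, fully escaped, and filtered), shown side by side as an added example that is not part of the issue or the committed patch. The `demo_*` names and the sample labels are constructed for illustration, and `demo_filter_label()` is a simplified stand-in, not Drupal's `filter_xss_admin()`.

```php
<?php
// Added illustration, not Drupal's or Webform's code. Runs in plain PHP.

// Drupal's check_plain() is a thin wrapper around htmlspecialchars().
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical, simplified stand-in for filter_xss_admin(): keeps a short
// allowlist of tags with all attributes dropped, removes every other tag,
// and leaves entities such as &rsquo; untouched.
function demo_filter_label($text) {
  $allowed = array('em', 'strong', 'b', 'i', 'sup', 'sub');
  // Odd-numbered parts are the captured tags, even-numbered parts are text.
  $parts = preg_split('/(<\/?[a-zA-Z][^>]*>)/', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
  $out = '';
  foreach ($parts as $i => $part) {
    if ($i % 2 === 0) {
      // Text: neutralise stray angle brackets so no new tag can form.
      $out .= str_replace(array('<', '>'), array('&lt;', '&gt;'), $part);
    } elseif (preg_match('/^<(\/?)([a-zA-Z0-9]+)/', $part, $m)
        && in_array(strtolower($m[2]), $allowed, TRUE)) {
      $out .= '<' . $m[1] . strtolower($m[2]) . '>';
    }
  }
  return $out;
}

// Builds the legend markup under one of the three label treatments.
function demo_render_legend($label, $mode) {
  if ($mode === 'raw') {
    $title = $label;                      // unfiltered: script reaches the page
  } elseif ($mode === 'escape') {
    $title = demo_check_plain($label);    // over-escaped: &rsquo; shows literally
  } else {
    $title = demo_filter_label($label);   // filtered: safe markup survives
  }
  return '<legend>' . $title . '</legend>';
}

// Constructed sample labels.
$labels = array(
  'Owner&rsquo;s <em>details</em>',
  'Contact <script>alert(1)</script><b onclick="x()">info</b>',
);
foreach ($labels as $label) {
  foreach (array('raw', 'escape', 'filter') as $mode) {
    echo str_pad($mode, 8), demo_render_legend($label, $mode), "\n";
  }
}
```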

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.