Closed (outdated)
Project:
Drupal core
Version:
9.5.x-dev
Component:
filter.module
Priority:
Normal
Category:
Feature request
Assigned:
Reporter:
Created:
26 Aug 2006 at 19:41 UTC
Updated:
22 Aug 2022 at 20:32 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
drummWhy is there an underscore at the end of $escape_?
Go ahead and fix the code style for $form['filter_html']["filter_html_$format"] (put each array element on its own line) instead of breaking up the option list by putting one on the next line.
Can the added if statement
be merged with the very similar one a bit further up?
In all new code, use
'filter_html_'. $formatinstead of"filter_html_$format".Comment #2
Steven commentedComment #3
doq commented2 drumm:
Applied your suggestions.
In all new code, use 'filter_html_'. $format instead of "filter_html_$format". - but it is currently as "filter_html_$format" in code? I haven't changed that currently in patch.
Comment #4
Steven commentedActually, do we need a setting for this? Having the XSS filter just always escape invalid output would mean we can simplify some rules higher up too, I think. And in the end, the goal has never been to make invalid output look pretty—only to make it safe for viewing.
Comment #5
doq commentedBut if you want to submit xml code, or sometimes there are some words with > etc.
Admin will choose what type of escape to use, but I think this should be in core.
Comment #6
chx commentedI am neither for neither against this idea, filter_xss doxygen needs an update and we need a proper diff with -p option.
Comment #7
sunComment #8
jhedstromNot sure if this is still relevant or not?
Comment #22
smustgrave commentedClosing as outdated since there hasn't been update since this issue moved to PNMI 7 years ago.
Also the filter module has gone through several changes (some pending) since this ticket was opened.
If still a valid issue please reopen with an updated issue summary