Upon upgrade from 6.x-3.0 to 6.x-3.3, HTML links made in the "Help text" for vocabulary terms at /admin/content/taxonomy/edit/vocabulary/1 are not turned into clickable links, as is the default behavior of Drupal. Rather, they get filtered or sanitized by HS and the code is displayed as plain text along with the rest of the help text.

Disabling HS fixes the issue.

Comments

jrstmartin

Version: 6.x-3.3 » 6.x-3.2

Did some more investigating and found that the bug was introduced in 3.2 - changed issue version.

wim leers

Assigned: Unassigned » wim leers
Status: Active » Closed (works as designed)

The fact that HTML links were supported in previous versions of HS was a security flaw that was fixed in version 3.2.

fnikola

Hi, why is this a security flaw? All other cck fields' help, including taxonomy fields, support some HTML. Please see the module from cck/content.module.

/**
 * List of tags allowed by content_filter_xss().
 */
function _content_filter_xss_allowed_tags() {
  return array('a', 'b', 'big',  'code', 'del', 'em', 'i', 'ins',  'pre', 'q', 'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img');
}
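
The two treatments of help text contrasted in this thread, escaping everything versus filtering against an allow-list of tags, side by side as an added example (stand-alone PHP, not part of the thread and not code from Hierarchical Select, CCK or Drupal core). The function names `escape_help()`, `allowlist_help()` and `rebuild()` and the sample help text are hypothetical; the allow-list filter is a simplified stand-in for what Drupal's `filter_xss()` does, and only the tag list is taken from the function quoted above.

```php
<?php
// Added illustration; not code from Hierarchical Select, CCK or Drupal core.
// Tag list copied from _content_filter_xss_allowed_tags() as quoted in the thread.
$allowed = array('a', 'b', 'big', 'code', 'del', 'em', 'i', 'ins', 'pre', 'q', 'small',
  'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img');

// Treatment 1: escape everything, so any markup is shown as literal text.
function escape_help($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Treatment 2: rebuild the markup from a parsed tree, keeping only allow-listed
// tags and only an href/src that holds an http(s) or site-relative URL.
function allowlist_help($text, array $allowed) {
  $doc = new DOMDocument();
  libxml_use_internal_errors(true); // tolerate malformed help text
  $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $text . '</div>');
  libxml_clear_errors();
  $root = $doc->getElementsByTagName('div')->item(0);
  return $root ? rebuild($root, $allowed) : '';
}

function rebuild(DOMNode $node, array $allowed) {
  $keep = array('a' => 'href', 'img' => 'src'); // the only attributes re-emitted
  $out = '';
  foreach ($node->childNodes as $child) {
    if ($child instanceof DOMText) {
      $out .= escape_help($child->nodeValue);
    }
    elseif ($child instanceof DOMElement) {
      $tag = strtolower($child->tagName);
      if ($tag === 'script' || $tag === 'style') continue; // drop with content
      if (!in_array($tag, $allowed, true)) {
        $out .= rebuild($child, $allowed); // unwrap: keep the text, lose the tag
        continue;
      }
      $name = isset($keep[$tag]) ? $keep[$tag] : '';
      $value = $name ? trim($child->getAttribute($name)) : '';
      $attrs = preg_match('#^(https?://|/)#i', $value)
        ? ' ' . $name . '="' . escape_help($value) . '"' : '';
      $void = ($tag === 'br' || $tag === 'img');
      $out .= $void ? "<$tag$attrs />" : "<$tag$attrs>" . rebuild($child, $allowed) . "</$tag>";
    }
  }
  return $out;
}

// Constructed sample help text: a link with an event handler, then a script tag.
$help = 'See <a href="http://example.com/terms" onclick="x()">the guide</a>.<script>x()</script>';
echo escape_help($help), "\n", allowlist_help($help, $allowed), "\n";
```

The first line of output is the fully escaped text the reporter describes seeing; the second keeps the link while the event handler and the script element are gone.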