1. create new content > page
2. as title put One & Two & Three
3. as body put One & Two & Three
4. Preview (filter = Filtered HTML)
5. The title shows One & Two & Three (correct). The body shows One & Two & Three (incorrect).

Apparently everything is saved correctly in the database, but the & is translated to &amp; at display time and the &amp; is not touched. So what if I want to have &amp; in my text without surrounding it with < code >? Should I write &amp;amp;? Moreover, it's different for title & body fields...

Is this by design? Quite strange though.

Comments

jax’s picture

Title: Ambiguous translation of entities » Ambiguous encoding of entities

More correct title.

jax’s picture

Apparently there are more encoding problems with forms. If you submit a comment (like this one) and you put a < in it, the comment gets truncated. In the source you can see the complete comment.

(submitting this comment twice, once with < and once with &lt; after "put a")

jax’s picture

Apparently there are more encoding problems with forms. If you submit a comment (like this one) and you put a < in it, the comment gets truncated. In the source you can see the complete comment.

(submitting this comment twice, once with < and once with &lt; after "put a")

heine’s picture

Status: Active » Closed (works as designed)

This is by design: node / comment titles are 'plain text' whereas node / comment bodies may contain HTML. The exact transformation is defined by the selected 'Input format'.

If you add a raw < to your comment body it is sent to the browser and interpreted as the start of a tag. Use &lt; or <code> tags.

jax’s picture

Status: Closed (works as designed) » Active

Well, that's bad design then. If you submit data that breaks your page there should be an error, it shouldn't just accept it. So I'm reopening this once with the suggestion to patch the filter so that it doesn't accept such input. It would be much more user-friendly.

Imagine someone that doesn't know about entities and he tries to submit a preview. Good luck to him figuring out that he shouldn't write < but &lt;. Moreover there is absolutely no hint in the text that tells the submitter the form will behave like that.

Steven’s picture

Status: Active » Closed (works as designed)

If your users cannot use HTML, you should change the HTML filter's settings to escape all HTML tags. In that case, any literal < or > characters will be automatically escaped.
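
Added example, not from the thread and not Drupal's filter code: a simplified Python model of the two output paths discussed above, a plain-text field that escapes everything and an HTML field that keeps typed entities and an assumed tag allow-list. Unlike the behaviour heine describes, this sketch escapes a stray `<` instead of sending it to the browser; the function names, the allow-list and the sample strings are constructed for illustration.

```python
import html
import re

ALLOWED_TAGS = {"em", "strong", "code"}  # assumed allow-list, not Drupal's

TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^<>]*>")
# An ampersand that does not already start a character reference.
BARE_AMP = re.compile(r"&(?![A-Za-z][A-Za-z0-9]*;|#[0-9]+;|#[xX][0-9A-Fa-f]+;)")


def render_plain_text(value: str) -> str:
    """Title-style field: input is text, so every metacharacter is escaped."""
    return html.escape(value, quote=True)


def _escape_text(text: str) -> str:
    # Keep entities the author typed; escape bare '&' and stray angle brackets.
    text = BARE_AMP.sub("&amp;", text)
    return text.replace("<", "&lt;").replace(">", "&gt;")


def render_filtered_html(value: str) -> str:
    """Body-style field: allowed tags and typed entities survive, rest is escaped."""
    out, pos = [], 0
    for m in TAG.finditer(value):
        out.append(_escape_text(value[pos:m.start()]))
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{closing}{name}>")  # attributes dropped in this sketch
        else:
            out.append(_escape_text(m.group(0)))
        pos = m.end()
    out.append(_escape_text(value[pos:]))
    return "".join(out)


def as_displayed(markup: str) -> str:
    """Approximate what a reader sees: strip tags, then decode entities."""
    return html.unescape(TAG.sub("", markup))


if __name__ == "__main__":
    sample = "One & Two &amp; Three"  # constructed input
    for render in (render_plain_text, render_filtered_html):
        markup = render(sample)
        print(f"{render.__name__:22} {markup!r:36} -> {as_displayed(markup)!r}")
    print(render_filtered_html("put a < in it, <em>then</em> <script>x</script>"))
```

The plain-text path round-trips the input exactly, while the HTML path cannot distinguish a typed `&` from a typed `&amp;`, which is the ambiguity reported in the original post.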