token_replace by default does a check_plain on the replacement values. The API mentions (and is used as such) that when $strict is FALSE, there is no check_plain run.
The net result is that when using the token values as default form values, double escaping occurs.
Comment | File | Size | Author |
---|---|---|---|
#1 | webform-1721996-token-filter.patch | 522 bytes | Stevel |
Comments
Comment #1
Stevel: This patch adds the sanitize option to token_replace to match the value of the $strict variable. When $strict is true, check_plain is used for the token_replace values, otherwise the token replacements are left alone.
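The double escaping described in this issue, and the effect of tying the sanitize option to $strict, as an added standalone PHP example (not the attached patch and not Webform's code). `escape_plain()`, `replace_tokens()`, `filter_values()` and `render_textfield()` are hypothetical stand-ins for check_plain(), token_replace(), _webform_filter_values() and the form field rendering, and the token values are constructed.

```php
<?php
// Stand-in for Drupal 7's check_plain(): HTML-escape, quotes included.
function escape_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical token replacer. Like token_replace(), it escapes replacement
// values unless the caller passes 'sanitize' => false.
function replace_tokens(string $text, array $values, array $options = []): string {
  $sanitize = $options['sanitize'] ?? true;
  $map = [];
  foreach ($values as $name => $value) {
    $map['[' . $name . ']'] = $sanitize ? escape_plain($value) : $value;
  }
  return strtr($text, $map);
}

// Hypothetical filter. $strict = true means "the result is printed as HTML";
// $strict = false means "the result is raw and a later layer escapes it".
// $follow_strict toggles the behaviour comment #1 describes.
function filter_values(string $text, array $values, bool $strict, bool $follow_strict): string {
  $options = $follow_strict ? ['sanitize' => $strict] : [];
  return replace_tokens($text, $values, $options);
}

// Output sink: a text input always escapes its value attribute.
function render_textfield(string $name, string $default): string {
  return '<input type="text" name="' . escape_plain($name)
    . '" value="' . escape_plain($default) . '" />';
}

// Constructed token values, one with an apostrophe and one with markup.
$values = ['shop' => "Mum's Shop", 'note' => '<em>sale</em>'];

// Before: sanitize stays at its default, so the value is escaped by the
// token layer and again by the field, and the user sees the entity text.
echo render_textfield('shop', filter_values('[shop]', $values, false, false)), "\n";

// After: sanitize follows $strict (false here), so only the field escapes.
echo render_textfield('shop', filter_values('[shop]', $values, false, true)), "\n";

// Markup in a raw token value is still neutralised once, by the sink.
echo render_textfield('note', filter_values('[note]', $values, false, true)), "\n";

// Strict callers print the result directly, so the token layer must escape.
echo '<p>', filter_values('[note]', $values, true, true), "</p>\n";
```

The non-strict path is only safe because the sink escapes; a caller that prints a non-strict result straight into HTML would emit the raw token value.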
Comment #2
quicksketch: Thanks! Excellent, I'll review it when I get a chance.
Comment #3
victoriachan: Hi,
I have got the same problem where when I use a token (from user profile field) as a default value in a webform form field, the resulting output is displayed with unnecessary `check_plain()` it seems.
For example, `Mum's Shop` is displayed as `Mum&#039;s Shop`.
I am using 7.x-3.18, and have applied the patch, but it doesn't seem to make any difference. I don't think it is specific to Profile2 either, as I have tried it using a normal text field as token, and had the same result.
It's tricky to find out what is applying the `check_plain()` to the token value as it involves so many different modules. I have tried printing the `$string` variable that is returned from `token_replace()` in `_webform_filter_values()`, and the apostrophe has already been encoded as `&#039;` then (even when hardcoding the sanitize option as false).
Any idea how I can approach this?
Thanks,
Victoria
Comment #4
quicksketch: This patch is specifically for the 7.x-4.x branch. I don't think you can pull tokens out of Profile2 in the 3.x version of the module, unless you're using "Webform Patched" module, which is a hacked version of Webform to add token support to the 3.x branch.
I've committed this patch to the 7.x-4.x branch. Thanks @Stevel!