Inside commerce_customer_commerce_checkout_pane_info() the title is run through check_plain() but in commerce_checkout_form() it is also run through check_plain().
I'm assuming the one in commerce_customer_commerce_checkout_pane_info() was a mistake so attaching a patch to remove it....
Comment | File | Size | Author |
---|---|---|---|
#1 | commerce-double_check_plain-1883308-1.patch | 745 bytes | mjpa |
Comments
Comment #1
mjpa: The patch...
Comment #2
star-szr: Very timely, I was just coming here to report the same issue after digging through commerce_customer and i18n.
Without the patch you can end up with panes titled like "Adresse d'expédition". Thanks @mjpa!
Steps to reproduce:
Comment #3
rszrama: Found another instance in the checkout pane settings form where we used check_plain() for a select form element's options list, which also resulted in double sanitization. Thanks, mjpa!
Commit: http://drupalcode.org/project/commerce.git/commitdiff/bcd81f5
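
An added example, not part of the thread or of the Commerce code base, showing the double escaping discussed above and a heuristic check for it. The `example_*` functions are hypothetical stand-ins for the pane definition and the render step, and the `check_plain()` fallback mirrors Drupal 7's wrapper around `htmlspecialchars()`.

```php
<?php
// Added illustration; not code from Drupal Commerce.

// Stand-in for Drupal 7's check_plain(), which wraps htmlspecialchars().
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical pane definition that escapes the title too early ("before").
function example_pane_info_escaped($title) {
  return array('title' => check_plain($title));
}

// Hypothetical pane definition that stores the raw title ("after").
function example_pane_info_raw($title) {
  return array('title' => $title);
}

// Hypothetical render step: the single place where output is escaped.
function example_render_title(array $pane) {
  return '<legend>' . check_plain($pane['title']) . '</legend>';
}

// Heuristic regression check: entities whose ampersand was escaped again.
// A title that legitimately contains the literal text "&amp;" also matches.
function example_find_double_escaped($html) {
  preg_match_all('/&amp;(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);/i', $html, $m);
  return $m[0];
}

// Constructed sample titles; the first is the one quoted in the thread.
$titles = array("Adresse d'expédition", 'Billing & shipping', '<b>Gift</b>');
foreach ($titles as $title) {
  $before = example_render_title(example_pane_info_escaped($title));
  $after = example_render_title(example_pane_info_raw($title));
  printf("%s\n  escaped twice: %s\n  escaped once:  %s\n  flagged: %s\n",
    $title, $before, $after,
    implode(', ', example_find_double_escaped($before)) ?: 'none');
}
```

Escaping once at the output boundary still neutralises the `<b>` markup in the third title; removing the early check_plain() call only removes the second pass.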