Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When & is a part of the node title, it is displayed as & when included in a breadcrumb.
Comments
Comment #1
joelrichard CreditAttribution: joelrichard commentedThis may not be a perfect fix, but I made the following change to my local copy of the code by adding a call to htmlspecialchars_decode() to handle the &
custom_breadcrumbs.module, Line: 106
Comment #2
trentoncolley CreditAttribution: trentoncolley commentedI also encountered this problem and instead changed line 205 to:
Edit:
This line was edited because I used the identifier for no link. It appears that decoding entities needs to be done throughout the module.
Comment #3
lemming CreditAttribution: lemming commentedThe issue seems to occur when token_replace() is called to resolve tokens in the breadcrumb. The problem is that token_replace will run filters to escape and clean up the resulting value (causing & => &). Soon after _custom_breadcrumbs_create_crumb() is called, and again will sanitize the values.
The patch here, bypasses the first set of text filtering. This will still result in a safe sanitized solution because _custom_breadcrumbs_create_crumb() will always be called after it.
Comment #4
fonant CreditAttribution: fonant commentedI think encoding and then decoding is a little silly. I've changed line 205 to:
which works fine :)
Comment #5
davemybes CreditAttribution: davemybes commented#3 works perfectly for me. Not sure I like the idea of not running the title through check_plain, even though its only trusted people posting content on our site.
Comment #6
davemybes CreditAttribution: davemybes commentedSetting status accordingly.
Comment #7
fonant CreditAttribution: fonant commented#3 effectively does the same thing as #4, but #4 is less code.
In #3 we sanitise the link text early with check_plain() in _custom_breadcrumbs_create_crumb(), and then have to ask not to sanitise it again when replacing tokens.
In #4 we don't sanitise the link text, but it gets sanitised anyway in custom_breadcrumbs_node_view() where it calls token_replace().
So from a code point of view, I prefer the simplicity of #4 myself. But from a logical point of view, #3 means that the output of _custom_breadcrumbs_create_crumb() is always in HTML whether it's a link or just a text string.
Comment #8
lemming CreditAttribution: lemming commentedincrn8 to address your concern in #5, it's not that we're not running check_plain on the text, we're eliminating the fact that it is being done twice.
Unless you're referring to solution in #4. I would not recommend #4 for a couple reasons.
1.) You're only addressing the issue if the result of the breadcrumb is not a link. If it is a link, your already filtered text will get filtered again by l(). You can enter in more than just a token as the title (i.e. Hello & Goodbye [user:name]) and the '&' will not be encoded correctly using #4.
2.) The filtering done in custom_breadcrumbs_node_view() during token_replace() will only apply to tokens that get replaced, and not the whole title. The final check_plain() on line 205 ensures the whole title result is filtered.
I think it's best to use #3 still, since we ensure both tokens and user entered text get passed to _custom_breadcrumbs_create_crumb() in the same state.
Then _custom_breadcrumbs_create_crumb() ensures that all code paths output filtered text.
Comment #9
rwinikates CreditAttribution: rwinikates commentedpatch in #3 worked great for me.
Comment #10
khuramhb CreditAttribution: khuramhb commented#1 worked for me. I also tried #2, that one didn't work for me.
Thanks a lot.
Comment #11
jfhovinne CreditAttribution: jfhovinne commentedPatch in #3 works for me.
Comment #12
colanIs this still a problem in the latest dev branch? It would need to get fixed there first if it's still a problem. If so, this patch may help.
Comment #13
colanComment #14
NickWebman CreditAttribution: NickWebman commentedSame for the paths...
Works just fine. Thanks.
Comment #15
Peacog CreditAttribution: Peacog commentedI found a very simple solution to this problem. The l() function that is used to create the breadcrumb link has an option 'html' that says that the link text may contain HTML. The _custom_breadcrumbs_identifiers_option() function is used to create the options array. So adding the 'html' option there fixes the problem. Here's a patch.
Comment #16
mtk CreditAttribution: mtk commentedpatch #15 fixes the problem for links, but not for text (last item on path)
Comment #17
ronaldmulero CreditAttribution: ronaldmulero for edX commentedNone of the above solutions worked for me. Using strip_tags() did, though. Here's the patch. Created with git format-patch
Comment #20
ronaldmulero CreditAttribution: ronaldmulero for edX commentedI inadvertantly selected "Test with custom_breadcrumbs 7.x-1.x-dev" when I uploaded the patch in #17. It is actually a patch against the 7.x-2.x branch. Created this one with git diff this time.
Comment #21
ronaldmulero CreditAttribution: ronaldmulero for edX commentedComment #24
ronaldmulero CreditAttribution: ronaldmulero for edX commentedSame idea patched for 7.x-1.x branch instead.
Comment #27
lamp5Closing this because is outdated. Only 7.2 branch and greater are supported.