Descriptions shown in the data selector help fieldset display HTML entities due to two calls to check_plain() -- one in theme_rules_data_selector_help() and the other from a t() call by the entity API module in entity_metadata_field_default_property_callback() which sets the "description" property. For example:

Field <em class="placeholder">field_myfieldname</em>

Change this to display like:

Field field_myfieldname

Comments

solotandem’s picture

Component: User Interface » User interface
Status: Active » Needs review
FileSize
1.03 KB

Attached 1-line patch replaces check_plain() with filter_xss_admin().

solotandem’s picture

Issue summary: View changes

Tweak the format.

solotandem’s picture

Revised patch fixes another occurrence of same issue.

klausi’s picture

Status: Needs review » Reviewed & tested by the community

Great, works for me.

fago’s picture

Status: Reviewed & tested by the community » Needs work

The question is where should the check_plain() happen? I don't think we should rely on the hook to provide just sanitized strings - for that any caller would have to provide it that way. Instead, we should check-plain on output and ensure nothing can go through.

Thus
- we should fix entity-api to not sanitize the strings going in the hook
- we should ensure it's checked everywhere it's output in rules
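
To make the point above concrete, here is an added illustration (not Rules or Entity API code) of why sanitizing inside the hook and again at output double-encodes the description, while escaping exactly once at the output boundary still neutralizes any markup in a field name. check_plain() and t() below are minimal stand-ins assumed to behave like Drupal 7's (t() escapes %placeholders and wraps them in <em class="placeholder">).

```php
<?php
// Minimal stand-ins for Drupal 7's check_plain() and t(); assumed behaviour:
// check_plain() HTML-escapes, t() escapes %placeholders and wraps them in
// <em class="placeholder">. These are not the real Drupal implementations.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    if ($key[0] === '%') {
      $args[$key] = '<em class="placeholder">' . check_plain($value) . '</em>';
    }
  }
  return strtr($string, $args);
}

// Before: the provider (the hook implementation) hands over an already
// sanitized description ...
function description_sanitized_in_hook($field_name) {
  return t('Field %name', array('%name' => $field_name));
}

// ... and the consumer (the theme function) escapes it a second time, so the
// user sees literal entities such as &lt;em&gt; instead of emphasis.
function render_double_escaped($field_name) {
  return check_plain(description_sanitized_in_hook($field_name));
}

// After: the hook returns the raw value and the consumer escapes exactly once,
// at the output boundary. Markup inside $field_name is still neutralized.
function description_raw($field_name) {
  return $field_name;
}

function render_escaped_once($field_name) {
  return 'Field <em class="placeholder">'
    . check_plain(description_raw($field_name)) . '</em>';
}

// Constructed sample inputs: a normal field name and one carrying markup.
foreach (array('field_myfieldname', 'field_<b>injected</b>') as $name) {
  echo "double-escaped: ", render_double_escaped($name), "\n";
  echo "escaped once:   ", render_escaped_once($name), "\n";
}
```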

fago’s picture

Priority: Normal » Major

solotandem’s picture

I also considered the question you pose in #4. However, it seems that filter_xss_admin() provides the security needed and allows for acceptable HTML entities (e.g. the "emphasis" tag around the field name). How would you duplicate the current functionality without declaring the "description" item in Rules? Or, is that not a concern?

fago’s picture

FileSize
723 bytes

We can easily fix it to not contain escaped html in the entity API, see attached patch. But I agree that using filter_xss() for the description, and 'check_plain' for the label in Rules does it too. Not sure whether HTML in descriptions really is something we should enforce, but at least it's working then even if people do not upgrade to the latest entity api.

Though, let's use filter_xss() not filter_xss_admin() as it's more restrictive.

fago’s picture

Status: Needs work » Fixed

ok, I've committed that patch to the entity api + fixed the data selection autocompletion widget to not escape twice. Given those changes it works for me in all situations. Update to the latest entity api dev version to test.

> But I agree that using filter_xss() for the description, and 'check_plain' for the label in Rules does it too.
I've not done so for now, as usually there shouldn't be HTML in there anyway.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

marcoscano’s picture

Status: Closed (fixed) » Active

Hi, not sure if it's the good place for this, but:

With entity_api 7.x-1.0-rc1 and rules 7.x-2.0, I have a text-based email being sent with a value taken from the token from a date field. The result, in the body of the email, is:

<span class="date-display-single" property="dc:date" datatype="xsd:dateTime" content="2011-11-22T20:00:00+01:00">22/Nov/11 - 20:00</span>

instead of

22/Nov/11 - 20:00

Is this the same issue?

fago’s picture

Status: Active » Closed (fixed)

no

fago’s picture

Issue summary: View changes

Tweak

dagomar’s picture

Component: User interface » Rules Core
Issue summary: View changes
Status: Closed (fixed) » Active
FileSize
16.92 KB

I have exactly this issue, even though it was closed a year ago. I'm on rules dev and entity api dev. I have no clue why this is happening. See attachment.

wbmstrss’s picture

I'm experiencing the same issue - seeing HTML in the select choices.

Core/Modules
Drupal 7.24
Rules 7.x-2.6
Entity API 7.x-1.2
Token 7.x-1.5+0-dev (2013-Oct-18)

wbmstrss’s picture

Update: found a thread discussing JQuery Update Module issues and changed the configuration on my site to use JQuery 1.5 versus 1.7. After doing so, the rules display is behaving normally and I actually can see the selectable list of data selectors now.

That selectable list of data selectors was not visible to me using JQuery 1.7, but I'm not familiar enough with D7 to jump to the conclusion that what I'm seeing is something that is wrong versus something I don't understand how to configure.

myselfhimself’s picture

Hello,
Thanks for the Rules module :-D !!!!!!!!
With jQuery 1.10 I unfortunately do see the HTML markup within the auto-complete suggestions...

brad.curnow’s picture

> With jQuery 1.10 I unfortunately do see the HTML markup within the auto-complete suggestions...

If you're using the jQuery update module, go to the settings (D7: admin/config/development/jquery_update) and under "Alternate jQuery version for administrative pages" choose version 1.5 and it should work just fine.

BC

mvonfrie’s picture

> under "Alternate jQuery version for administrative pages" choose version 1.5 and it should work just fine

I have exactly the same issue as @wbmstrss with JQuery 1.7 or newer. When I change it to 1.5 the data selection doesn't work at all anymore, even the arrow at the right of the textbox disappears.

Core/Modules
Drupal 7.27
Rules 7.x-2.6
Entity API 7.x-1.5
Token 7.x-1.5

VladimirAus’s picture

> I have exactly the same issue as @wbmstrss with JQuery 1.7 or newer. When I change it to 1.5 the data selection doesn't work at all anymore, even the arrow at the right of the textbox disappears.

@mvonfrie click Save and, after it gives you errors, the arrow will reappear.

kopeboy’s picture

Can we make it work with jQuery 1.7?

It's very annoying..

kopeboy’s picture

Version: 7.x-2.x-dev » 7.x-2.7

@VladimirAus

clicking Save doesn't work on some conditions!

For example, if you try to create a condition of "Entity is of bundle", clicking save will just reload page with error and still no data selectors.

I'm using jQuery 1.5 on admin pages (was using 1.7 before and selector would appear but with raw html)

kristiaanvandeneynde’s picture

Have the same issue with jQuery 1.5, 1.7, 1.8 and 1.10

Funksmaname’s picture

I dunno why, but it seems that just now setting the main drupal jquery to 1.5 as well as admin to 1.5 and THEN changing the main version back to 1.10 makes the drop down not show html.

though it worked previously on another site, trying to change ONLY the alternate version to 1.5 didn't seem to work on this site, but doing as above did...

hope this helps?

---

I was wrong - the thing hadn't refreshed - when I set main to 1.10 and admin to 1.5 I get no drop down on rules fields (the down arrow is gone)

sorry - it only works if both main and admin are set to 1.5

fearlsgroove’s picture

Version: 7.x-2.7 » 7.x-2.x-dev
Status: Active » Needs review
FileSize
1.38 KB

The root of this issue is that newer versions of jQuery UI use "ui-autocomplete" instead of "autocomplete" for namespacing things like classes and local data, so the _renderItem (and close()) hacks Rules is using don't work.

Here's some code that makes rules autocomplete hacks even uglier, but it works in every current version of jquery update.

kristiaanvandeneynde’s picture

It's impractical to try and keep your JavaScript compatible with all versions of jQuery, so ugly is allowed here I suppose :) Will try to test this patch after the weekend.

kristiaanvandeneynde’s picture

Status: Needs review » Reviewed & tested by the community

Tested and seems to work for me.

designerbrent’s picture

This seems to do the trick for me.

akosipax’s picture

Seems to be a duplicate of https://www.drupal.org/node/1810656

It has the same patch done.

das-peter’s picture

Works for me as well. Would like to see this in since more and more extensions are relying on newer jquery versions.

DrCord’s picture

The fix in #23 worked for me as well.

fago’s picture

Status: Reviewed & tested by the community » Closed (duplicate)