I get an error when I try to translate the completion message (the Return to front page for example).
The error states: The submitted string contains disallowed HTML: Return to the front page..
Regular HTML works just fine in the field (also links), it's just when I put the token in there that it is giving errors.
The code:
/**
* Returns the default checkout completion message.
*/
function commerce_checkout_completion_message_default() {
return t('Your order is number [commerce-order:order-number]. You can <a href="[commerce-order:url]">view your order</a> on your account page when logged in.')
. "\n\n" . t('<a href="[site:url]">Return to the front page.</a>');
}
I think it would be better if the tokens aren't in the actual text (and then the translations won't give any errors with the tokens)
I solved this by doing:
/**
* Returns the default checkout completion message.
*/
function commerce_checkout_completion_message_default() {
return t('Your order is number @order-number. You can <a href="@order-url">view your order</a> on your account page when logged in.', array('@order-number' => '[commerce-order:order-number]','@order-url' => '[commerce-order:url]'))
. "\n\n" . t('<a href="@site-url">Return to the front page.</a>', array("@site-url" => "[site:url]"));
}
Comment | File | Size | Author |
---|---|---|---|
#5 | drupal-1292140-5-locale_is_safe_tokens.patch | 1.15 KB | infojunkie |
#3 | drupal-translation_of_token_uri-1292140-2.patch | 806 bytes | Martijn Houtman |
commerce_checkout_translatable_completion_message_27-09-2011.patch | 985 bytes | romenov | |
Comments
Comment #1
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis is a core bug. Reassigning.
Comment #2
Martijn Houtman CreditAttribution: Martijn Houtman commentedI ran into the same troubles, and tracked it down to being a bug in the _filter_xss_attributes() (or possibly the drupal_strip_dangerous_protocols()) function. Imagine the situation of translating this string:
<a href="[node:url]">view</a>
The drupal_strip_dangerous_protocols() function detects the "[node:" part as a protocol definition, rather than a token.
I think this bug deserves some attention, as many bugs relate to it:
http://drupal.org/node/1734690
http://drupal.org/node/1292140
http://drupal.org/node/1535316
(and possibly more)
I understand the solution @romenov came up with (replacing tokens with t() arguments), but I see this more as a workaround, rather than a solution.
Comment #3
Martijn Houtman CreditAttribution: Martijn Houtman commentedExample patch attached. This is most likely the wrong place to put it, though. Comments welcome.
Comment #4
Martijn Houtman CreditAttribution: Martijn Houtman commentedHmm, just wondering about the patch, it still will not allow patterns like:
...
Splitting on ://, rather than on : would make things much easier. Too bad that some protocols (mailto, tel) do not adhere to this standard.
Comment #5
infojunkie CreditAttribution: infojunkie commentedHere's a patch against 7.x - sorry, but that's my main focus at the moment.
This patch targets
locale_string_is_safe()
, replacing tokens with "safe" text before the string is passed tofilter_xss()
. The regular expression used is the same as the one used intoken_scan()
. This patch has the advantage that we avoid messing with the security subsystem and keep the change local to the language subsystem.Comment #6
ñull CreditAttribution: ñull commentedPatch #5 works for me!
Comment #9
David_Rothstein CreditAttribution: David_Rothstein commentedLooks like this still needs to be fixed in Drupal 8.
Comment #18
catchDuplicate of #2371861: Strings including tokens in href or src attributes cannot be translated due to safeness check incompatibilities.