I get an error when I try to translate the completion message (the Return to front page for example).
The error states: "The submitted string contains disallowed HTML: Return to the front page."

Regular HTML works just fine in the field (also links), it's just when I put the token in there that it is giving errors.

The code:

/**
 * Returns the default checkout completion message.
 */
function commerce_checkout_completion_message_default() {
  return t('Your order is number [commerce-order:order-number]. You can <a href="[commerce-order:url]">view your order</a> on your account page when logged in.')
    . "\n\n" . t('<a href="[site:url]">Return to the front page.</a>');
}

I think it would be better if the tokens aren't in the actual text (and then the translations won't give any errors with the tokens).

I solved this by doing:

/**
 * Returns the default checkout completion message.
 */
function commerce_checkout_completion_message_default() {
  return t('Your order is number @order-number. You can <a href="@order-url">view your order</a> on your account page when logged in.', array('@order-number' => '[commerce-order:order-number]', '@order-url' => '[commerce-order:url]'))
    . "\n\n" . t('<a href="@site-url">Return to the front page.</a>', array('@site-url' => '[site:url]'));
}

Comments

Damien Tournoud’s picture

Project: Commerce Core » Drupal core
Version: 7.x-1.0 » 8.x-dev
Component: Checkout » locale.module
Assigned: romenov » Unassigned
Priority: Minor » Normal
Status: Needs review » Needs work

This is a core bug. Reassigning.

Martijn Houtman’s picture

I ran into the same troubles, and tracked it down to being a bug in the _filter_xss_attributes() (or possibly the drupal_strip_dangerous_protocols()) function. Imagine the situation of translating this string:

<a href="[node:url]">view</a>

The drupal_strip_dangerous_protocols() function detects the "[node:" part as a protocol definition, rather than a token.

I think this bug deserves some attention, as many bugs relate to it:

http://drupal.org/node/1734690
http://drupal.org/node/1292140
http://drupal.org/node/1535316

(and possibly more)

I understand the solution @romenov came up with (replacing tokens with t() arguments), but I see this more as a workaround, rather than a solution.

Martijn Houtman’s picture

Example patch attached. This is most likely the wrong place to put it, though. Comments welcome.

Martijn Houtman’s picture

Hmm, just wondering about the patch, it still will not allow patterns like:

...

Splitting on ://, rather than on : would make things much easier. Too bad that some protocols (mailto, tel) do not adhere to this standard.

infojunkie’s picture

Version: 8.x-dev » 7.x-dev
Issue summary: View changes
Status: Needs work » Needs review

Here's a patch against 7.x - sorry, but that's my main focus at the moment.

This patch targets locale_string_is_safe(), replacing tokens with "safe" text before the string is passed to filter_xss(). The regular expression used is the same as the one used in token_scan(). This patch has the advantage that we avoid messing with the security subsystem and keep the change local to the language subsystem.
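
The interaction described in the comments above, as an added example that is not part of the original thread and is not Drupal core code: a simplified PHP model of a colon-based protocol check rejecting a [type:name] token inside an href, and of masking tokens before the check. The function names, the short allow-list and the token pattern are assumptions for illustration.

```php
<?php
// Simplified model of the behaviour discussed in this thread; not Drupal core.
// Function names, the allow-list and the token pattern are assumptions.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];

// Drops everything before the first ':' unless it is an allowed scheme.
function strip_disallowed_scheme(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // '/', '?' or '#' before the colon: relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

// A string counts as safe only if filtering its href values changes nothing.
function is_safe(string $html): bool {
  $filtered = preg_replace_callback('/href="([^"]*)"/', function ($m) {
    return 'href="' . strip_disallowed_scheme($m[1]) . '"';
  }, $html);
  return $html === $filtered;
}

// Mask [type:name] tokens with inert text, then run the same check.
function is_safe_with_tokens_masked(string $html): bool {
  return is_safe(preg_replace('/\[[^\s\[\]:]+:[^\[\]]+\]/', 'token', $html));
}

// Constructed sample strings.
$cases = [
  '<a href="[site:url]">Return to the front page.</a>',
  '<a href="http://example.com/">Return to the front page.</a>',
  '<a href="javascript:[site:url]">Return to the front page.</a>',
];
foreach ($cases as $c) {
  printf("plain=%-5s masked=%-5s %s\n", var_export(is_safe($c), true),
    var_export(is_safe_with_tokens_masked($c), true), $c);
}
```

The third case is still rejected after masking, because the disallowed scheme sits outside the token and the protocol check itself is untouched.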

ñull’s picture

Status: Needs review » Reviewed & tested by the community

Patch #5 works for me!

The last submitted patch, 3: drupal-translation_of_token_uri-1292140-2.patch, failed testing.

David_Rothstein’s picture

Version: 7.x-dev » 8.0.x-dev
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs backport to D7

Looks like this still needs to be fixed in Drupal 8.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

catch’s picture