To reproduce:

1) create a text field on a node type
2) set the node type to use that field's token in an automatically generated title
3) create a node where that field's value is something similar to testin' is fun
4) see the node's title created as testin' is fun

Comments

Robin Monks

This is a patch that has not been extensively tested for security and should not be used in situations where the users creating nodes are not trusted. No, it's not a proper git patch because I want you to think long and hard before applying it, so it's supposed to be hard.

Index: auto_nodetitle.module
===================================================================
--- auto_nodetitle.module	(revision 233)
+++ auto_nodetitle.module	(working copy)
@@ -86,6 +86,7 @@
   }
   // Ensure the generated title isn't too long.
   $node->title = substr($node->title, 0, 255);
+  $node->title = decode_entities($node->title);
   // With that flag we ensure we don't apply the title two times to the same
   // node. See auto_nodetitle_is_needed().
   $node->auto_nodetitle_applied = TRUE;
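Review bot: the added `decode_entities()` call runs after the `substr()` truncation, so a title that is cut at 255 bytes can be split inside an entity (the apostrophe's `&#039;`, for example) and the decode then leaves a stray fragment in the stored title; moving the new line above `$node->title = substr($node->title, 0, 255);` makes the length limit apply to the decoded text. The line also deserves a one-line comment stating why entities are decoded here (the token value arrives already escaped), so the next reader does not remove it as redundant.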

Feel free to check into the security of this solution and roll a proper patch. At the very least I suspect a check_plain or xss check needs to happen, but I'm not currently willing to dig into node_save enough to figure out which combo.

/Robin
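An added PHP illustration, not code from auto_nodetitle: it models how an apostrophe in a field value reaches the title as an HTML entity and why the decode in the patch above belongs before the 255-byte truncation. The token replacement and the escaping are stand-ins that assume the value token arrives HTML-escaped, as the reports in this thread describe.

```php
<?php
// Added illustration, not auto_nodetitle's own code. The escaping and token
// replacement below are stand-ins for the assumed behaviour that a value
// token is already HTML-escaped when it is substituted into the title.

// Stand-in for an escaped field value: check_plain()-style escaping turns
// the apostrophe into the entity &#039; before it reaches the title.
function escaped_token_value(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Stand-in for token replacement on a pattern such as "[field_my_great_field]".
function build_title(string $pattern, array $tokens): string {
    return strtr($pattern, $tokens);
}

// Order used by the patch above: truncate to 255 bytes first, then decode.
// substr() is byte-based, so the cut can land inside an entity.
function finalise_title_truncate_then_decode(string $title): string {
    $title = substr($title, 0, 255);
    return html_entity_decode($title, ENT_QUOTES, 'UTF-8');
}

// Safer order: decode first, so the 255-byte limit applies to the decoded
// text and can never split an entity.
function finalise_title_decode_then_truncate(string $title): string {
    $title = html_entity_decode($title, ENT_QUOTES, 'UTF-8');
    return substr($title, 0, 255);
}

// Constructed sample: the value from the issue's reproduction steps.
$title = build_title('[field_my_great_field]', [
    '[field_my_great_field]' => escaped_token_value("testin' is fun"),
]);
echo "escaped title : $title\n";
echo "decoded title : " . finalise_title_truncate_then_decode($title) . "\n";

// Constructed edge case: 252 bytes of text, then the apostrophe, then "x".
// Escaped this is 259 bytes, so a 255-byte cut lands inside "&#039;".
$longTitle = escaped_token_value(str_repeat('a', 252) . "'x");
echo "truncate, then decode: ends with "
    . substr(finalise_title_truncate_then_decode($longTitle), -5) . "\n";
echo "decode, then truncate: ends with "
    . substr(finalise_title_decode_then_truncate($longTitle), -5) . "\n";
```

With the patch's ordering the second case keeps only the head of the entity as literal text in the stored title, while decoding first leaves the apostrophe and the trailing character intact.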

micahw156

Status: Active » Closed (duplicate)
codesidekick

I just ran into this problem when using node fields in the titles.

To avoid this happening (without patching or anything) use the field token rather than the value token.

e.g. use

[field-my-great-field]

instead of

[field_my_great_field]

afmdsouza

Workaround provided at #4 works - thanks.

Obliveon

#4 worked for me but I had to install Entity Tokens... without it the field tokens don't show