Updated: Comment #0

Problem/Motivation

In the interest of security, should we sanitize _title_callback return values by default?

Proposed resolution

Discuss
Decide whether to sanitize by default - these are primarily used for breadcrumbs, head title and page title

Remaining tasks

Determine a way to replicate the old PASS_THROUGH logic for when the title contains HTML

User interface changes

None

API changes

_title_callback no longer needs to return a sanitized string

Follow-up from #2100397: [meta] Ensure that DX issues identified by a recent review are covered with individual issues.

Comments

dawehner

Status: Active » Fixed

Autosanitization should deal with it, right?

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.