Updated: Comment #0
Problem/Motivation
In the interest of security, should we sanitize _title_callback returns by default?
Proposed resolution
Discuss
Decide whether to sanitize by default - these are primarily used for breadcrumbs, head title and page title
Remaining tasks
Determine a way to replicate the old PASS_THROUGH logic for when the title contains HTML
User interface changes
None
API changes
_title_callback no longer needs to return a sanitized string
Related Issues
Follow-up from #2100397: [meta] Ensure that DX issues identified by a recent review are covered with individual issues.
Comments
Comment #1
dawehner: Autosanitization should deal with it, right?