ability to escape disallowed tags
Comment | File | Size | Author |
---|---|---|---|
#3 | drupal_70.patch | 3.84 KB | doq |
 | escape disallowed tags 4.7.3.patch.txt | 4.85 KB | doq |
Comments
Comment #1
drumm commented:
Why is there an underscore at the end of $escape_?
Go ahead and fix the code style for $form['filter_html']["filter_html_$format"] (put each array element on its own line) instead of breaking up the option list by putting one on the next line.
Can the added if statement be merged with the very similar one a bit further up?
In all new code, use 'filter_html_' . $format instead of "filter_html_$format".
Comment #2
Steven CreditAttribution: Steven commented
Comment #3
doq CreditAttribution: doq commented:
2 drumm:
Applied your suggestions.
"In all new code, use 'filter_html_' . $format instead of "filter_html_$format"." - but it is currently "filter_html_$format" in the code? I haven't changed that in the current patch.
Comment #4
Steven CreditAttribution: Steven commented:
Actually, do we need a setting for this? Having the XSS filter just always escape invalid output would mean we can simplify some rules higher up too, I think. And in the end, the goal has never been to make invalid output look pretty—only to make it safe for viewing.
Comment #5
doq CreditAttribution: doq commented:
But if you want to submit xml code, or sometimes there are some words with > etc.
Admin will choose what type of escape to use, but I think this should be in core.
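To make the strip-versus-escape choice discussed in #4 and #5 concrete, here is a small Python model of a tag allow-list filter with both modes. It is an added illustration, not Drupal's filter_xss or the attached patch; the allow-list and sample strings are constructed, and attribute sanitising (href, on* handlers) is left out.

```python
import re

# Small allow-list constructed for this example (Drupal's default list is longer).
ALLOWED_TAGS = {"a", "em", "strong", "p", "br"}

# Anything that looks like a tag: <name ...>, </name>, <name/>.
# A bare '<' or '>' (e.g. "1 > 0", "a < b") does not match and stays text.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\b[^<>]*>")


def _angle(s: str) -> str:
    """Escape only angle brackets, so existing entities like &amp; are not doubled."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def filter_tags(text: str, allowed=ALLOWED_TAGS, mode: str = "strip") -> str:
    """Keep `allowed` tags as markup and neutralise everything else.

    mode="strip"  : disallowed tags are removed (classic behaviour)
    mode="escape" : disallowed tags become visible text (&lt;script&gt;)
    Text between tags gets '<' and '>' escaped in both modes, so the output
    is safe to render either way; the modes only differ in what the reader sees.
    Note: attributes on allowed tags are passed through untouched here, which a
    real filter must not do.
    """
    if mode not in ("strip", "escape"):
        raise ValueError("mode must be 'strip' or 'escape'")
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(_angle(text[pos:m.start()]))  # plain text before the tag
        name = m.group(1).lower()
        if name in allowed:
            out.append(m.group(0))               # allowed tag passes through
        elif mode == "escape":
            out.append(_angle(m.group(0)))       # disallowed tag shown literally
        # mode == "strip": drop the disallowed tag entirely
        pos = m.end()
    out.append(_angle(text[pos:]))               # trailing plain text
    return "".join(out)


if __name__ == "__main__":
    sample = "<p>1 > 0 and <script>alert(1)</script> done</p>"   # constructed input
    print(filter_tags(sample, mode="strip"))
    print(filter_tags(sample, mode="escape"))
    xml = "<config><item>x</item></config>"                       # the "xml code" case from #5
    print(filter_tags(xml, mode="escape"))
```

In strip mode the XML snippet collapses to just "x", which is what comment #5 objects to; escape mode keeps it readable while still neutralising it.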
Comment #6
chx CreditAttribution: chx commented:
I am neither for nor against this idea; filter_xss doxygen needs an update and we need a proper diff with the -p option.
Comment #7
sun
Comment #8
jhedstrom commented:
Not sure if this is still relevant or not?
Comment #22
smustgrave CreditAttribution: smustgrave at Mobomo commented:
Closing as outdated since there hasn't been an update since this issue moved to PNMI 7 years ago.
Also, the filter module has gone through several changes (some pending) since this ticket was opened.
If this is still a valid issue, please reopen with an updated issue summary.