The attached patch corrects the use of check_plain() on project and issue metadata. Previously, component names containing these characters would be double-converted (in some contexts), and status choices wouldn’t be converted (in some contexts). Category and Priority also potentially had this problem, but they are currently hard-coded with strings that aren’t affected (although translation could change this). I haven’t carefully checked Project name, Version, or Assigned.

One non-obvious reason this happened is that the Drupal forms API processes option choices (such as for list boxes) through check_plain(), but expects the caller to process most other fields.

(To test this, I’ve been using a test string such as “testA”. If I see “testA”, it needs check_plain(); if I see “testA”, it’s been double-processed with check_plain().)
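The asymmetry described above, as an added example that is not part of the original post or the attached patch. It shows how one renderer that escapes for the caller and one that does not produce double-escaped and unescaped output from the same value. All `example_*` functions are hypothetical stand-ins rather than Drupal APIs, `example_check_plain()` assumes check_plain() behaves like `htmlspecialchars()` with `ENT_QUOTES` and UTF-8, and the test value is constructed.

```php
<?php
// Stand-in for Drupal's check_plain(), assumed to be htmlspecialchars() with
// ENT_QUOTES and UTF-8, so the example runs outside Drupal.
function example_check_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical renderer that escapes option labels itself, as the post says
// the forms API does for option choices.
function example_render_select(array $options): string {
  $out = '';
  foreach ($options as $value => $label) {
    $out .= '<option value="' . example_check_plain((string) $value) . '">'
      . example_check_plain($label) . '</option>';
  }
  return "<select>$out</select>";
}

// Hypothetical renderer for a field the caller is expected to escape.
function example_render_markup(string $html): string {
  return "<div>$html</div>";
}

// Report how often a known test string was escaped in rendered output.
function example_escape_state(string $output, string $raw): string {
  $once = example_check_plain($raw);
  $twice = example_check_plain($once);
  if (strpos($output, $twice) !== false) return 'double-escaped';
  if (strpos($output, $once) !== false) return 'escaped once';
  if (strpos($output, $raw) !== false) return 'unescaped';
  return 'absent';
}

$raw = 'test<b>A</b> & more';  // constructed test value, not the post's string
$cases = [
  'option label, caller also escapes' => example_render_select([1 => example_check_plain($raw)]),
  'option label, caller passes raw' => example_render_select([1 => $raw]),
  'markup field, caller passes raw' => example_render_markup($raw),
  'markup field, caller escapes' => example_render_markup(example_check_plain($raw)),
];
foreach ($cases as $name => $html) {
  echo str_pad($name, 36), example_escape_state($html, $raw), "\n";
}
```

The test value must contain at least one character that escaping changes (`<`, `>`, `&` or a quote); otherwise the three states are indistinguishable.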


Comments

teliseo

D’oh! Here’s that last paragraph again, properly encoded:

(To test this, I’ve been using a test string such as “testA”. If I see “testA”, it needs check_plain(); if I see “testA”, it’s been double-processed with check_plain().)

teliseo

Correction to my patch to also fix the views filter handler for the component field of issues.