The string editor can output invalid HTML to the page.
If your original/translated string contains HTML entities, these are output unescaped - for example "Questions & Answers" (should be rendered in HTML as "Questions &amp; Answers").
The attached patch refactors the l10n_client_footer() and _l10n_client_string_list() functions to use the theme system, and adds HTML escaping within the theme layer. This will allow developers to create a theme override if their particular use-case requires unescaped strings.
The patch is rolled against 6.x-1.8, but I've applied and tested against DRUPAL-6--2 (with offset -18 lines).
| Comment | File | Size | Author |
|---|---|---|---|
| | l10n_client.valid_HTML.patch | 7.16 KB | manarth |
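As an added illustration of the approach the patch describes (not the attached patch itself, and not the module's actual code), here is the shape of a Drupal 6 theme function for the string list that escapes at the theme layer; the function and argument names and the sample strings are assumed for the example.

```php
<?php
// Added example: string-list markup moved into a Drupal 6 theme function
// that escapes its input, so a theme can override it if raw HTML is needed.
// Function names, argument names and sample data are assumed, not the
// module's real code.

/**
 * Implementation of hook_theme().
 */
function l10n_client_theme() {
  return array(
    'l10n_client_string_list' => array(
      'arguments' => array('strings' => array()),
    ),
  );
}

/**
 * Theme the list of source/translation pairs shown in the string editor.
 *
 * @param $strings
 *   Array of source => translation pairs as plain (unescaped) text.
 */
function theme_l10n_client_string_list($strings) {
  $output = '<ul class="l10n-client-strings">';
  foreach ($strings as $source => $translation) {
    // check_plain() turns &, <, >, " and ' into entities, so a source
    // string like "Questions & Answers" reaches the browser as
    // "Questions &amp; Answers" rather than as a bare ampersand.
    $output .= '<li><span class="source">' . check_plain($source) . '</span>';
    $output .= ' <span class="translation">' . check_plain($translation) . '</span></li>';
  }
  $output .= '</ul>';
  return $output;
}

// A theme that genuinely needs unescaped output overrides the function
// under its own name (THEMENAME_l10n_client_string_list) instead of
// patching the module.

// Constructed sample input: one pair whose source contains an ampersand.
$strings = array('Questions & Answers' => 'Fragen & Antworten');

// Markup is produced through theme(), never by concatenating the raw
// strings, so the escaping (or a theme override) always applies.
print theme('l10n_client_string_list', $strings);
```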
Comments
Comment #1
Gábor Hojtsy: Security note: the original string comes from source code, where anything is possible. The user data (translation) goes through XSS checks before being saved (and is not saved if not compliant), so this is, I think, not a security issue.
Patch note: please roll against Drupal 7 first and then backport (I'll just be able to apply this patch to Drupal 6-2.x then, thanks).