- 🇧🇪Belgium pablovos
In file src/Plugin/views/filter/Selective.php all HTML characters are escaped, converting various characters to HTML entities (see Html::escape).
Current code:
$oids[$key] = Html::escape($value);
I propose to output this as:
$oids[$key] = htmlspecialchars($value, ENT_SUBSTITUTE);
Which leaves allowed characters intact.
- 🇨🇦Canada joelpittet Vancouver
joelpittet → changed the visibility of the branch 3213298-values-with-ampersand to hidden.
- 🇨🇦Canada joelpittet Vancouver
This is interesting... we can maybe see what Drupal Core does for this in terms of options labels and values. We don't want to double escape things and also don't want to have an XSS attack vector.
- Status changed to Fixed 11:32pm 5 April 2024
- 🇨🇦Canada joelpittet Vancouver
I replaced the escape with a strip_tags() as we have that in D7 as well and it will do the trick better.
Fixed in 777c0f36dd5ecf2c57dbc739c3f8a1c14e59cc93
Automatically closed - issue fixed for 2 weeks with no activity.
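The three approaches named in this thread, compared on values that are escaped once more at output. This is an added example, not code from the module or from any participant. `html_escape()` and `render_option()` are hypothetical stand-ins: the first uses the flags Drupal's `Html::escape()` passes to `htmlspecialchars()`, the second assumes the option label is escaped again when it is rendered. The sample values are constructed.

```php
<?php
// Added example; helper names and sample values are assumptions, not module code.

// Stand-in for Drupal's Html::escape(): htmlspecialchars() with these flags.
function html_escape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical render step: assumes the label is auto-escaped on output.
function render_option(string $label): string {
  return '<option>' . html_escape($label) . '</option>';
}

// True when an entity's own ampersand was escaped again (e.g. &amp;amp;).
function is_double_escaped(string $html): bool {
  return preg_match('/&amp;(amp|lt|gt|quot|#0?39);/', $html) === 1;
}

// The value as each approach would store it in $oids[$key].
$strategies = [
  'Html::escape (original)' =>
    fn(string $v): string => html_escape($v),
  'htmlspecialchars ENT_SUBSTITUTE (proposed)' =>
    fn(string $v): string => htmlspecialchars($v, ENT_SUBSTITUTE),
  'strip_tags (committed)' =>
    fn(string $v): string => strip_tags($v),
];

// Constructed sample values.
$values = [
  'Research & Development',
  'Tom "TJ" Jones',
  '<b>Bold</b> label',
  '<script>alert(1)</script>News',
];

foreach ($values as $value) {
  echo "input: {$value}\n";
  foreach ($strategies as $name => $prepare) {
    $stored = $prepare($value);
    $html = render_option($stored);
    $flag = is_double_escaped($html) ? '  [double-escaped]' : '';
    printf("  %-44s stored=%s\n", $name, $stored);
    printf("  %-44s output=%s%s\n", '', $html, $flag);
  }
}
```

With `strip_tags()` the stored value is not HTML-safe on its own, so this arrangement depends on the output step doing the escaping.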