Special characters displayed as HTML entities

Created on 22 April 2025, 4 days ago

Problem/Motivation

Special characters such as " ' < > & are escaped in the Drupal\advanced_datalayer\Plugin\AdvancedDatalayer\Tag::tidy method and thus display as HTML entities.

Steps to reproduce

Enable advanced_datalayer for a content type and enter special characters in the title.

For example, this test string:

Drupal's test string: This & That

Is output as:

Drupal&#039;s test string: This &amp; That

Proposed resolution

The way I see it, it's not needed to run all values through Html::escape, since they are already safely encoded in advanced_datalayer.module by means of Json::encode.

I ran a few tests, and you can see in the example below how attempts to inject malicious code fail even after removing Html::escape from the tidy method.

Test string:
Article with special chars: & " ' < > and malicious code: <script>alert('Hacked!');</script>

DataLayer output:
Article with special chars: & " ' < > and malicious code: alert('Hacked!');

🐛 Bug report
Status

Active

Version

2.1

Component

Code

Created by

🇪🇸Spain bmunslow
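
The double encoding described in this report can be reproduced outside Drupal. The following is an added example, not code from the issue or from the advanced_datalayer module. The helper names are hypothetical, and it assumes their bodies mirror what Drupal core's Html::escape and Json::encode call internally.

```php
<?php
// Added illustration; standalone PHP, no Drupal bootstrap required.

// Hypothetical helper: the htmlspecialchars() call that
// Drupal\Component\Utility\Html::escape() wraps (assumption stated above).
function html_escape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: the flags that
// Drupal\Component\Serialization\Json::encode() passes to json_encode().
function json_encode_hex($value): string {
  return json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
}

// Test string taken from the report.
$title = <<<'TXT'
Article with special chars: & " ' < > and malicious code: <script>alert('Hacked!');</script>
TXT;

// Current behaviour: HTML-escape first, then JSON-encode.
$double = json_encode_hex(['title' => html_escape($title)]);
// Proposed behaviour: JSON-encode only.
$single = json_encode_hex(['title' => $title]);

// What a dataLayer consumer reads back after parsing each payload.
$seen_double = json_decode($double, TRUE)['title'];
$seen_single = json_decode($single, TRUE)['title'];

echo "escaped + encoded : $double\n";
echo "encoded only      : $single\n";
echo "consumer (double) : $seen_double\n";
echo "consumer (single) : $seen_single\n";

// Neither payload contains a raw < > & or ', so neither can close the
// surrounding <script> element or start an HTML entity in the page source.
foreach ([$double, $single] as $payload) {
  if (strpbrk($payload, "<>&'") !== FALSE) {
    throw new RuntimeException('raw markup character in payload');
  }
}

// JSON-only round-trips to the original text; the double-encoded value
// reaches the consumer with literal &amp; and &#039; sequences in it.
if ($seen_single !== $title || $seen_double === $title) {
  throw new RuntimeException('unexpected round-trip result');
}
```

The JSON-only payload is safe to embed in a script element; a tag or script that later writes the value into the DOM as HTML still has to escape it at that point.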
