backdrop-contrib / fullcalendar_views

Views style plugin to render all sorts of date fields as event calendar with FullCalendar
https://backdropcms.org/project/fullcalendar_views
GNU General Public License v2.0

Ampersand (&) in event title is converted to html `&amp;` #25

Closed yorkshire-pudding closed 2 years ago

yorkshire-pudding commented 2 years ago

If an event title has an ampersand (&) in, then Full Calendar displays this as `&amp;` whereas other views display normally:

Actual result: image

Expected result: image

indigoxela commented 2 years ago

That's known behavior in the FullCalendar library. Not sure if I could do anything about that.

See also:

yorkshire-pudding commented 2 years ago

There are some comments in those tickets by Adam Shaw that suggest it should accept a single & character. I've managed to work around by changing it to "and". Thanks @indigoxela

indigoxela commented 2 years ago

Having a closer look ... the html encoding to `&amp;` happens in views (check_plain), the next encoding happens when the js setting is rendered in backdrop_pre_render_scripts(), so we end up with `\u0026amp;`

We need the rendered field because of token replacements, so falling back to the raw value in renderRow isn't an option - and questionable security-wise.

We could do `strip_tags(decode_entities($rendered_field));` in FullcalendarViewsStyleCalendar::renderRow, but I'm not sure if that's a smart idea.

indigoxela commented 2 years ago

Here's a PR: #27 - but I'd really appreciate some more feedback. Are there any pitfalls with this approach?

yorkshire-pudding commented 2 years ago

That works. I can't think of any issues but may be worth getting someone who knows more about security to check.

indigoxela commented 2 years ago

My concerns are not so much about security, because markup gets stripped (strip_tags). My concerns are more like "is this a valid approach, or a silly workaround, or does Views provide something easier for cases like that"? :wink:

yorkshire-pudding commented 2 years ago

Looks valid to me. As other views with the same data don't have the issue, it makes sense to me that the FullCalendar view fixes it. Thanks @indigoxela

indigoxela commented 2 years ago

Another look... it seems like views uses something similar for paths, so at least the approach isn't wrong per se.

Markup in the title field never worked, as FullCalendar would encode it, anyway. Decoding back after Views ran check_plain over it and stripping html tags explicitly makes no difference re markup. I'm pretty sure this change won't break anything, but fixes double encoding.
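
The double encoding and the clean-up discussed in this thread, as an added example that is not part of the thread or the module's code. It assumes Backdrop's `check_plain()`, `decode_entities()` and the JSON encoding of JS settings behave like the PHP built-ins used here; all `demo_*` names and the sample titles are constructed for illustration.

```php
<?php
// Stand-ins so the script runs outside Backdrop (assumption: they mirror
// check_plain(), decode_entities() and the JSON flags used for JS settings).
function demo_check_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function demo_decode_entities(string $text): string {
  return html_entity_decode($text, ENT_QUOTES, 'UTF-8');
}

function demo_js_setting(string $value): string {
  // Second encoding step: "&" is written as a \u0026 escape in the setting.
  $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT;
  return json_encode($value, $flags);
}

// Hypothetical helper: the clean-up proposed for renderRow in this thread.
// Decode exactly once, then strip any markup that decoding re-created.
function demo_event_title(string $rendered_field): string {
  return strip_tags(demo_decode_entities($rendered_field));
}

// Constructed sample titles: a plain ampersand, markup typed into the
// title, and a title in which the user typed a literal entity.
$titles = [
  'Fish & Chips',
  '<script>alert(1)</script>Quiz',
  'Tea &amp; cake',
];

foreach ($titles as $raw) {
  $rendered = demo_check_plain($raw);  // what Views hands to the style plugin
  $before = demo_js_setting($rendered);
  $after = demo_js_setting(demo_event_title($rendered));
  printf("raw:    %s\nbefore: %s\nafter:  %s\n\n", $raw, $before, $after);
}
```

Comparing the `before` and `after` lines shows which layer each escape comes from. Decoding only once matters: the clean-up removes the encoding Views added without also decoding an entity the user typed literally.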