[development] HTML in node titles for D5
Derek Wright
drupal at dwwright.net
Thu Jan 17 17:03:31 UTC 2008
On Jan 17, 2008, at 8:27 AM, Earnie Boyd wrote:
> You could write a hook_nodeapi [1] function in a custom module to
> repopulate it before it is saved to the DB.
That doesn't help you at all. Drupal filters on *output*. You can
get "Hello <em>world</em>" into the title field in your DB directly
when you create or edit the node -- you don't need nodeapi for this.
The only way to get "Hello <em>world</em>" to be *output* as HTML
when the node is rendered is to hack *a lot* of places in core to
remove the security filtering in place to prevent XSS attacks, which
is generally a very bad idea for all sorts of reasons. If you do
that, then you have to trust every user with permission to create
nodes that they're not going to input "Hello <script>badness10000</
script> world" as node titles.
Cheers,
-Derek (dww)
More information about the development
mailing list