[development] HTML in node titles for D5

Derek Wright drupal at dwwright.net
Thu Jan 17 17:03:31 UTC 2008

On Jan 17, 2008, at 8:27 AM, Earnie Boyd wrote:

> You could write a hook_nodeapi [1] function in a custom module to  
> repopulate it before it is saved to the DB.

That doesn't help you at all. Drupal filters on *output*.  You can  
get "Hello <em>world</em>" into the title field in your DB directly  
when you create or edit the node -- you don't need nodeapi for this.

The only way to get "Hello <em>world</em>" to be *output* as HTML  
when the node is rendered is to hack *a lot* of places in core to  
remove the security filtering in place to prevent XSS attacks, which  
is generally a very bad idea for all sorts of reasons.  If you do  
that, then you have to trust every user with permission to create  
nodes that they're not going to input "Hello <script>badness10000</script>
world" as node titles.

-Derek (dww)
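
The store-raw, filter-on-output model described in the message above, as an added example that is not part of the original post and is not Drupal core code. The function names and sample titles are hypothetical; the second function is one assumed way to allow a couple of inline tags without switching output escaping off.

```php
<?php
// Added illustration, not Drupal code. Function names are hypothetical.

// Escape on output: the stored title is never trusted as markup.
// Comparable in effect to Drupal's check_plain().
function render_title_plain($raw) {
  return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Escape everything first, then restore only exact, attribute-less
// tags from a fixed allowlist. Anything else stays inert text.
function render_title_inline($raw, $allowed = array('em', 'strong')) {
  $out = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
  foreach ($allowed as $tag) {
    $out = str_replace(
      array("&lt;$tag&gt;", "&lt;/$tag&gt;"),
      array("<$tag>", "</$tag>"),
      $out
    );
  }
  return $out;
}

// Constructed sample titles, held exactly as a user typed them
// (the database keeps the raw string; nothing is filtered on input).
$stored = array(
  'Hello <em>world</em>',
  'Hello <script>badness10000</script> world',
  'Hello <em onclick="x()">world</em>',
);

foreach ($stored as $raw) {
  echo "plain:  ", render_title_plain($raw), "\n";
  echo "inline: ", render_title_inline($raw), "\n\n";
}
```

In the third sample the opening tag carries an attribute, so it does not match the allowlist and stays escaped; only the bare closing tag is restored, which leaves an unbalanced but inert `</em>`.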
