[development] HTML in node titles for D5

matt at mattfarina.com matt at mattfarina.com
Thu Jan 17 17:32:53 UTC 2008

Since drupal stores what you input (including the html), as Derek  
points out, all you need to do it change the output themeing to allow  
html to pass. You could do this by creating the function  
mythemename_node in your template.php file, making this a copy of the  
function of phptemplate_node, and changing

'title'          => check_plain($node->title)


'title'          => check_markup($node->title, 2)

Change the 2 to the input format you want to use on this field.

This lets you keep filtering on it but pass html.

The problem that will come up with this, now that I think about this  
is places like the page title in the browser. That is passed through  
check_plain so and em tag will show up with the words em.

This is something that might be best done with cck + automatic titles.  
It would be less work in development.


Quoting Derek Wright <drupal at dwwright.net>:

> On Jan 17, 2008, at 8:27 AM, Earnie Boyd wrote:
>> You could write a hook_nodeapi [1] function in a custom module to   
>> repopulate it before it is saved to the DB.
> That doesn't help you at all. Drupal filters on *output*.  You can get
> "Hello <em>world</em>" into the title field in your DB directly when
> you create or edit the node -- you don't need nodeapi for this.
> The only way to get "Hello <em>world</em>" to be *output* as HTML when
> the node is rendered is to hack *a lot* of places in core to remove the
> security filtering in place to prevent XSS attacks, which is generally
> a very bad idea for all sorts of reasons.  If you do that, then you
> have to trust every user with permission to create nodes that they're
> not going to input "Hello <script>badness10000</script> world" as node
> titles.
> Cheers,
> -Derek (dww)

More information about the development mailing list