[development] Full HTML output in profile fields of type textarea

Jon Antoine antoinesolutions at gmail.com
Mon Sep 8 16:19:23 UTC 2008


That was exactly what I needed.  I was able to add a few tags to the
default role and revert the changes made to core.  Thanks so much, and
also for the great links.


Jon Antoine

On Mon, Sep 8, 2008 at 8:03 AM, Greg Knaddison - GVS
<Greg at growingventuresolutions.com> wrote:
> On Sat, Sep 6, 2008 at 12:27 AM, Jon Antoine <antoinesolutions at gmail.com> wrote:
>> I am trying to crate profile fields that allow full HTML output.  I
>> have struggled with this for a long time and finally came up with a
>> solution I am not happy with.  After tracking it down, I found on line
>> 560 in the profile.module file that the field value is being passed
>> through check_markup function which is filtering out a lot of the
>> HTML.  I ended up replacing the check_markup call with a
>> filter_xss_admin call, but I hate that I had to modify core to
>> accomplish this.  Can anyone suggest a better workaround to this
>> problem?  I would greatly appreciate it.
> The call to check_markup without a specified filter (as it is in
> profile.module) will use whichever filter format is the default for
> the site.  So, if you wish to change which tags are filtered or not
> you can modify your default input filter.
> I will caution you that bad configuration and improper use of input
> formats can lead to security holes.  Two resources on the subject:
> http://drupal.org/node/224921 and
> http://heine.familiedeelstra.com/input-formats-beware
> Regards,
> Greg
> --
> Greg Knaddison
> Denver, CO | http://knaddison.com | 303-800-5623
> Growing Venture Solutions, LLC | http://growingventuresolutions.com

More information about the development mailing list