As designed HTML In Phrase Variables Not Being Parsed

Snog

Well-known member
If you format a phrase variable with HTML, that HTML is not parsed.

IE:
Code:
<p>item 1</p><p>item 2</p><p>item 3</p>
Is displayed as plain unformatted text.
 

Brogan

XenForo moderator
Staff member
Although it was stated at the beginning that phrases support HTML, they don't in all cases so that was removed a while ago.

Some do, some don't.
 

Snog

Well-known member
Odd it would be removed. It comes in handy when throwing an error that applies to multiple items in, say, the inline mod system.

Without it, it looks like you have to throw a single error until all errors are cleared.
 

Brogan

XenForo moderator
Staff member
To clarify, only the text stating that HTML can be used in phrases was removed.

As far as I am aware, nothing changed functionally.
 

Mike

XenForo developer
Staff member
It's not really a bug if we weren't using or expecting HTML in that context. When it comes to translations, the rule of thumb is that if the English version doesn't use HTML, a translation shouldn't because we can't guarantee it'll work. It's more difficult when it comes to add-ons, but if you try to use HTML in a place we're not expecting it, then that would generally be how it's designed.

We'd need specific reproduction steps, but it's unlikely a particular context would change at this point.
 

Snog

Well-known member
The reproduction steps are pretty simple.

Create a phrase with a variable. Call it threads_x_error.
Code:
The threads below:{titles}Contain X and can not be deleted.
Then populate the variable and send it to the phrase:
Code:
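// Sample thread titles
$titles = array('ABC', 'DEF', 'GHI');

// Build the parameter value with HTML line breaks around each title
$sendTitles = '';
foreach ($titles as $title)
{
    $sendTitles .= '<br/>' . $title . '<br />';
}

// Pass the built string as the phrase's {titles} parameter
return $this->responseError(new XenForo_Phrase('threads_x_error', array('titles' => $sendTitles)));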
And the result will be:
noformat.png

The expected result is:
expected.png
 

Snog

Well-known member
Just to add a little twist, if you format the variable using standard \r\n, the system also completely strips that formatting making it impossible to have line feeds in a phrase variable.
 

Arty

Well-known member
Try this:
Code:
return $this->responseError(new XenForo_Phrase('threads_x_error',array('titles' => $sendTitles), false));
 

Mike

XenForo developer
Staff member
Indeed, the issue here is that you're trying to pass HTML in a parameter. Parameters are HTML escaped by default. Without this, you'd basically have XSSes everywhere. The "false" mentioned by @Arty disables the escaping, which means you'd be responsible for it (escaping the parts other than the HTML you're trying to inject).

So this is very much as designed.
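
Added example, not part of the thread and not XenForo's own code: a simplified stand-in for the parameter escaping described above, comparing the default behaviour, escaping disabled with raw titles, and escaping disabled with each title escaped first. `renderPhrase()` and `buildTitleList()` are hypothetical names, and the sample titles are constructed.

```php
<?php
// Simplified stand-in for phrase rendering (assumption, not XenForo's code):
// substitutes {name} placeholders, HTML-escaping each parameter unless
// $insertParamsEscaped is false, mirroring the third constructor argument.
function renderPhrase($text, array $params, $insertParamsEscaped = true)
{
    foreach ($params as $name => $value) {
        if ($insertParamsEscaped) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        $text = str_replace('{' . $name . '}', $value, $text);
    }
    return $text;
}

// Hypothetical helper: escape every user-controlled title first,
// then add the trusted <br /> markup around the escaped values.
function buildTitleList(array $titles)
{
    $html = '';
    foreach ($titles as $title) {
        $html .= '<br />' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    }
    return $html . '<br />';
}

$phrase = 'The threads below:{titles}Contain X and can not be deleted.';
// Constructed sample titles; the second contains markup a user could type.
$titles = array('ABC', 'D<b>E</b>F & co', 'GHI');
$rawList = '<br />' . implode('<br />', $titles) . '<br />';

// 1. Default: the whole parameter is escaped, so the <br /> tags show as text.
echo renderPhrase($phrase, array('titles' => $rawList)), "\n\n";

// 2. Escaping disabled, titles inserted raw: markup in a title reaches the page.
echo renderPhrase($phrase, array('titles' => $rawList), false), "\n\n";

// 3. Escaping disabled, each title escaped before the <br /> tags are added.
echo renderPhrase($phrase, array('titles' => buildTitleList($titles)), false), "\n";
```

With the real class, the third case corresponds to `new XenForo_Phrase('threads_x_error', array('titles' => buildTitleList($titles)), false)`.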
 

Snog

Well-known member
Thanks @Arty and @Mike, I had completely forgotten about the false parameter because in 99.99% of the cases it's not needed.

And of course I was also ignoring the fact that Eclipse was giving me the answer all along.:rolleyes:
Oops.png
 