As designed HTML In Phrase Variables Not Being Parsed

Snog

Well-known member
If you format a phrase variable with HTML, that HTML is not parsed.

IE:
Code:
<p>item 1</p><p>item 2</p><p>item 3</p>

Is displayed as plain unformatted text.
 
Although it was stated at the beginning that phrases support HTML, they don't in all cases so that was removed a while ago.

Some do, some don't.
 
Odd it would be removed. It comes in handy when throwing an error that applies to multiple items in say the inline mod system.

Without it, it looks like you have to throw a single error until all errors are cleared.
 
To clarify, only the text stating that html can be used in phrases was removed.

As far as I am aware, nothing changed functionally.
 
It's not really a bug if we weren't using or expecting HTML in that context. When it comes to translations, the rule of thumb is that if the English version doesn't use HTML, a translation shouldn't because we can't guarantee it'll work. It's more difficult when it comes to add-ons, but if you try to use HTML in a place we're not expecting it, then that would generally be how it's designed.

We'd need specific reproduction steps, but it's unlikely a particular context would change at this point.
 
The reproduction steps are pretty simple.

Create a phrase with a variable. Call it threads_x_error
Code:
The threads below:{titles}Contain X and can not be deleted.

Then populate the variable and send it to the phrase:
Code:
$titles = array('ABC','DEF','GHI');
    
$sendTitles = '';
foreach($titles as $title)
{
      $sendTitles .= '<br/>' . $title . '<br />';
}
    
return $this->responseError(new XenForo_Phrase('threads_x_error',array('titles' => $sendTitles)));

And the result will be:
noformat.webp

The expected result is:
expected.webp
 
Last edited:
Just to add a little twist, if you format the variable using standard \r\n, the system also completely strips that formatting making it impossible to have line feeds in a phrase variable.
 
Try this:
Code:
return $this->responseError(new XenForo_Phrase('threads_x_error',array('titles' => $sendTitles), false));
 
Indeed, the issue here is that you're trying to pass HTML in a parameter. Parameters are HTML escaped by default. Without this, you'd basically have XSSes everywhere. The "false" mentioned by @Arty disables the escaping, which means you'd be responsible for it (escaping the parts other than the HTML you're trying to inject).

So this is very much as designed.
 
Thanks @Arty and @Mike, I had completely forgotten about the false parameter because in 99.99% of the cases it's not needed.

And of course I was also ignoring the fact that Eclipse was giving me the answer all along.:rolleyes:
Oops.webp
 
Top Bottom