authorDavid Rothstein <drothstein@gmail.com>2016-02-01 11:42:53 -0500
committerDavid Rothstein <drothstein@gmail.com>2016-02-01 11:42:53 -0500
commit50c9b281548c18f09f03625a7bd41acc296a18c1 (patch)
tree70400222fe3f9eab7df38cfb6d2649230ba2bf48
parent03cbe6517b64b7b22fb1bbcf3e753634d178cb0d (diff)
Issue #1919338 by catch, bradjones1, mpdonadio, David_Rothstein, Cottser, Jalandhar, shnark, das-peter, swentel, bblake, JvE, dewalt, Damien Tournoud, jwilson3: Select widget (from the options module) prone to double encoding
-rw-r--r--CHANGELOG.txt4
-rw-r--r--modules/field/modules/options/options.module10
-rw-r--r--modules/field/modules/options/options.test3
3 files changed, 15 insertions, 2 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 73d4bc2b7..a00ec9101 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,10 @@
Drupal 7.42, xxxx-xx-xx (development version)
-----------------------
+- Fixed double-encoding bugs in select field widgets provided by the Options
+ module. The fix deprecates the 'strip_tags' property on option widgets and
+ replaces it with a new 'strip_tags_and_unescape' property (minor data
+ structure change).
- Improved MySQL 5.7 support by changing the MySQL database driver to stop
using the ANSI SQL mode alias, which has different meanings for different
MySQL versions.
diff --git a/modules/field/modules/options/options.module b/modules/field/modules/options/options.module
index 3862ba778..041b84a66 100644
--- a/modules/field/modules/options/options.module
+++ b/modules/field/modules/options/options.module
@@ -185,6 +185,7 @@ function _options_properties($type, $multiple, $required, $has_value) {
$base = array(
'filter_xss' => FALSE,
'strip_tags' => FALSE,
+ 'strip_tags_and_unescape' => FALSE,
'empty_option' => FALSE,
'optgroups' => FALSE,
);
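Review bot: The `'strip_tags' => FALSE` entry kept in `$base` directly above the new `'strip_tags_and_unescape'` key is deprecated according to the CHANGELOG entry in this commit, but nothing at its definition says so; the deprecation is only explained by a comment further down in _options_prepare_options. Add `// Deprecated: use 'strip_tags_and_unescape' (or 'filter_xss' when HTML is wanted).` above `'strip_tags' => FALSE,` so that anyone reading _options_properties sees it where the property is declared. The same applies to the 'select' case in the next hunk, where the old key is swapped for the new one without comment. The body of _options_properties continues outside this hunk.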
@@ -195,7 +196,7 @@ function _options_properties($type, $multiple, $required, $has_value) {
case 'select':
$properties = array(
// Select boxes do not support any HTML tag.
- 'strip_tags' => TRUE,
+ 'strip_tags_and_unescape' => TRUE,
'optgroups' => TRUE,
);
if ($multiple) {
@@ -271,9 +272,16 @@ function _options_prepare_options(&$options, $properties) {
_options_prepare_options($options[$value], $properties);
}
else {
+ // The 'strip_tags' option is deprecated. Use 'strip_tags_and_unescape'
+ // when plain text is required (and where the output will be run through
+ // check_plain() before being inserted back into HTML) or 'filter_xss'
+ // when HTML is required.
if ($properties['strip_tags']) {
$options[$value] = strip_tags($label);
}
+ if ($properties['strip_tags_and_unescape']) {
+ $options[$value] = decode_entities(strip_tags($label));
+ }
if ($properties['filter_xss']) {
$options[$value] = field_filter_xss($label);
}
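Review bot: The new `decode_entities(strip_tags($label))` branch produces text that can again contain raw `<`, `>` and `&` (an allowed value of `&lt;script&gt;` becomes the literal string `<script>`), so the result is safe only if every consumer escapes it with check_plain() before output; the inline comment says as much, but that contract belongs in the docblock of _options_prepare_options, whose signature and docblock lie outside this hunk. I would add to that docblock, for the 'strip_tags_and_unescape' property: `Output is plain text, not HTML; it MUST be run through check_plain() (or an equivalent escaper) before being inserted into markup.` Separately, each of the three `if` branches assigns from `$label` rather than from the previous result, so when a caller sets more than one of 'strip_tags', 'strip_tags_and_unescape' and 'filter_xss' the last branch silently wins; this predates the commit, but a one-line comment stating the precedence (`// Later properties override earlier ones; they do not chain.`) would prevent the new key from being combined with 'strip_tags' in the belief that both apply.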
diff --git a/modules/field/modules/options/options.test b/modules/field/modules/options/options.test
index 7183311b2..0e19f52ff 100644
--- a/modules/field/modules/options/options.test
+++ b/modules/field/modules/options/options.test
@@ -24,7 +24,7 @@ class OptionsWidgetsTestCase extends FieldTestCase {
'cardinality' => 1,
'settings' => array(
// Make sure that 0 works as an option.
- 'allowed_values' => array(0 => 'Zero', 1 => 'One', 2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>'),
+ 'allowed_values' => array(0 => 'Zero', 1 => 'One', 2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>', 3 => 'Some HTML encoded markup with &lt; &amp; &gt;'),
),
);
$this->card_1 = field_create_field($this->card_1);
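Review bot: The new fixture `3 => 'Some HTML encoded markup with &lt; &amp; &gt;'` is only checked positively (an assertRaw of the same entity string in a later hunk of this file), which does not state the regression being guarded against: a double-encoded rendering would contain `&amp;lt;`, and a negative assertion makes that explicit and fails with a clearer message. Next to the existing assertRaw, add `$this->assertNoRaw('Some HTML encoded markup with &amp;lt; &amp;amp; &amp;gt;', 'Option text was not double-encoded.');`. The hunk that holds the assertion ends outside this view, and the setUp method this fixture belongs to continues outside this hunk.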
@@ -233,6 +233,7 @@ class OptionsWidgetsTestCase extends FieldTestCase {
$this->assertNoOptionSelected("edit-card-1-$langcode", 1);
$this->assertNoOptionSelected("edit-card-1-$langcode", 2);
$this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+ $this->assertRaw('Some HTML encoded markup with &lt; &amp; &gt;', 'HTML entities in option text were properly handled and not double-encoded');
// Submit form: select invalid 'none' option.
$edit = array("card_1[$langcode]" => '_none');