From 98a5fb14193b598be05a20e1f14cf171534bfae7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?= <gabor@hojtsy.hu>
Date: Sun, 4 Nov 2007 14:18:56 +0000
Subject: #186963 by JirkaRybka: remove HTML from link titles (attribute
 values) if it seems we have tags included

---
 includes/common.inc | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'includes')

diff --git a/includes/common.inc b/includes/common.inc
index 0524982c4..1850e96e1 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1396,6 +1396,13 @@ function l($text, $path, $options = array()) {
       $options['attributes']['class'] = 'active';
     }
   }
+
+  // Remove all HTML and PHP tags from a tooltip. For best performance, we act only
+  // if a quick strpos() pre-check gave a suspicion (because strip_tags() is expensive).
+  if (isset($options['attributes']['title']) && strpos($options['attributes']['title'], '<') !== FALSE) {
+    $options['attributes']['title'] = strip_tags($options['attributes']['title']);
+  }
+
   return '<a href="'. check_url(url($path, $options)) .'"'. drupal_attributes($options['attributes']) .'>'. ($options['html'] ? $text : check_plain($text)) .'</a>';
 }
 
-- 
cgit v1.2.3