CiviCRM Community Forums (archive)

A client asked me to look at this today - he was displaying CiviCRM information in a view, and the HTML content was being escaped, so you'd end up with <p>Blah blah.</p> in the page.

By inspecting the view using theme_devel module, I found that views was using views-view-fields.tpl.php to display each field.

I added some debugging to identify the field ID which contained the HTML, and then inspected the $field variable which is where views gets the information from. This revealed that the raw HTML was stored in $field->raw, while views was using $field->content.

For security, I applied Drupal's default input filter to the HTML before display using check_markup(). The second parameter to check_markup() is the ID of the Drupal input filter to use; you should check that the input filter you use is appropriately restrictive, ESPECIALLY if accepting submitted data from users and displaying it in a view.

Here's the resulting code for views-view-fields.tpl.php that we used:

<?php
// $Id: views-view-fields.tpl.php,v 1.6 2008/09/24 22:48:21 merlinofchaos Exp $
/**
 * @file views-view-fields.tpl.php
 * Default simple view template to all the fields as a row.
 *
 * - $view: The view in use.
 * - $fields: an array of $field objects. Each one contains:
 *   - $field->content: The output of the field.
 *   - $field->raw: The raw data for the field, if it exists. This is NOT output safe.
 *   - $field->class: The safe class id to use.
 *   - $field->handler: The Views field handler object controlling this field. Do not use
 *     var_export to dump this object, as it can't handle the recursion.
 *   - $field->inline: Whether or not the field should be inline.
 *   - $field->inline_html: either div or span based on the above flag.
 *   - $field->separator: an optional separator that may appear before a field.
 * - $row: The raw result object from the query, with all data it fetched.
 *
 * @ingroup views_templates
 */
?>
<?php foreach ($fields as $id => $field): ?>
  <?php if (!empty($field->separator)): ?>
    <?php print $field->separator; ?>
  <?php endif; ?>

  <<?php print $field->inline_html;?> class="views-field-<?php print $field->class; ?>">
    <?php if ($field->label): ?>
      <label class="views-label-<?php print $field->class; ?>">
        <?php print $field->label; ?>:
      </label>
    <?php endif; ?>
      <?php
      // $field->element_type is either SPAN or DIV depending upon whether or not
      // the field is a 'block' element type or 'inline' element type.
      ?>
      <<?php print $field->element_type; ?> class="field-content">
        <?php if ( $id == 'description' ) : ?>
          <?php
            /**
             * to enable HTML in more fields, update the test above - eg to
             * also allow field "myotherfield", you'd replace the if() above 
             * with
             *
             *   if ( $id == 'description' || $id == 'myotherfield' ) :
             * 
             * this is description which is HTML text - we want to extract
             * the raw HTML version (which is in $field->raw instead of 
             * $field->content), then run it through check_markup() to strip
             * any disallowed HTML tags or other HTML naughties
             *
             * the second param to check_markup() is the ID of the filter
             * format to use (from filter_formats DB table)
             */
            print check_markup($field->raw,1) ; 
           ?>       
        <?php else : ?>
          <?php print $field->content; ?>
        <?php endif ; ?>
      </<?php print $field->element_type; ?>>
  </<?php print $field->inline_html;?>>
<?php endforeach; ?>


I had better luck overriding just the description field.  But thanks for your code as I couldn't have done it without.

views-view-field--civi-events2--description.tpl.php
<?php
// $Id: views-view-field.tpl.php,v 1.1 2008/05/16 22:22:32 merlinofchaos Exp $
 /**
  * This template is used to print a single field in a view. It is not
  * actually used in default Views, as this is registered as a theme
  * function which has better performance. For single overrides, the
  * template is perfectly okay.
  *
  * Variables available:
  * - $view: The view object
  * - $field: The field handler object that can process the input
  * - $row: The raw SQL result that can be used
  * - $output: The processed output that will normally be used.
  *
  * When fetching output from the $row, this construct should be used:
  * $data = $row->{$field->field_alias}
  *
  * The above will guarantee that you'll always get the correct data,
  * regardless of any changes in the aliasing that might happen if
  * the view is modified.
  */
?>
<?php print check_markup($row->civicrm_event_description,1) ; ?>