No Code Attached Yet
peterhulst
15 Sep 2025

Is your feature request related to a problem? Please describe.

It is impossible to display an image (e.g. GIF) in front of the article title in the Category List.
Inserting an image now displays the path of the image rather than the image itself.

Describe the solution you'd like

The display of the image should be possible. See attachment
This can be realised with a template override, but I do not understand why the title display is escaped.

Additional context

Solution
In components\com_content\tmpl\categories\default-articles.php:

<?php echo $this->escape($article->title); ?> --> <?php echo $article->title; ?>

Image
peterhulst - open - 15 Sep 2025
joomla-cms-bot - change - 15 Sep 2025
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 15 Sep 2025
SniperSister - comment - 17 Sep 2025

So, if I understand you correctly, you are storing an img-Tag in the article title?

peterhulst - comment - 17 Sep 2025

> So, if I understand you correctly, you are storing an img-Tag in the article title?

Hello, the image is placed before the article title. In case an article is new (or updated) it is marked. The mark is automatically removed after e.g. 3 days after the creation (or modification) date. This is done using an updated version of plugin ContentNotifier. That's why I asked for this feature.
Regards, Peter

brianteeman - comment - 17 Sep 2025

The question is how are you inserting the image? Are you manually entering the code for the image in the article title field or as you now hint at is it done automatically by a plugin?

If it's the former then that will not be changing as that would be removing a level of content security.
If it's the latter then instead of modifying the article title in the plugin you need to have the plugin insert/append the image before echo-ing the title. See how the item state badges are inserted.

peterhulst - comment - 17 Sep 2025

It's the latter.
The image is automatically added before the title using a plugin
(e.g. $article->title = $newimghtml . $article->title;
with: $newimghtml = HTMLHelper::image("contentnotifier/new.gif", "new.gif", 'class="pch_contentnotifier_new"', true);
)

Where can I find: 'See how the item state badges are inserted' ??

SniperSister - comment - 17 Sep 2025

@peterhulst In that case, the issue is not the Joomla core approach but your approach: the Joomla core assumes that "normal" input fields are plaintext and do not contain any HTML markup; that's a fundamental assumption in the architecture - and because that's the case, escaping the output can be safely performed. As you break that assumption, you run into issues.

Proper workaround would be to implement an override for the mentioned module that checks the article date and outputs the image inline in the override.
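
The approach suggested above, as an added example that is not part of the thread and is neither Joomla core nor ContentNotifier code: the title stays plain text and is escaped on output, while the badge is trusted markup the template builds itself from the article dates. It is plain PHP so it runs stand-alone; `escapeHtml()` stands in for the view's `$this->escape()`, and the function names, the image path and the sample articles are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const BADGE_DAYS = 3; // the "e.g. 3 days" window mentioned in the thread

/** Stand-in for $this->escape(): encode a value for an HTML text or attribute context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Markup generated by the template itself; it is never stored in the title field. */
function newBadge(DateTimeImmutable $changed, DateTimeImmutable $now): string
{
    $ageDays = ($now->getTimestamp() - $changed->getTimestamp()) / 86400;
    if ($ageDays < 0 || $ageDays > BADGE_DAYS) {
        return ''; // too old, or dated in the future: no badge
    }
    // Hypothetical image path; the class name is taken from the plugin snippet in the thread.
    return '<img src="' . escapeHtml('/media/contentnotifier/new.gif')
        . '" alt="new" class="pch_contentnotifier_new"> ';
}

/** Badge first (trusted, built here), then the title (untrusted, escaped at output). */
function renderTitleCell(object $article, DateTimeImmutable $now): string
{
    $changed = new DateTimeImmutable($article->modified ?: $article->created);
    return newBadge($changed, $now) . escapeHtml($article->title);
}

// Constructed sample data, not taken from any real site.
$now = new DateTimeImmutable('2025-09-17 12:00:00');
$articles = [
    (object) ['title' => 'Release notes', 'created' => '2025-09-16 09:00:00', 'modified' => ''],
    (object) ['title' => 'Tips & <b>tricks</b>', 'created' => '2025-09-01 08:00:00', 'modified' => '2025-09-15 10:00:00'],
    (object) ['title' => 'Old & stable', 'created' => '2025-01-01 00:00:00', 'modified' => ''],
];

foreach ($articles as $article) {
    echo renderTitleCell($article, $now), PHP_EOL;
}
```

In a template override the existing `$this->escape($article->title)` call stays untouched and only the badge output is added in front of it, so markup typed into a title field is still rendered as text.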

peterhulst - comment - 17 Sep 2025

@SniperSister But the article title does not contain any HTML markup but only plaintext.
I see no reason to escape the output in default_articles.php, so <?php echo $this->escape($article->title); ?> can safely also be replaced by <?php echo $article->title; ?>

Or do I overlook something?

I already have used an override solution for that modification.

SniperSister - comment - 17 Sep 2025

> But the article title does not contain any HTML markup but only plaintext.

Correct! And because that's the case, it can be safely escaped. Security 1x1: all user input is evil - so you always handle it as potentially malicious (and therefore escape it) until proven otherwise.

peterhulst - comment - 17 Sep 2025

@SniperSister I agree that the INPUT should be escaped properly, to prevent evil input, but when properly escaped I see no extra protection in escaping the OUTPUT. So in my opinion, <?php echo $article->title; ?> is completely safe and <?php echo $this->escape($article->title); ?> is useless and redundant coding.

SniperSister - comment - 17 Sep 2025

See https://top10proactive.owasp.org/archive/2018/c4-encode-escape-data/

> Output encoding is best applied just before the content is passed to the target interpreter

It's neither useless nor redundant, it's an industry best practice.

peterhulst - comment - 17 Sep 2025

@SniperSister Thank you for the reference.
I'm from the generation that less coding is better with equivalent functionality.
I am convinced and will make a template override.

SniperSister - change - 17 Sep 2025
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2025-09-17 12:24:24
Closed_By: SniperSister
SniperSister - close - 17 Sep 2025
