Why is HTML being escaped when using Drupal tokens?

Date Published: October 2, 2020

HTML is escaped when using Drupal tokens in Site studio as a security measure, this follows Drupal core.

If HTML is input into something like a node title field and then a token such as [node:title] is used within a Site studio component the HTML inside the field will be escaped and render as a string. This follows Drupal core.

If you require the HTML to not be escaped for specific tokens you can use the below hook_tokens_alter() in your custom code:

This example alters the menu link title value token to allow HTML.

/**
 * Implements hook_tokens_alter().
 **/
function cohesion_tokens_alter(array &$replacements, array $context,\Drupal\Core\Render\BubbleableMetadata $bubbleable_metadata) {
  if(isset($replacements['[menu_link_content:title:value]'])) {
    $replacements['[menu_link_content:title:value]'] = \Drupal\Core\Render\Markup::create(Drupal\Component\Utility\Html::decodeEntities($replacements['[menu_link_content:title:value]']));
  }
}