Placeholders get translated to <div id="PLACEHOLDER">. The value of PLACEHOLDER must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens (“-”), underscores (“_”), colons (“:”), and periods (“.”) to comply with HTML 4.01.

Up to r5262 we didn’t check this at all (when expressions are used for placeholders).

In r5262 filtering is added to be html compliant, but it still allows symbols like ‘+’.

Still needs to be fixed with correct filtering.

Submitted by Elmer van Chastelet on 19 July 2012 at 15:48