Commit 948f3ff9 authored by yched's avatar yched

Security fix http://drupal.org/node/406520

+ #319778 Optionwidgets: Fix double encoding issues for &, >, <,... chars in select lists.
parent 1b39d666
//$Id$
CCK 6.x-2.x
CCK 6.x-2.2
===========
IMPORTANT:
This release fixes a security issue (XSS vulnerability) in nodereference and userreference modules.
All sites are using CCK for Drupal 6 are strongly encouraged to upgrade to CCK 2.2.
Note that the Drupal 5 versions are not affected.
See the Security Annoucement on http://drupal.org/node/406520 for more informations.
Features:
- #361311 Add poll settings forms to Manage fields screen.
- Add book form to Manage fields screen.
......@@ -50,6 +57,7 @@ should be enough, though.
- #360712 by tombigel - CSS tweaks for RTL languages.
- #375316 Nodereference/Userreference: Ensure allowed values always return at least an empty array.
- #368155 Nodereference/Userreference: Fix performance issue on large sites when validating empty noderef/userref fields.
- #319778 Optionwidgets: Fix double encoding issues for &, >, <,... chars in select lists.
CCK 6.x-2.1
===========
......
......@@ -697,9 +697,7 @@ function nodereference_allowed_values($field) {
$options = array();
foreach ($references as $key => $value) {
// Views theming runs check_plain (htmlentities) on the values.
// We reverse that with html_entity_decode.
$options[$key] = html_entity_decode(strip_tags($value['rendered']), ENT_QUOTES);
$options[$key] = $value['rendered'];
}
return $options;
}
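Review bot: `nodereference_allowed_values()` now hands `$value['rendered']` through untouched, so it is only safe if every `_nodereference_potential_references_*` backend already `check_plain()`s that key; this commit fixes the `_standard` backend (next hunk) but the contract itself is documented nowhere, and the dropped comment was the only hint that escaping happens upstream. Suggest a replacement comment on the assignment: `// 'rendered' must already be HTML-safe: each potential_references backend is responsible for check_plain()-ing it (see _nodereference_potential_references_standard()).` The `'title'` key in the same array stays the raw node title, so any caller that prints `'title'` instead of `'rendered'` still has to escape it itself. If `check_plain()` follows the Drupal 6 behaviour of returning `''` for invalid UTF-8, a title that fails validation yields an empty option label here — worth confirming that is acceptable rather than falling back to the nid.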
......@@ -881,7 +879,7 @@ function _nodereference_potential_references_standard($field, $string = '', $mat
while ($node = db_fetch_object($result)) {
$references[$node->nid] = array(
'title' => $node->node_title,
'rendered' => $node->node_title,
'rendered' => check_plain($node->node_title),
);
}
......
......@@ -233,6 +233,10 @@ function optionwidgets_select_process($element, $edit, &$form_state, $form) {
}
$options = optionwidgets_options($field);
// For this specific widget, HTML should be filtered out and entities left unencoded.
// See content_allowed_values / content_filter_xss / filter_xss.
$options = array_map(create_function('$opt', 'return html_entity_decode(strip_tags($opt), ENT_QUOTES);'), $options);
$element[$field_key] = array(
'#type' => 'select',
'#title' => $element['#title'],
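Review bot: The added `html_entity_decode(strip_tags($opt), ENT_QUOTES)` omits the charset argument, which on the PHP 5.2/5.3 releases Drupal 6 runs on defaults to ISO-8859-1 (it only became UTF-8 in PHP 5.4), so entities such as `&eacute;` or `&#233;` decode to single Latin-1 bytes and corrupt UTF-8 option labels; pass it explicitly, `return html_entity_decode(strip_tags($opt), ENT_QUOTES, 'UTF-8');`. The strip-then-decode order is the right one (decoding first would turn `&lt;b&gt;` into markup that `strip_tags()` would then delete), and the comment should state why handing unescaped labels to `#type select` is safe — presumably because the select's theming escapes option labels again; confirm against `form_select()` before relying on it. `create_function()` also goes through `eval()` on every call; a named helper such as `_optionwidgets_decode_option($opt)` avoids that and is easier to audit. `optionwidgets_select_process()` begins and ends outside this hunk.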
......
......@@ -608,9 +608,7 @@ function userreference_allowed_values($field) {
$options = array();
foreach ($references as $key => $value) {
// Views theming runs check_plain (htmlentities) on the values.
// We reverse that with html_entity_decode.
$options[$key] = html_entity_decode(strip_tags($value['rendered']), ENT_QUOTES);
$options[$key] = $value['rendered'];
}
return $options;
}
......@@ -805,7 +803,7 @@ function _userreference_potential_references_standard($field, $string = '', $mat
while ($user = db_fetch_object($result)) {
$users[$user->uid] = array(
'title' => $user->name,
'rendered' => $user->name,
'rendered' => check_plain($user->name),
);
}
return $users;
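Review bot: After this change the `$users[$user->uid]` array carries an escaped copy of the name under `'rendered'` and the raw one under `'title'` on the line above, with nothing marking which is which, and `userreference_allowed_values()` (earlier hunk) now exposes `'rendered'` unchanged. Suggest annotating the two keys: `// 'title' is the raw, unescaped user name; 'rendered' is the check_plain()ed copy that userreference_allowed_values() passes through as-is.` Only the `_standard` backend is escaped here; if `_userreference_potential_references_views()` or any other backend can fill `'rendered'`, it must apply the same escaping or the XSS fix is incomplete — I cannot verify that from this hunk. `_userreference_potential_references_standard()` starts before L67 and its closing brace is outside the hunk.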
......