Commit 94c484c9 authored by yched's avatar yched

security fix - missing check_plain's in noderef module

parent aafdf621
// $Id$
4.7--1.x-dev
============
4.7--1.6
========
IMPORTANT : this release fixes two cross-site scripting (XSS) vulnerabilities
in nodereference.module :
- when a nodereference field is displayed using the 'plain' formatter
- when a nodereference field is edited using the 'autocomplete text field' widget
(only when _not_ using the 'advanced options - Views.module' for the field)
All sites using CCK / nodereference.module should consider upgrading to this release
as soon as possible.
Features
--------
......@@ -15,7 +24,7 @@ General
Field / widget modules
- #152892 Optionwidgets : Better help text for 'single on/off checkbox' widget label.
- #65133 / #152016 Nodereference : Added 'full node' and 'teaser' formatters.
- #126926 Skip node_load in noderef formatter.
- #126926 Nodereference : Skip node_load in 'title'-based formatters.
Bugfix
------
......@@ -23,16 +32,17 @@ Bugfix
General
- #155416 Limit non standard CSS (transparency) to the field overview page.
- #149832 Use 'plain' format for views argument handler ($op = 'title').
- Added whitespace after field labels on node display
- #137900 Added whitespace after field labels on node display
Field / widget modules
- Nodereference : Fixed XSS vulnerabilities (missing check_plain's around node titles).
- #147205 Nodereference : Fixed 'advanced settings - view arguments' not working.
- #155327 Nodereference : Added missing "n." table aliases in 'referenceable nodes' query.
- #153284 Nodereference : Fix unneeded and repeating {view_view} queries when
'advanced (Views) node selection' is *not* used.
- #150297 Nodereference : Fix encoded raw htmlentities appearing in select widgets when using
'advanced (Views) node selection' is used.
- #129016 Nodereference : Prevent possible errors when formatter gets called with non numeric 'nid'.
- #153284 Nodereference : Fix unneeded and repeating {view_view} queries
when 'advanced (Views) node selection' is *not* used.
- #150297 Nodereference : Fix encoded raw htmlentities appearing in select widgets
when 'advanced (Views) node selection' is used.
- #129016 Nodereference : Prevent possible errors if formatter is called with non numeric 'nid'.
4.7--1.5-1
==========
......
......@@ -105,13 +105,13 @@ function nodereference_field_settings($op, $field) {
case 'filters':
return array(
'default' => array(
'list' => '_nodereference_filter_handler',
'list-type' => 'list',
'operator' => 'views_handler_operator_or',
'value-type' => 'array',
'extra' => array('field' => $field),
),
);
'list' => '_nodereference_filter_handler',
'list-type' => 'list',
'operator' => 'views_handler_operator_or',
'value-type' => 'array',
'extra' => array('field' => $field),
),
);
}
}
......@@ -207,7 +207,7 @@ function nodereference_field_formatter($field, $item, $formatter, $node) {
return node_view($referenced_node, TRUE);
case 'plain':
return $titles[$item['nid']];
return check_plain($titles[$item['nid']]);
default:
return l($titles[$item['nid']], 'node/'. $item['nid']);
......@@ -524,7 +524,7 @@ function theme_nodereference_item_advanced($item, $view) {
}
function theme_nodereference_item_simple($item) {
return $item->node_title;
return check_plain($item->node_title);
}
/**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment