Commit 2aba929c authored by dsnopek's avatar dsnopek Committed by dsnopek

Issue #3064316 by dsnopek: [advanced_forum] Add D6LTS patch for SA-CONTRIB-2019-054

parent df8b0400
diff --git a/includes/advanced_forum_preprocess_forum_list.inc b/includes/advanced_forum_preprocess_forum_list.inc
index 550d8d4..592a758 100644
--- a/includes/advanced_forum_preprocess_forum_list.inc
+++ b/includes/advanced_forum_preprocess_forum_list.inc
@@ -265,9 +265,10 @@ function advanced_forum_process_forum($forum) {
$forum->link = url("forum/$forum->tid");
// Sanitise the name and description so they can be safely printed.
- // We don't do this for subforum names because that is sent through l()
- // in the theme function which runs it through check_plain().
- $forum->name = empty($forum->parents[0]) ? check_plain($forum->name) : $forum->name;
+ // We don't do check_plain() for subforum names because those should go
+ // through l() in the advanced_forum_subforum_list theme function and l()
+ // includes check_plain().
+ $forum->name = empty($forum->parents[0]) ? check_plain($forum->name) : filter_xss_admin($forum->name);
$forum->description = !empty($forum->description) ? filter_xss_admin($forum->description) : '';
// Initialize these variables to avoid notices later since not all forums
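Review bot: The rewritten comment above the `$forum->name` assignment still explains only why check_plain() is skipped for subforum names; it does not say why filter_xss_admin() is now applied to them, so a later reader could remove the call as redundant. filter_xss_admin() strips script-capable markup but keeps most HTML tags, so a subforum name that a template prints without l() would, as far as this hunk shows, still render any permitted tags it contains. I would add `// filter_xss_admin() is defence in depth for templates that print the subforum name without l().` after the existing comment lines. The body of advanced_forum_process_forum() starts before and continues after this hunk.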
diff --git a/includes/template_preprocess_advanced_forum_topic_list_view.inc b/includes/template_preprocess_advanced_forum_topic_list_view.inc
index 6bccba5..12d4452 100644
--- a/includes/template_preprocess_advanced_forum_topic_list_view.inc
+++ b/includes/template_preprocess_advanced_forum_topic_list_view.inc
@@ -75,7 +75,7 @@ function _template_preprocess_advanced_forum_topic_list_view(&$variables) {
// Shadow (moved) topics.
if ($forum && !in_array($row->topic_actual_forum, $forum)) {
$term = taxonomy_get_term($row->topic_actual_forum);
- $variables['shadow'][$count] = theme('advanced_forum_shadow_topic', $row->node_title, $row->nid, $term->name);
+ $variables['shadow'][$count] = theme('advanced_forum_shadow_topic', check_plain($row->node_title), $row->nid, empty($term->name) ? "" : check_plain($term->name));
}
else {
$variables['shadow'][$count] = FALSE;
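Review bot: Escaping `$row->node_title` and `$term->name` at the call site changes what the `advanced_forum_shadow_topic` theme hook receives, and nothing on the new line records that its arguments are now pre-escaped. The theme implementation is not visible in this hunk; if it, or a site's override, passes the title to l() without `'html' => TRUE`, entities would be escaped twice and titles containing `&` or quotes would display incorrectly. I would add `// Title and forum name are escaped here; the theme hook must output them as-is.` above the call and state the same in the hook's documentation. The enclosing function starts and ends outside this hunk.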