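--- /dev/null
+++ b/common/contrib/webform/SA-CONTRIB-2019-096.patch
@@ -0,0 +1,15 @@
+diff --git a/webform.module b/webform.module
+index 93e649e..6a258a9 100644
+--- a/webform.module
++++ b/webform.module
+@@ -2890,6 +2890,10 @@ function _webform_filter_values($string, $node = NULL, $submission = NULL, $emai
+ $replacement = webform_strtodate(webform_date_format(), $value['month'] . '/' . $value['day'] . '/' . $value['year'], 'UTC');
+ }
+ else {
++ // Apply XSS filtering, but only when the value is a string;
++ // since filter_xss() expects a string as parameter.
++ $value = is_string($value) ? filter_xss($value) : $value;
++
+ // Checking for complex types (arrays and objects) fails here with
+ // incomplete objects (see http://php.net/is_object), so we check
+ // for simple types instead.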
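Review bot: The added `filter_xss($value)` in the `else` branch is an HTML-body filter: it strips disallowed markup but keeps Drupal's default allowed tags and leaves quote characters untouched, so it only protects replacements that end up in HTML element content. The signature is cut off at `$emai` and the body continues outside the hunk, so this is inferred, but if the result of `_webform_filter_values()` can reach an attribute value, that call site still needs `check_plain()`. If it can reach a plain-text e-mail, legitimate `<`/`>` characters in a submission will now be altered. The date branch just above builds its string from `$value['month']`, `$value['day']` and `$value['year']` without the new filter, so it is worth confirming that `webform_strtodate()` normalises those parts. I would record the assumption next to the new line, e.g. `// filter_xss() covers HTML body context only; attribute and plain-text callers must escape separately.`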