From 0d89f29a3fd72e328346eb3e06dbb4b4b99bc403 Mon Sep 17 00:00:00 2001
From: Steven Wittens <steven@10.no-reply.drupal.org>
Date: Thu, 9 Feb 2006 08:28:53 +0000
Subject: [PATCH] - #48616: check_plain() incorrectly applies to page titles in
 statistics

---
 modules/statistics.module            | 2 +-
 modules/statistics/statistics.module | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/statistics.module b/modules/statistics.module
index 13342f6a3c8d..18df4d783928 100644
--- a/modules/statistics.module
+++ b/modules/statistics.module
@@ -78,7 +78,7 @@ function statistics_exit() {
   }
   if ((variable_get('statistics_enable_access_log', 0)) && (module_invoke('throttle', 'status') == 0)) {
     // Log this page access.
-    db_query("INSERT INTO {accesslog} (title, path, url, hostname, uid, sid, timer, timestamp) values('%s', '%s', '%s', '%s', %d, '%s', %d, %d)", drupal_get_title(), $_GET['q'], referer_uri(), $_SERVER['REMOTE_ADDR'], $user->uid, session_id(), timer_read('page'), time());
+    db_query("INSERT INTO {accesslog} (title, path, url, hostname, uid, sid, timer, timestamp) values('%s', '%s', '%s', '%s', %d, '%s', %d, %d)", decode_entities(strip_tags(drupal_get_title())), $_GET['q'], referer_uri(), $_SERVER['REMOTE_ADDR'], $user->uid, session_id(), timer_read('page'), time());
   }
 }
 
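Review bot: The value now written to the `title` column by the changed `db_query()` call is decoded plain text rather than HTML, so a title containing `&lt;b&gt;` is stored as a literal `<b>`, and nothing in the hunk records that readers of `{accesslog}` must escape it on output. I would add a comment above the call, for example `// Title is stored as plain text (tags stripped, entities decoded); run it through check_plain() when displaying.` The `'%s'` placeholders keep the insert itself parameterized, so the concern is the display side, which is outside this hunk and presumably lives in the statistics report pages. The identical line is changed in modules/statistics/statistics.module and the same comment applies there. statistics_exit() begins before the hunk, so the rest of its body is not visible here.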
diff --git a/modules/statistics/statistics.module b/modules/statistics/statistics.module
index 13342f6a3c8d..18df4d783928 100644
--- a/modules/statistics/statistics.module
+++ b/modules/statistics/statistics.module
@@ -78,7 +78,7 @@ function statistics_exit() {
   }
   if ((variable_get('statistics_enable_access_log', 0)) && (module_invoke('throttle', 'status') == 0)) {
     // Log this page access.
-    db_query("INSERT INTO {accesslog} (title, path, url, hostname, uid, sid, timer, timestamp) values('%s', '%s', '%s', '%s', %d, '%s', %d, %d)", drupal_get_title(), $_GET['q'], referer_uri(), $_SERVER['REMOTE_ADDR'], $user->uid, session_id(), timer_read('page'), time());
+    db_query("INSERT INTO {accesslog} (title, path, url, hostname, uid, sid, timer, timestamp) values('%s', '%s', '%s', '%s', %d, '%s', %d, %d)", decode_entities(strip_tags(drupal_get_title())), $_GET['q'], referer_uri(), $_SERVER['REMOTE_ADDR'], $user->uid, session_id(), timer_read('page'), time());
   }
 }
 
-- 
GitLab