Commit 16fd8c89 authored by Steven Wittens's avatar Steven Wittens

- sa-2006-002: XSS issues with username log and mission

parent 2fb572d0
...@@ -958,7 +958,7 @@ function theme_username($object) { ...@@ -958,7 +958,7 @@ function theme_username($object) {
$output = l($name, 'user/'. $object->uid, array('title' => t('View user profile.'))); $output = l($name, 'user/'. $object->uid, array('title' => t('View user profile.')));
} }
else { else {
$output = $name; $output = check_plain($name);
} }
} }
else if ($object->name) { else if ($object->name) {
...@@ -967,10 +967,10 @@ function theme_username($object) { ...@@ -967,10 +967,10 @@ function theme_username($object) {
// aggregator modules). This clause enables modules to display // aggregator modules). This clause enables modules to display
// the true author of the content. // the true author of the content.
if ($object->homepage) { if ($object->homepage) {
$output = '<a href="'. $object->homepage .'">'. $object->name .'</a>'; $output = l($object->name, $object->homepage);
} }
else { else {
$output = $object->name; $output = check_plain($object->name);
} }
$output .= ' ('. t('not verified') .')'; $output .= ' ('. t('not verified') .')';
......
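Review bot: The homepage branch in the second hunk now delegates escaping to l(), but l() is not in the hunk, so it needs confirming that it runs $object->name through check_plain() and the href through check_url() — if l() emits its text argument verbatim, the unverified-author name stays unescaped in exactly the case this commit targets. $object->homepage is a user-supplied URL placed in an href, so protocol filtering of the link target matters as much as entity-encoding the name. A short comment above the call would record that dependency for the next reader: `// l() is relied on to escape both the link text (check_plain) and the href (check_url); both values are user-supplied.` theme_username's body starts before the first hunk and continues after the second.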
...@@ -143,7 +143,7 @@ function phptemplate_page($content) { ...@@ -143,7 +143,7 @@ function phptemplate_page($content) {
/* Set title and breadcrumb to declared values */ /* Set title and breadcrumb to declared values */
if (drupal_get_path_alias($_GET['q']) == variable_get('site_frontpage', 'node')) { if (drupal_get_path_alias($_GET['q']) == variable_get('site_frontpage', 'node')) {
$mission = theme_get_setting('mission'); $mission = filter_xss(theme_get_setting('mission'));
} }
/* Add favicon */ /* Add favicon */
......
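Review bot: The filter_xss() call at the front-page branch sanitises only this theme engine's copy of the mission; any other theme that calls theme_get_setting('mission') directly would still receive the raw value, so the filtering arguably belongs where the setting is handed out rather than inside phptemplate_page(). filter_xss() with its default tag list keeps admin-authored formatting markup, which is presumably intended for a mission statement; if plain text is sufficient, check_plain() is the stricter choice. Either way a comment on the assignment would make the decision explicit: `// Mission is admin-editable HTML: keep formatting tags, strip scripts and event handlers.` phptemplate_page's body continues outside the hunk.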