- Updated Drupal to use "on output" filters.  Derived from Gerhard's patch.

includes/common.inc

@@ -555,6 +555,10 @@ function rewrite_old_urls($text) {
 
 function check_output($text) {
   if (isset($text)) {
+    // filter content on output:
+    $text = filter($text);
+
+    // get the line breaks right:
     if (strip_tags($text, "<a><i><b><u><tt><code><cite><strong><img>") == $text) {
       $text = nl2br($text);
     }

modules/blog.module

@@ -254,10 +254,4 @@ function blog_block($op = "list", $delta = 0) {
   }
 }
 
-function blog_validate(&$node) {
-  // Make sure all fields are set properly:
-  $node->body = filter($node->body);
-  $node->teaser = filter($node->teaser);
-}
-
 ?>

modules/blog/blog.module

@@ -254,10 +254,4 @@ function blog_block($op = "list", $delta = 0) {
   }
 }
 
-function blog_validate(&$node) {
-  // Make sure all fields are set properly:
-  $node->body = filter($node->body);
-  $node->teaser = filter($node->teaser);
-}
-
 ?>

modules/book.module

@@ -149,8 +149,6 @@ function book_validate(&$node) {
   }
   else {
     $node->format = 0;
-    $node->body = filter($node->body);
-    $node->teaser = filter($node->teaser);
   }
 
   // Set default values for non administrators:
@@ -363,7 +361,7 @@ function book_body($node) {
     ob_end_clean();
   }
   else {
-    $output = check_output(filter($node->body));
+    $output = check_output($node->body);
   }
 
   return $output;

modules/book/book.module

@@ -149,8 +149,6 @@ function book_validate(&$node) {
   }
   else {
     $node->format = 0;
-    $node->body = filter($node->body);
-    $node->teaser = filter($node->teaser);
   }
 
   // Set default values for non administrators:
@@ -363,7 +361,7 @@ function book_body($node) {
     ob_end_clean();
   }
   else {
-    $output = check_output(filter($node->body));
+    $output = check_output($node->body);
   }
 
   return $output;

modules/comment.module

@@ -58,7 +58,7 @@ function comment_user($type, $edit, &$user) {
       return form_textarea(t("Signature"), "signature", $edit["signature"], 70, 3, t("Your signature will be publicly displayed at the end of your comments.") ."<br />". t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>")));
     case "edit_validate":
       // validate user data editing
-      return array("signature" => filter($edit["signature"]));
+      return array("signature" => $edit["signature"]);
   }
 }
 
@@ -160,10 +160,6 @@ function comment_reply($pid, $nid) {
 function comment_preview($edit) {
   global $user;
 
-  foreach ($edit as $key => $value) {
-    $comment->$key = filter($value);
-  }
-
   /*
   ** Attach the user and time information:
   */
@@ -210,8 +206,6 @@ function comment_post($edit) {
     ** Validate the comment's body.
     */
 
-    $edit["comment"] = filter($edit["comment"]);
-
     if ($edit["comment"] == "") {
       return array(t("Empty comment"), t("The comment you submitted is empty."));
     }
@@ -791,7 +785,7 @@ function comment_delete($edit) {
 }
 
 function comment_save($id, $edit) {
-  db_query("UPDATE comments SET subject = '%s', comment = '%s', status = %d WHERE cid = %d", filter($edit["subject"]), filter($edit["comment"]), $edit["status"], $id);
+  db_query("UPDATE comments SET subject = '%s', comment = '%s', status = %d WHERE cid = %d", $edit["subject"], $edit["comment"], $edit["status"], $id);
   watchdog("special", "comment: modified '". $edit["subject"] ."'");
   return "updated comment.";
 }

modules/comment/comment.module

@@ -58,7 +58,7 @@ function comment_user($type, $edit, &$user) {
       return form_textarea(t("Signature"), "signature", $edit["signature"], 70, 3, t("Your signature will be publicly displayed at the end of your comments.") ."<br />". t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>")));
     case "edit_validate":
       // validate user data editing
-      return array("signature" => filter($edit["signature"]));
+      return array("signature" => $edit["signature"]);
   }
 }
 
@@ -160,10 +160,6 @@ function comment_reply($pid, $nid) {
 function comment_preview($edit) {
   global $user;
 
-  foreach ($edit as $key => $value) {
-    $comment->$key = filter($value);
-  }
-
   /*
   ** Attach the user and time information:
   */
@@ -210,8 +206,6 @@ function comment_post($edit) {
     ** Validate the comment's body.
     */
 
-    $edit["comment"] = filter($edit["comment"]);
-
     if ($edit["comment"] == "") {
       return array(t("Empty comment"), t("The comment you submitted is empty."));
     }
@@ -791,7 +785,7 @@ function comment_delete($edit) {
 }
 
 function comment_save($id, $edit) {
-  db_query("UPDATE comments SET subject = '%s', comment = '%s', status = %d WHERE cid = %d", filter($edit["subject"]), filter($edit["comment"]), $edit["status"], $id);
+  db_query("UPDATE comments SET subject = '%s', comment = '%s', status = %d WHERE cid = %d", $edit["subject"], $edit["comment"], $edit["status"], $id);
   watchdog("special", "comment: modified '". $edit["subject"] ."'");
   return "updated comment.";
 }

modules/forum.module

@@ -171,8 +171,6 @@ function forum_view($node, $main = 0) {
 
 function forum_validate(&$node) {
   // Make sure all fields are set properly:
-  $node->body = filter($node->body);
-  $node->teaser = filter($node->teaser);
   $node->icon = $node->icon ? $node->icon : "";
   $node->shadow = $node->shadow ? $node->shadow : 0;
   $node->tid = $node->tid ? $node->tid : 0;

modules/forum/forum.module

@@ -171,8 +171,6 @@ function forum_view($node, $main = 0) {
 
 function forum_validate(&$node) {
   // Make sure all fields are set properly:
-  $node->body = filter($node->body);
-  $node->teaser = filter($node->teaser);
   $node->icon = $node->icon ? $node->icon : "";
   $node->shadow = $node->shadow ? $node->shadow : 0;
   $node->tid = $node->tid ? $node->tid : 0;

modules/node.module

@@ -125,7 +125,7 @@ function node_teaser($body) {
   */
 
   $delimiter = strpos($body, "<!--break-->");
-  if ($delimiter > 0 && $delimiter < $size * 2) {
+  if ($delimiter > 0) {
     return substr($body, 0, $delimiter);
   }
 
@@ -884,6 +884,8 @@ function node_validate($node, &$error) {
   ** Validate the title field:
   */
 
+  $node->title = strip_tags($node->title);
+
   if (isset($node->title) && !$node->title) {
     $error["title"] = theme("theme_error", t("You have to specify a valid title."));
   }
@@ -1222,7 +1224,7 @@ function node_preview($node, $error = NULL) {
     if ($view->teaser && $view->teaser != $view->body) {
       print "<h3>". t("Preview trimmed version") ."</h3>";
       node_view($view, 1);
-      print "<p><i>". t("The trimmed version of your post shows how your post looks like when promoted to the main page or when exported for syndication.  You can insert a delimiter '&lt;!--break--&gt' (without the quotes) to fine-tune where your post gets split.  However note that delimiter will be ignored when misplaced.") ."</i></p>";
+      print "<p><i>". t("The trimmed version of your post shows how your post looks like when promoted to the main page or when exported for syndication.  You can insert a delimiter '&lt;!--break--&gt' (without the quotes) to fine-tune where your post gets split.") ."</i></p>";
       print "<h3>". t("Preview full version") ."</h3>";
       node_view($view, 0);
     }

modules/node/node.module

@@ -125,7 +125,7 @@ function node_teaser($body) {
   */
 
   $delimiter = strpos($body, "<!--break-->");
-  if ($delimiter > 0 && $delimiter < $size * 2) {
+  if ($delimiter > 0) {
     return substr($body, 0, $delimiter);
   }
 
@@ -884,6 +884,8 @@ function node_validate($node, &$error) {
   ** Validate the title field:
   */
 
+  $node->title = strip_tags($node->title);
+
   if (isset($node->title) && !$node->title) {
     $error["title"] = theme("theme_error", t("You have to specify a valid title."));
   }
@@ -1222,7 +1224,7 @@ function node_preview($node, $error = NULL) {
     if ($view->teaser && $view->teaser != $view->body) {
       print "<h3>". t("Preview trimmed version") ."</h3>";
       node_view($view, 1);
-      print "<p><i>". t("The trimmed version of your post shows how your post looks like when promoted to the main page or when exported for syndication.  You can insert a delimiter '&lt;!--break--&gt' (without the quotes) to fine-tune where your post gets split.  However note that delimiter will be ignored when misplaced.") ."</i></p>";
+      print "<p><i>". t("The trimmed version of your post shows how your post looks like when promoted to the main page or when exported for syndication.  You can insert a delimiter '&lt;!--break--&gt' (without the quotes) to fine-tune where your post gets split.") ."</i></p>";
       print "<h3>". t("Preview full version") ."</h3>";
       node_view($view, 0);
     }

modules/page.module

@@ -139,8 +139,6 @@ function page_validate(&$node) {
   }
   else {
     $node->format = 0;
-    $node->body = filter($node->body);
-    $node->teaser = filter($node->teaser);
   }
 }
 

modules/page/page.module

@@ -139,8 +139,6 @@ function page_validate(&$node) {
   }
   else {
     $node->format = 0;
-    $node->body = filter($node->body);
-    $node->teaser = filter($node->teaser);
   }
 }
 

modules/poll.module

@@ -146,7 +146,7 @@ function poll_insert($node) {
 
   for ($i = 0; $i < $node->choices; $i++) {
     if ($node->choice[$i] != "") {
-      db_query("INSERT INTO poll_choices (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, filter($node->choice[$i]), $node->chvotes[$i], $i);
+      db_query("INSERT INTO poll_choices (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $node->choice[$i], $node->chvotes[$i], $i);
     }
   }
 }
@@ -263,7 +263,7 @@ function poll_view_voting(&$node, $main, $block, $links) {
   if ($node->choice) {
     foreach ($node->choice as $key => $value) {
       if ($value != "") {
-        $output .= "<input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" /> $value<br />";
+        $output .= "<input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". filter($value) ."<br />";
       }
     }
   }
@@ -306,7 +306,7 @@ function poll_view_results(&$node, $main, $block, $links) {
         $width = round($node->chvotes[$key] * 100 / $votesmax);
         $percentage = round($node->chvotes[$key] * 100 / max($votestotal, 1));
 
-        $output .= "<div class=\"poll-text\">$value</div>";
+        $output .= "<div class=\"poll-text\">". filter($value) ."</div>";
         $output .= "<div style=\"float:left; width:". $width ."%; height: 1em;\" class=\"poll-foreground\"></div>";
         $output .= "<div style=\"float:left; width:". (100 - $width) ."%; height: 1em;\" class=\"poll-background\"></div>";
         $output .= "<div align=\"right\"> $percentage%". (!$block ? " (". format_plural($node->chvotes[$key], "1 vote", "%count votes") .")" : "") ."</div>";
@@ -379,7 +379,7 @@ function poll_update($node) {
 
   db_query("DELETE FROM poll_choices WHERE nid = %d", $node->nid);
   for ($i = 0; $i < $node->choices; $i++) {
-    $choice->chtext = filter($node->choice[$i]);
+    $choice->chtext = $node->choice[$i];
     $choice->chvotes = (int)$node->chvotes[$i];
     $choice->chorder = $i;
 

modules/poll/poll.module

@@ -146,7 +146,7 @@ function poll_insert($node) {
 
   for ($i = 0; $i < $node->choices; $i++) {
     if ($node->choice[$i] != "") {
-      db_query("INSERT INTO poll_choices (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, filter($node->choice[$i]), $node->chvotes[$i], $i);
+      db_query("INSERT INTO poll_choices (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $node->choice[$i], $node->chvotes[$i], $i);
     }
   }
 }
@@ -263,7 +263,7 @@ function poll_view_voting(&$node, $main, $block, $links) {
   if ($node->choice) {
     foreach ($node->choice as $key => $value) {
       if ($value != "") {
-        $output .= "<input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" /> $value<br />";
+        $output .= "<input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". filter($value) ."<br />";
       }
     }
   }
@@ -306,7 +306,7 @@ function poll_view_results(&$node, $main, $block, $links) {
         $width = round($node->chvotes[$key] * 100 / $votesmax);
         $percentage = round($node->chvotes[$key] * 100 / max($votestotal, 1));
 
-        $output .= "<div class=\"poll-text\">$value</div>";
+        $output .= "<div class=\"poll-text\">". filter($value) ."</div>";
         $output .= "<div style=\"float:left; width:". $width ."%; height: 1em;\" class=\"poll-foreground\"></div>";
         $output .= "<div style=\"float:left; width:". (100 - $width) ."%; height: 1em;\" class=\"poll-background\"></div>";
         $output .= "<div align=\"right\"> $percentage%". (!$block ? " (". format_plural($node->chvotes[$key], "1 vote", "%count votes") .")" : "") ."</div>";
@@ -379,7 +379,7 @@ function poll_update($node) {
 
   db_query("DELETE FROM poll_choices WHERE nid = %d", $node->nid);
   for ($i = 0; $i < $node->choices; $i++) {
-    $choice->chtext = filter($node->choice[$i]);
+    $choice->chtext = $node->choice[$i];
     $choice->chvotes = (int)$node->chvotes[$i];
     $choice->chorder = $i;
 

modules/story.module

@@ -81,10 +81,4 @@ function story_form(&$node, &$help, &$error) {
   return $output;
 }
 
-
-function story_validate(&$node) {
-  // Make sure all fields are set properly:
-  $node->body = filter($node->body);
-  $node->teaser = filter($node->teaser);
-}
 ?>

modules/story/story.module

@@ -81,10 +81,4 @@ function story_form(&$node, &$help, &$error) {
   return $output;
 }
 
-
-function story_validate(&$node) {
-  // Make sure all fields are set properly:
-  $node->body = filter($node->body);
-  $node->teaser = filter($node->teaser);
-}
 ?>