#58641, filter inserted locale strings, patch by myself.

includes/locale.inc

@@ -405,6 +405,7 @@ function _locale_string_edit($lid) {
 function _locale_string_edit_submit($form_id, $form_values) {
   $lid = $form_values['lid'];
   foreach ($form_values as $key => $value) {
+    $value = filter_xss_admin($value);
     $trans = db_fetch_object(db_query("SELECT translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $key));
     if (isset($trans->translation)) {
       db_query("UPDATE {locales_target} SET translation = '%s' WHERE lid = %d AND locale = '%s'", $value, $lid, $key);
@@ -645,7 +646,7 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
   }
   // Some real string to import
   else {
-    $comments = _locale_import_shorten_comments($value['#']);
+    $comments = filter_xss_admin(_locale_import_shorten_comments($value['#']));
 
     // Handle a translation for some plural string
     if (strpos($value['msgid'], "\0")) {
@@ -667,11 +668,11 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
           db_query("UPDATE {locales_source} SET location = '%s' WHERE lid = %d", $comments, $lid);
           $trans2 = db_fetch_object(db_query("SELECT lid, translation, plid, plural FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
           if (!$trans2->lid) { // no translation in current language
-            db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
+            db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
             $additions++;
           } // translation exists
           else if ($mode == 'overwrite' || $trans2->translation == '') {
-            db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", $trans, $plid, $key, $lang, $lid);
+            db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", filter_xss_admin($trans), $plid, $key, $lang, $lid);
             if ($trans2->translation == '') {
               $additions++;
             }
@@ -681,10 +682,10 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
           }
         }
         else { // no string
-          db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english[$key]);
+          db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, filter_xss_admin($english[$key]));
           $loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english[$key]));
           $lid = $loc->lid;
-          db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
+          db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
           if ($trans != '') {
             $additions++;
           }
@@ -704,11 +705,11 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
         db_query("UPDATE {locales_source} SET location = '%s' WHERE source = '%s'", $comments, $english);
         $trans = db_fetch_object(db_query("SELECT lid, translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
         if (!$trans->lid) { // no translation in current language
-          db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
+          db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
           $additions++;
         } // translation exists
         else if ($mode == 'overwrite') { //overwrite in any case
-          db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", $translation, $lang, $lid);
+          db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", filter_xss_admin($translation), $lang, $lid);
           if ($trans->translation == '') {
             $additions++;
           }
@@ -725,7 +726,7 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
         db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english);
         $loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english));
         $lid = $loc->lid;
-        db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
+        db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
         if ($translation != '') {
           $additions++;
         }