- Patch #162381 by Heine et al: properly escape strings.

7a47bef5 · Dries · 673aba15 · 7a47bef5 · 7a47bef5 · 7a47bef5
Commit 7a47bef5 authored Nov 28, 2007 by Dries
15 changed files
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -537,7 +537,7 @@ function blogapi_blogger_title(&$contents) {
 }

 function blogapi_admin_settings() {
-  $node_types = node_get_types('names');
+  $node_types = array_map('check_plain', node_get_types('names'));
  $defaults = isset($node_types['blog']) ? array('blog' => 1) : array();
  $form['blogapi_node_types'] = array(
    '#type' => 'checkboxes',

--- a/modules/filter/filter.install
+++ b/modules/filter/filter.install
@@ -17,7 +17,7 @@ function filter_schema() {
        'type' => 'int',
        'not null' => TRUE,
        'default' => 0,
-        'description' => t('Foreign Key: The {filter_formats}.format to which this filter is assigned.'),
+        'description' => t('Foreign key: The {filter_formats}.format to which this filter is assigned.'),
      ),
      'module' => array(
        'type' => 'varchar',

--- a/modules/node/content_types.inc
+++ b/modules/node/content_types.inc
@@ -18,7 +18,6 @@ function node_overview_types() {
  foreach ($names as $key => $name) {
    $type = $types[$key];
    if (node_hook($type, 'form')) {
-      $name = check_plain($name);
      $type_url_str = str_replace('_', '-', $type->type);
      $row = array(
        l($name, 'admin/content/types/'. $type_url_str),

--- a/modules/node/node.admin.inc
+++ b/modules/node/node.admin.inc
@@ -385,7 +385,7 @@ function node_admin_nodes() {
  while ($node = db_fetch_object($result)) {
    $nodes[$node->nid] = '';
    $form['title'][$node->nid] = array('#value' => l($node->title, 'node/'. $node->nid) .' '. theme('mark', node_mark($node->nid, $node->changed)));
-    $form['name'][$node->nid] =  array('#value' => node_get_types('name', $node));
+    $form['name'][$node->nid] =  array('#value' => check_plain(node_get_types('name', $node)));
    $form['username'][$node->nid] = array('#value' => theme('username', $node));
    $form['status'][$node->nid] =  array('#value' =>  ($node->status ? t('published') : t('not published')));
    if ($multilanguage) {

--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1078,7 +1078,7 @@ function node_search($op = 'search', $keys = NULL) {
      $form = array();
      // Output form for defining rank factor weights.
      $form['content_ranking'] = array(
-        '#type' => 'fieldset', 
+        '#type' => 'fieldset',
        '#title' => t('Content ranking'),
      );
      $form['content_ranking']['#theme'] = 'node_search_admin';
@@ -1099,9 +1099,9 @@ function node_search($op = 'search', $keys = NULL) {
      $options = drupal_map_assoc(range(0, 10));
      foreach ($ranking as $var => $title) {
        $form['content_ranking']['factors'][$var] = array(
-          '#title' => $title, 
-          '#type' => 'select', 
-          '#options' => $options, 
+          '#title' => $title,
+          '#type' => 'select',
+          '#options' => $options,
          '#default_value' => variable_get($var, 5),
        );
      }
@@ -1199,7 +1199,7 @@ function node_search($op = 'search', $keys = NULL) {

        $extra = node_invoke_nodeapi($node, 'search result');
        $results[] = array('link' => url('node/'. $item->sid, array('absolute' => TRUE)),
-                           'type' => node_get_types('name', $node),
+                           'type' => check_plain(node_get_types('name', $node)),
                           'title' => $node->title,
                           'user' => theme('username', $node),
                           'date' => $node->changed,
@@ -1699,7 +1699,7 @@ function node_form_alter(&$form, $form_state, $form_id) {
    }

    // Node types:
-    $types = node_get_types('names');
+    $types = array_map('check_plain', node_get_types('names'));
    $form['advanced']['type'] = array(
      '#type' => 'checkboxes',
      '#title' => t('Only of the type(s)'),

--- a/modules/node/node.pages.inc
+++ b/modules/node/node.pages.inc
@@ -116,14 +116,14 @@ function node_form(&$form_state, $node) {
   */
  foreach (array('nid', 'vid', 'uid', 'created', 'type', 'language') as $key) {
    $form[$key] = array(
-      '#type' => 'value', 
+      '#type' => 'value',
      '#value' => isset($node->$key) ? $node->$key : NULL,
    );
  }

  // Changed must be sent to the client, for later overwrite error checking.
  $form['changed'] = array(
-    '#type' => 'hidden', 
+    '#type' => 'hidden',
    '#default_value' => isset($node->changed) ? $node->changed : NULL,
  );
  // Get the node-specific bits.
@@ -171,18 +171,18 @@ function node_form(&$form_state, $node) {
    '#weight' => 20,
  );
  $form['author']['name'] = array(
-    '#type' => 'textfield', 
-    '#title' => t('Authored by'), 
-    '#maxlength' => 60, 
-    '#autocomplete_path' => 'user/autocomplete', 
-    '#default_value' => $node->name ? $node->name : '', 
-    '#weight' => -1, 
+    '#type' => 'textfield',
+    '#title' => t('Authored by'),
+    '#maxlength' => 60,
+    '#autocomplete_path' => 'user/autocomplete',
+    '#default_value' => $node->name ? $node->name : '',
+    '#weight' => -1,
    '#description' => t('Leave blank for %anonymous.', array('%anonymous' => variable_get('anonymous', t('Anonymous')))),
  );
  $form['author']['date'] = array(
-    '#type' => 'textfield', 
-    '#title' => t('Authored on'), 
-    '#maxlength' => 25, 
+    '#type' => 'textfield',
+    '#title' => t('Authored on'),
+    '#maxlength' => 25,
    '#description' => t('Format: %time. Leave blank to use the time of form submission.', array('%time' => !empty($node->date) ? $node->date : format_date($node->created, 'custom', 'Y-m-d H:i:s O'))),
  );

@@ -200,25 +200,25 @@ function node_form(&$form_state, $node) {
    '#weight' => 25,
  );
  $form['options']['status'] = array(
-    '#type' => 'checkbox', 
-    '#title' => t('Published'), 
+    '#type' => 'checkbox',
+    '#title' => t('Published'),
    '#default_value' => $node->status,
  );
  $form['options']['promote'] = array(
-    '#type' => 'checkbox', 
-    '#title' => t('Promoted to front page'), 
+    '#type' => 'checkbox',
+    '#title' => t('Promoted to front page'),
    '#default_value' => $node->promote,
  );
  $form['options']['sticky'] = array(
-    '#type' => 'checkbox', 
-    '#title' => t('Sticky at top of lists'), 
+    '#type' => 'checkbox',
+    '#title' => t('Sticky at top of lists'),
    '#default_value' => $node->sticky,
  );

  // These values are used when the user has no administrator access.
  foreach (array('uid', 'created') as $key) {
    $form[$key] = array(
-      '#type' => 'value', 
+      '#type' => 'value',
      '#value' => $node->$key,
    );
  }
@@ -465,7 +465,7 @@ function node_form_submit_build_node($form, &$form_state) {
 */
 function node_delete_confirm(&$form_state, $node) {
  $form['nid'] = array(
-    '#type' => 'value', 
+    '#type' => 'value',
    '#value' => $node->nid,
  );

@@ -473,7 +473,7 @@ function node_delete_confirm(&$form_state, $node) {
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    isset($_GET['destination']) ? $_GET['destination'] : 'node/'. $node->nid,
    t('This action cannot be undone.'),
-    t('Delete'), 
+    t('Delete'),
    t('Cancel')
  );
 }

--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -522,7 +522,9 @@ function poll_teaser($node) {
  $teaser = NULL;
  if (is_array($node->choice)) {
    foreach ($node->choice as $k => $choice) {
-      $teaser .= '* '. $choice['chtext'] .'\n';
+      if ($choice['chtext'] != '') {
+        $teaser .= '* '. check_plain($choice['chtext']) ."\n";
+      }
    }
  }
  return $teaser;

--- a/modules/profile/profile.admin.inc
+++ b/modules/profile/profile.admin.inc
@@ -14,7 +14,7 @@ function profile_admin_overview() {
  $result = db_query('SELECT title, name, type, category, fid FROM {profile_fields} ORDER BY category, weight');
  $rows = array();
  while ($field = db_fetch_object($result)) {
-    $rows[] = array(check_plain($field->title), $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/user/profile/edit/$field->fid"), l(t('delete'), "admin/user/profile/delete/$field->fid"));
+    $rows[] = array(check_plain($field->title), check_plain($field->name), _profile_field_types($field->type), check_plain($field->category), l(t('edit'), "admin/user/profile/edit/$field->fid"), l(t('delete'), "admin/user/profile/delete/$field->fid"));
  }
  if (count($rows) == 0) {
    $rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6'));

--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -140,7 +140,7 @@ function profile_block($op = 'list', $delta = 0, $edit = array()) {
    $fields = array();
    $result = db_query('SELECT name, title, weight, visibility FROM {profile_fields} WHERE visibility IN (%d, %d) ORDER BY weight', PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS);
    while ($record = db_fetch_object($result)) {
-      $fields[$record->name] = $record->title;
+      $fields[$record->name] = check_plain($record->title);
    }
    $fields['user_profile'] = t('Link to full user profile');
    $form['profile_block_author_fields'] = array('#type' => 'checkboxes',
@@ -342,7 +342,7 @@ function profile_form_profile($edit, $user, $category, $register = FALSE) {
  while ($field = db_fetch_object($result)) {
    $category = $field->category;
    if (!isset($fields[$category])) {
-      $fields[$category] = array('#type' => 'fieldset', '#title' => $category, '#weight' => $weight++);
+      $fields[$category] = array('#type' => 'fieldset', '#title' => check_plain($category), '#weight' => $w++);
    }
    switch ($field->type) {
      case 'textfield':
@@ -482,7 +482,7 @@ function template_preprocess_profile_block(&$variables) {
  // Supply filtered version of $fields that have values.
  foreach ($variables['fields'] as $field) {
    if ($field->value) {
-      $variables['profile'][$field->name]->title = $field->title;
+      $variables['profile'][$field->name]->title = check_plain($field->title);
      $variables['profile'][$field->name]->value = $field->value;
      $variables['profile'][$field->name]->type = $field->type;
    }

--- a/modules/system/system-rtl.css
+++ b/modules/system/system-rtl.css
 /* $Id$ */

 thead th {
-  text-align: right; 
-  padding-left: 1em; 
+  text-align: right;
+  padding-left: 1em;
  padding-right: 0.5em;
 }


--- a/modules/taxonomy/taxonomy.admin.inc
+++ b/modules/taxonomy/taxonomy.admin.inc
@@ -8,7 +8,7 @@

 /**
 * Form builder to list and manage vocabularies.
- * 
+ *
 * @ingroup forms
 * @see taxonomy_overview_vocabularies_submit().
 * @see theme_taxonomy_overview_vocabularies().
@@ -20,7 +20,7 @@ function taxonomy_overview_vocabularies() {
    $types = array();
    foreach ($vocabulary->nodes as $type) {
      $node_type = node_get_types('name', $type);
-      $types[] = $node_type ? $node_type : $type;
+      $types[] = $node_type ? check_plain($node_type) : check_plain($type);
    }
    $form[$vocabulary->vid]['#vocabulary'] = (array)$vocabulary;
    $form[$vocabulary->vid]['name'] = array('#value' => check_plain($vocabulary->name));
@@ -44,7 +44,7 @@ function taxonomy_overview_vocabularies() {

 /**
 * Submit handler for vocabularies overview. Updates changed vocabulary weights.
- * 
+ *
 * @see taxonomy_overview_vocabularies().
 */
 function taxonomy_overview_vocabularies_submit($form, &$form_state) {
@@ -58,7 +58,7 @@ function taxonomy_overview_vocabularies_submit($form, &$form_state) {

 /**
 * Theme the vocabulary overview as a sortable list of vocabularies.
- * 
+ *
 * @ingroup themeable
 * @see taxonomy_overview_vocabularies().
 */
@@ -91,7 +91,7 @@ function theme_taxonomy_overview_vocabularies($form) {
    drupal_add_tabledrag('taxonomy', 'order', 'sibling', 'vocabulary-weight');
  }
  $header[] = array('data' => t('Operations'), 'colspan' => '3');
-  return theme('table', $header, $rows, array('id' => 'taxonomy')) . drupal_render($form);  
+  return theme('table', $header, $rows, array('id' => 'taxonomy')) . drupal_render($form);
 }

 /**
@@ -144,7 +144,7 @@ function taxonomy_form_vocabulary(&$form_state, $edit = array()) {
  $form['content_types']['nodes'] = array('#type' => 'checkboxes',
    '#title' => t('Content types'),
    '#default_value' => $edit['nodes'],
-    '#options' => node_get_types('names'),
+    '#options' => array_map('check_plain', node_get_types('names')),
    '#description' => t('Select content types to categorize using this vocabulary.'),
  );
  $form['settings'] = array(
@@ -235,10 +235,10 @@ function taxonomy_admin_term_edit($tid) {

 /**
 * Form builder for the taxonomy terms overview.
- * 
+ *
 * Display a tree of all the terms in a vocabulary, with options to edit
 * each one. The form is made drag and drop by the theme function.
- * 
+ *
 * @ingroup forms
 * @see taxonomy_overview_terms_submit().
 * @see theme_taxonomy_overview_terms().
@@ -428,17 +428,17 @@ function taxonomy_overview_terms(&$form_state, $vocabulary) {

 /**
 * Submit handler for terms overview form.
- * 
+ *
 * Rather than using a textfield or weight field, this form depends entirely
 * upon the order of form elements on the page to determine new weights.
- * 
+ *
 * Because there might be hundreds or thousands of taxonomy terms that need to
 * be ordered, terms are weighted from 0 to the number of terms in the
 * vocabulary, rather than the standard -10 to 10 scale. Numbers are sorted
 * lowest to highest, but are not necessarily sequential. Numbers may be skipped
 * when a term has children so that reordering is minimal when a child is
 * added or removed from a term.
- * 
+ *
 * @see taxonomy_overview_terms().
 */
 function taxonomy_overview_terms_submit($form, &$form_state) {
@@ -533,7 +533,7 @@ function taxonomy_overview_terms_submit($form, &$form_state) {

 /**
 * Theme the terms overview as a sortable list of terms.
- * 
+ *
 * @ingroup themeable
 * @see taxonomy_overview_terms().
 */
@@ -732,7 +732,7 @@ function taxonomy_form_term(&$form_state, $vocabulary, $edit = array()) {

 /**
 * Validation handler for the term edit form. Ensure numeric weight values.
- * 
+ *
 * @see taxonomy_form_term().
 */
 function taxonomy_form_term_validate($form, &$form_state) {
@@ -743,7 +743,7 @@ function taxonomy_form_term_validate($form, &$form_state) {

 /**
 * Submit handler to insert or update a term.
- * 
+ *
 * @see taxonomy_form_term().
 */
 function taxonomy_form_term_submit($form, &$form_state) {
@@ -783,7 +783,7 @@ function taxonomy_form_term_submit($form, &$form_state) {
      $current_parent_count = 0;
      $form_state['values']['parent'] = array();
    }
-  
+
    // If the number of parents has been reduced to one or none, do a check on the
    // parents of every term in the vocabulary value.
    if ($current_parent_count < $previous_parent_count && $current_parent_count < 2) {
@@ -804,7 +804,7 @@ function taxonomy_form_term_submit($form, &$form_state) {

 /**
 * Form builder for the confirmation of multiple term parents.
- * 
+ *
 * @ingroup forms
 * @see taxonomy_form_term().
 */
@@ -846,7 +846,7 @@ function taxonomy_term_confirm_delete(&$form_state, $tid) {

 /**
 * Submit handler to delete a term after confirmation.
- * 
+ *
 * @see taxonomy_term_confirm_delete().
 */
 function taxonomy_term_confirm_delete_submit($form, &$form_state) {
@@ -881,7 +881,7 @@ function taxonomy_vocabulary_confirm_delete(&$form_state, $vid) {

 /**
 * Submit handler to delete a vocabulary after confirmation.
- * 
+ *
 * @see taxonomy_vocabulary_confirm_delete().
 */
 function taxonomy_vocabulary_confirm_delete_submit($form, &$form_state) {
@@ -894,7 +894,7 @@ function taxonomy_vocabulary_confirm_delete_submit($form, &$form_state) {

 /**
 * Form builder to confirm reseting a vocabulary to alphabetical order.
- * 
+ *
 * @ingroup forms
 * @see taxonomy_vocabulary_confirm_reset_alphabetical_submit().
 */
@@ -916,7 +916,7 @@ function taxonomy_vocabulary_confirm_reset_alphabetical(&$form_state, $vid) {

 /**
 * Submit handler to reset a vocabulary to alphabetical order after confirmation.
- * 
+ *
 * @see taxonomy_vocabulary_confirm_reset_alphabetical().
 */
 function taxonomy_vocabulary_confirm_reset_alphabetical_submit($form, &$form_state) {

--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -250,14 +250,14 @@ function taxonomy_del_vocabulary($vid) {

 /**
 * Dynamicly check and update the hierarachy flag of a vocabulary.
- * 
+ *
 * Checks the current parents of all terms in a vocabulary and updates the
 * vocabularies hierarchy setting to the lowest possible level. A hierarchy with
 * no parents in any of its terms will be given a hierarchy of 0. If terms
 * contain at most a single parent, the vocabulary will be given a hierarchy of
 * 1. If any term contain multiple parents, the vocabulary will be given a
 * hieararchy of 2.
- * 
+ *
 * @param $vocabulary
 *   An array of the vocabulary structure.
 * @param $changed_term

--- a/modules/tracker/tracker.pages.inc
+++ b/modules/tracker/tracker.pages.inc
@@ -50,7 +50,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
    }

    $rows[] = array(
-      node_get_types('name', $node->type),
+      check_plain(node_get_types('name', $node->type)),
      l($node->title, "node/$node->nid") .' '. theme('mark', node_mark($node->nid, $node->changed)),
      theme('username', $node),
      array('class' => 'replies', 'data' => $comments),

--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -206,7 +206,7 @@ function template_preprocess_user_profile_item(&$variables) {
 * @see user-profile-category.tpl.php
 */
 function template_preprocess_user_profile_category(&$variables) {
-  $variables['title'] = $variables['element']['#title'];
+  $variables['title'] = check_plain($variables['element']['#title']);
  $variables['profile_items'] = $variables['element']['#children'];
  $variables['attributes'] = '';
  if (isset($variables['element']['#attributes'])) {

--- a/themes/pushbutton/style-rtl.css
+++ b/themes/pushbutton/style-rtl.css
@@ -20,11 +20,11 @@ td#home {
 }

 td#home a:link img, td#home a:visited img {
-  background: transparent url(logo-active-rtl.jpg) repeat; 
+  background: transparent url(logo-active-rtl.jpg) repeat;
 }

 td#home a:hover img {
-  background: transparent url(logo-hover-rtl.jpg) repeat; 
+  background: transparent url(logo-hover-rtl.jpg) repeat;
 }

 #primary-menu .primary-links   {
@@ -47,7 +47,7 @@ ul.links li {
 }

 .tabs ul.primary {
-  padding: 0 10px 3px 0; 
+  padding: 0 10px 3px 0;
  height: 1.2em; /* FF hack, see float below */
  line-height: 1em; /* FF hack, see float below */
 }
@@ -57,13 +57,13 @@ ul.links li {
 /* @end FF hacks */

 .tabs ul.primary li a {
-  background: #fff url(tabs-off-rtl.png) right top no-repeat; 
-  border-style: none none none solid; 
+  background: #fff url(tabs-off-rtl.png) right top no-repeat;
+  border-style: none none none solid;
  margin-left: 10px;
  margin-right: 0;
 }
 .tabs ul.primary li.active a {
-  background: #369 url(tabs-on-rtl.png) right top no-repeat; 
+  background: #369 url(tabs-on-rtl.png) right top no-repeat;
  border-right: none;
  border-left: 2px solid #369;
 }
@@ -89,7 +89,7 @@ ul.links li {
 }

 .tabs ul.secondary li a.active {
-  background: #fff url(tabs-option-on.png) right center no-repeat; 
+  background: #fff url(tabs-option-on.png) right center no-repeat;
 }

 .tabs ul.secondary li a:hover {
@@ -97,11 +97,11 @@ ul.links li {
 }

 #menu {
-  text-align: left; 
+  text-align: left;
 }

 .node .content {
-  text-align: right; 
+  text-align: right;
 }

 .comment .content {
@@ -110,7 +110,7 @@ ul.links li {

 .block .title h3 {
  padding: 10px 30px 10px 5px;
-  background: transparent url(icon-block-rtl.png) right center no-repeat;  
+  background: transparent url(icon-block-rtl.png) right center no-repeat;
 }

 .node .picture {
@@ -128,7 +128,7 @@ ul.links li {
 }

 .comment .picture {
-  float: left; 
+  float: left;
 }

 .nav .links .next a:link {