Commit 7a47bef5 authored by Dries

- Patch #162381 by Heine et al: properly escape strings.

parent 673aba15
...@@ -537,7 +537,7 @@ function blogapi_blogger_title(&$contents) { ...@@ -537,7 +537,7 @@ function blogapi_blogger_title(&$contents) {
} }
function blogapi_admin_settings() { function blogapi_admin_settings() {
$node_types = node_get_types('names'); $node_types = array_map('check_plain', node_get_types('names'));
$defaults = isset($node_types['blog']) ? array('blog' => 1) : array(); $defaults = isset($node_types['blog']) ? array('blog' => 1) : array();
$form['blogapi_node_types'] = array( $form['blogapi_node_types'] = array(
'#type' => 'checkboxes', '#type' => 'checkboxes',
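Review bot: The escaping on the `$node_types` line relies on `array_map()` with a single array preserving the string keys, which is what keeps `isset($node_types['blog'])` on the next line and the checkbox option keys intact; that is worth a one-line comment, because a later switch to `array_values()` or a two-array map would silently break both. Suggest `// array_map() keeps the type machine names as keys; only the labels are escaped.` above the assignment. The same construct is used in node_form_alter and taxonomy_form_vocabulary further down in this commit, and the comment applies there too. The rest of blogapi_admin_settings is outside the hunk.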
...@@ -17,7 +17,7 @@ function filter_schema() { ...@@ -17,7 +17,7 @@ function filter_schema() {
'type' => 'int', 'type' => 'int',
'not null' => TRUE, 'not null' => TRUE,
'default' => 0, 'default' => 0,
'description' => t('Foreign Key: The {filter_formats}.format to which this filter is assigned.'), 'description' => t('Foreign key: The {filter_formats}.format to which this filter is assigned.'),
), ),
'module' => array( 'module' => array(
'type' => 'varchar', 'type' => 'varchar',
...@@ -18,7 +18,6 @@ function node_overview_types() { ...@@ -18,7 +18,6 @@ function node_overview_types() {
foreach ($names as $key => $name) { foreach ($names as $key => $name) {
$type = $types[$key]; $type = $types[$key];
if (node_hook($type, 'form')) { if (node_hook($type, 'form')) {
$name = check_plain($name);
$type_url_str = str_replace('_', '-', $type->type); $type_url_str = str_replace('_', '-', $type->type);
$row = array( $row = array(
l($name, 'admin/content/types/'. $type_url_str), l($name, 'admin/content/types/'. $type_url_str),
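Review bot: `$name` is now escaped before being handed to `l()` on the last line of the hunk, and as far as I recall `l()` escapes its link text itself unless it is called with `'html' => TRUE`, so a type name containing `&` or `<` would come out double-encoded. If `$name` is reused in the remainder of `$row`, which continues outside the hunk, escaping it once at the top is reasonable, but the link should then be built as `l($name, 'admin/content/types/'. $type_url_str, array('html' => TRUE))` so only one layer applies; otherwise the new line can be dropped and `l()` left to escape. A comment stating where the escaping happens would stop the next reader from re-adding it.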
...@@ -385,7 +385,7 @@ function node_admin_nodes() { ...@@ -385,7 +385,7 @@ function node_admin_nodes() {
while ($node = db_fetch_object($result)) { while ($node = db_fetch_object($result)) {
$nodes[$node->nid] = ''; $nodes[$node->nid] = '';
$form['title'][$node->nid] = array('#value' => l($node->title, 'node/'. $node->nid) .' '. theme('mark', node_mark($node->nid, $node->changed))); $form['title'][$node->nid] = array('#value' => l($node->title, 'node/'. $node->nid) .' '. theme('mark', node_mark($node->nid, $node->changed)));
$form['name'][$node->nid] = array('#value' => node_get_types('name', $node)); $form['name'][$node->nid] = array('#value' => check_plain(node_get_types('name', $node)));
$form['username'][$node->nid] = array('#value' => theme('username', $node)); $form['username'][$node->nid] = array('#value' => theme('username', $node));
$form['status'][$node->nid] = array('#value' => ($node->status ? t('published') : t('not published'))); $form['status'][$node->nid] = array('#value' => ($node->status ? t('published') : t('not published')));
if ($multilanguage) { if ($multilanguage) {
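Review bot: Only the type name gains `check_plain()` while `$node->title` on the preceding line does not, and the reason — the title goes through `l()`, which escapes its own link text, whereas a `'#value'` is emitted as raw markup — is not visible from the lines themselves, so someone may later "fix" the title and double-encode it. Suggest a comment above the `name` line: `// '#value' is output as raw markup; type names are admin-edited, so escape them here (the title is escaped by l()).` The same asymmetry appears in the tracker_page row further down in this commit, where again only the type name is escaped and the title goes through `l()`. The rest of node_admin_nodes is outside the hunk.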
...@@ -1199,7 +1199,7 @@ function node_search($op = 'search', $keys = NULL) { ...@@ -1199,7 +1199,7 @@ function node_search($op = 'search', $keys = NULL) {
$extra = node_invoke_nodeapi($node, 'search result'); $extra = node_invoke_nodeapi($node, 'search result');
$results[] = array('link' => url('node/'. $item->sid, array('absolute' => TRUE)), $results[] = array('link' => url('node/'. $item->sid, array('absolute' => TRUE)),
'type' => node_get_types('name', $node), 'type' => check_plain(node_get_types('name', $node)),
'title' => $node->title, 'title' => $node->title,
'user' => theme('username', $node), 'user' => theme('username', $node),
'date' => $node->changed, 'date' => $node->changed,
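Review bot: `'type'` is now escaped but `'title'` on the very next line is still stored raw, which implies the consumer of this result array already escapes `title` — and if it escapes `type` the same way, `type` is now double-encoded. The hunk does not show where the array is rendered, so confirm which fields the search-result theme layer escapes and make sure each one is escaped in exactly one place. Once confirmed, a comment such as `// 'title' is escaped by the search result theme; 'type' is not, so escape it here.` records the contract. The rest of node_search is outside the hunk.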
...@@ -1699,7 +1699,7 @@ function node_form_alter(&$form, $form_state, $form_id) { ...@@ -1699,7 +1699,7 @@ function node_form_alter(&$form, $form_state, $form_id) {
} }
// Node types: // Node types:
$types = node_get_types('names'); $types = array_map('check_plain', node_get_types('names'));
$form['advanced']['type'] = array( $form['advanced']['type'] = array(
'#type' => 'checkboxes', '#type' => 'checkboxes',
'#title' => t('Only of the type(s)'), '#title' => t('Only of the type(s)'),
...@@ -522,7 +522,9 @@ function poll_teaser($node) { ...@@ -522,7 +522,9 @@ function poll_teaser($node) {
$teaser = NULL; $teaser = NULL;
if (is_array($node->choice)) { if (is_array($node->choice)) {
foreach ($node->choice as $k => $choice) { foreach ($node->choice as $k => $choice) {
$teaser .= '* '. $choice['chtext'] .'\n'; if ($choice['chtext'] != '') {
$teaser .= '* '. check_plain($choice['chtext']) ."\n";
}
} }
} }
return $teaser; return $teaser;
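Review bot: The new guard `if ($choice['chtext'] != '')` uses a loose comparison; the intent — skip missing or empty choices — is clearer and not subject to type juggling as `if (isset($choice['chtext']) && $choice['chtext'] !== '')`, and `$k` in the surrounding `foreach` is unused and can be dropped. It is also worth a short comment that `check_plain()` is applied because the teaser text is later output as markup; if the teaser is instead passed through a text format that escapes on output, this would be double-escaping, so confirm the rendering path. poll_teaser starts outside the hunk.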
...@@ -14,7 +14,7 @@ function profile_admin_overview() { ...@@ -14,7 +14,7 @@ function profile_admin_overview() {
$result = db_query('SELECT title, name, type, category, fid FROM {profile_fields} ORDER BY category, weight'); $result = db_query('SELECT title, name, type, category, fid FROM {profile_fields} ORDER BY category, weight');
$rows = array(); $rows = array();
while ($field = db_fetch_object($result)) { while ($field = db_fetch_object($result)) {
$rows[] = array(check_plain($field->title), $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/user/profile/edit/$field->fid"), l(t('delete'), "admin/user/profile/delete/$field->fid")); $rows[] = array(check_plain($field->title), check_plain($field->name), _profile_field_types($field->type), check_plain($field->category), l(t('edit'), "admin/user/profile/edit/$field->fid"), l(t('delete'), "admin/user/profile/delete/$field->fid"));
} }
if (count($rows) == 0) { if (count($rows) == 0) {
$rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6')); $rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6'));
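Review bot: After this change every database-sourced cell in `$rows` is escaped except `_profile_field_types($field->type)`; if that helper maps the stored type to one of a fixed set of translated labels it is fine, but nothing in the hunk shows that, and the next reader has to go and check. A comment on the line, such as `// title/name/category are admin-entered text; _profile_field_types() returns fixed labels.`, would record the reasoning once it has been confirmed. The rest of profile_admin_overview is outside the hunk.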
...@@ -140,7 +140,7 @@ function profile_block($op = 'list', $delta = 0, $edit = array()) { ...@@ -140,7 +140,7 @@ function profile_block($op = 'list', $delta = 0, $edit = array()) {
$fields = array(); $fields = array();
$result = db_query('SELECT name, title, weight, visibility FROM {profile_fields} WHERE visibility IN (%d, %d) ORDER BY weight', PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS); $result = db_query('SELECT name, title, weight, visibility FROM {profile_fields} WHERE visibility IN (%d, %d) ORDER BY weight', PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS);
while ($record = db_fetch_object($result)) { while ($record = db_fetch_object($result)) {
$fields[$record->name] = $record->title; $fields[$record->name] = check_plain($record->title);
} }
$fields['user_profile'] = t('Link to full user profile'); $fields['user_profile'] = t('Link to full user profile');
$form['profile_block_author_fields'] = array('#type' => 'checkboxes', $form['profile_block_author_fields'] = array('#type' => 'checkboxes',
...@@ -342,7 +342,7 @@ function profile_form_profile($edit, $user, $category, $register = FALSE) { ...@@ -342,7 +342,7 @@ function profile_form_profile($edit, $user, $category, $register = FALSE) {
while ($field = db_fetch_object($result)) { while ($field = db_fetch_object($result)) {
$category = $field->category; $category = $field->category;
if (!isset($fields[$category])) { if (!isset($fields[$category])) {
$fields[$category] = array('#type' => 'fieldset', '#title' => $category, '#weight' => $weight++); $fields[$category] = array('#type' => 'fieldset', '#title' => check_plain($category), '#weight' => $w++);
} }
switch ($field->type) { switch ($field->type) {
case 'textfield': case 'textfield':
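Review bot: `'#weight' => $weight++` became `'#weight' => $w++` on the fieldset line, which is unrelated to the escaping fix; unless `$w` is initialised earlier in profile_form_profile (outside the hunk), this reads an undefined variable and the first weight becomes 1 with a notice. If the rename is intentional, the initialisation should be renamed in the same commit; otherwise restore `'#weight' => $weight++`. The escaping of `$category` for `#title` is right for a fieldset legend, and a comment `// fieldset legends are emitted as raw markup; categories are admin-entered.` would explain why the key on the same line stays unescaped while the title does not.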
...@@ -482,7 +482,7 @@ function template_preprocess_profile_block(&$variables) { ...@@ -482,7 +482,7 @@ function template_preprocess_profile_block(&$variables) {
// Supply filtered version of $fields that have values. // Supply filtered version of $fields that have values.
foreach ($variables['fields'] as $field) { foreach ($variables['fields'] as $field) {
if ($field->value) { if ($field->value) {
$variables['profile'][$field->name]->title = $field->title; $variables['profile'][$field->name]->title = check_plain($field->title);
$variables['profile'][$field->name]->value = $field->value; $variables['profile'][$field->name]->value = $field->value;
$variables['profile'][$field->name]->type = $field->type; $variables['profile'][$field->name]->type = $field->type;
} }
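Review bot: `title` is now escaped but `value` on the next line is copied through unchanged, and that is the one field the profile's owner, rather than an administrator, controls; the hunk does not show whether `$field->value` has already been formatted for output by the code that builds `$variables['fields']`. If it has, a comment such as `// $field->value is already formatted for output by the caller; only the admin-entered title is escaped here.` makes the contract explicit; if it has not, the template would be emitting user input raw and `value` needs the same treatment. Confirm against the builder of `$variables['fields']`, which is outside the hunk.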
...@@ -20,7 +20,7 @@ function taxonomy_overview_vocabularies() { ...@@ -20,7 +20,7 @@ function taxonomy_overview_vocabularies() {
$types = array(); $types = array();
foreach ($vocabulary->nodes as $type) { foreach ($vocabulary->nodes as $type) {
$node_type = node_get_types('name', $type); $node_type = node_get_types('name', $type);
$types[] = $node_type ? $node_type : $type; $types[] = $node_type ? check_plain($node_type) : check_plain($type);
} }
$form[$vocabulary->vid]['#vocabulary'] = (array)$vocabulary; $form[$vocabulary->vid]['#vocabulary'] = (array)$vocabulary;
$form[$vocabulary->vid]['name'] = array('#value' => check_plain($vocabulary->name)); $form[$vocabulary->vid]['name'] = array('#value' => check_plain($vocabulary->name));
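Review bot: Both branches of the ternary on the `$types[]` line apply `check_plain()`, so it reads more clearly as `$types[] = check_plain($node_type ? $node_type : $type);`, which also makes it impossible to drop the escaping from one branch later. This is a point of style only; behaviour is unchanged. The rest of taxonomy_overview_vocabularies is outside the hunk.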
...@@ -144,7 +144,7 @@ function taxonomy_form_vocabulary(&$form_state, $edit = array()) { ...@@ -144,7 +144,7 @@ function taxonomy_form_vocabulary(&$form_state, $edit = array()) {
$form['content_types']['nodes'] = array('#type' => 'checkboxes', $form['content_types']['nodes'] = array('#type' => 'checkboxes',
'#title' => t('Content types'), '#title' => t('Content types'),
'#default_value' => $edit['nodes'], '#default_value' => $edit['nodes'],
'#options' => node_get_types('names'), '#options' => array_map('check_plain', node_get_types('names')),
'#description' => t('Select content types to categorize using this vocabulary.'), '#description' => t('Select content types to categorize using this vocabulary.'),
); );
$form['settings'] = array( $form['settings'] = array(
...@@ -50,7 +50,7 @@ function tracker_page($account = NULL, $set_title = FALSE) { ...@@ -50,7 +50,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
} }
$rows[] = array( $rows[] = array(
node_get_types('name', $node->type), check_plain(node_get_types('name', $node->type)),
l($node->title, "node/$node->nid") .' '. theme('mark', node_mark($node->nid, $node->changed)), l($node->title, "node/$node->nid") .' '. theme('mark', node_mark($node->nid, $node->changed)),
theme('username', $node), theme('username', $node),
array('class' => 'replies', 'data' => $comments), array('class' => 'replies', 'data' => $comments),
...@@ -206,7 +206,7 @@ function template_preprocess_user_profile_item(&$variables) { ...@@ -206,7 +206,7 @@ function template_preprocess_user_profile_item(&$variables) {
* @see user-profile-category.tpl.php * @see user-profile-category.tpl.php
*/ */
function template_preprocess_user_profile_category(&$variables) { function template_preprocess_user_profile_category(&$variables) {
$variables['title'] = $variables['element']['#title']; $variables['title'] = check_plain($variables['element']['#title']);
$variables['profile_items'] = $variables['element']['#children']; $variables['profile_items'] = $variables['element']['#children'];
$variables['attributes'] = ''; $variables['attributes'] = '';
if (isset($variables['element']['#attributes'])) { if (isset($variables['element']['#attributes'])) {
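Review bot: Escaping `#title` inside this preprocess function establishes a contract that every builder of a user_profile_category element must supply an unescaped `#title`, and that contract is not written down; the profile fieldset earlier in this commit escapes its `#title` at build time instead, so the two paths now behave differently and a builder that follows that pattern here would double-encode. Suggest adding to the function's docblock: `The element's #title is expected to be unescaped text; it is escaped here.` The function continues outside the hunk.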