Commit 6c75ac1f authored by stefan.r

Issue #2393461 by David_Rothstein, mpv, maciej.zgadzaj, Sagar Ramgade, davic, Fabianx: format_xml_elements() does not allow unencoded values
parent 5e71caeb
......@@ -150,6 +150,8 @@ Drupal 7.40, 2015-10-14
against SQL injection (API change: https://www.drupal.org/node/2463973).
- Fixed a bug in the Drupal 6 to Drupal 7 upgrade path which caused the upgrade
to fail when there were multiple file records pointing to the same file.
- Added a a new option to format_xml_elections() to allow for already encoded
values.
- Numerous small bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
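Review bot: the new CHANGELOG line "Added a a new option to format_xml_elections() to allow for already encoded values." has a doubled article and misspells the function name; since release notes are what people search when they hit this API change, it should read "Added a new option to format_xml_elements() to allow for already encoded values." (the function touched by this patch is format_xml_elements()).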
......@@ -1770,9 +1770,15 @@ function format_rss_item($title, $link, $description, $args = array()) {
* - 'key': element name
* - 'value': element contents
* - 'attributes': associative array of element attributes
* - 'encoded': TRUE if 'value' is already encoded
*
* In both cases, 'value' can be a simple string, or it can be another array
* with the same format as $array itself for nesting.
*
* If 'encoded' is TRUE it is up to the caller to ensure that 'value' is either
* entity-encoded or CDATA-escaped. Using this option is not recommended when
* working with untrusted user input, since failing to escape the data
* correctly has security implications.
*/
function format_xml_elements($array) {
$output = '';
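Review bot: the docblock entry "'encoded': TRUE if 'value' is already encoded" should state that the flag is only honoured when 'value' is a string: in the code the is_array() branch is tested first, so for a nested array the parent's 'encoded' key is ignored and each nested element is escaped (or not) according to its own 'encoded' key. It is also worth saying explicitly that the function does not verify the caller's claim; a value flagged TRUE is emitted verbatim, so the "not recommended when working with untrusted user input" caveat really means the caller has taken over responsibility for XML escaping of that value.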
......@@ -1785,7 +1791,7 @@ function format_xml_elements($array) {
}
if (isset($value['value']) && $value['value'] != '') {
$output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : check_plain($value['value'])) . '</' . $value['key'] . ">\n";
$output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : (!empty($value['encoded']) ? $value['value'] : check_plain($value['value']))) . '</' . $value['key'] . ">\n";
}
else {
$output .= " />\n";
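Review bot: the nested ternary in `$output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : (!empty($value['encoded']) ? $value['value'] : check_plain($value['value']))) . '</' . $value['key'] . ">\n";` is hard to read and, more importantly, hard to audit for the one branch that matters, the path where data bypasses check_plain(). Suggest hoisting the string case into a local so the unescaped path is visible on its own line, e.g. `$contents = !empty($value['encoded']) ? $value['value'] : check_plain($value['value']);` before the concatenation. Note also that nothing here validates the 'encoded' claim: whatever the caller passes with that flag is concatenated into the feed as-is, so every caller that sets it must itself guarantee entity encoding or CDATA wrapping of the value.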