Commit be142035 authored by Steven Wittens's avatar Steven Wittens

- #18817: Clean up plain-text checking (see drupal-devel!)

parent 99233a9c
......@@ -393,7 +393,7 @@ function drupal_get_title() {
if (!isset($title)) {
// during a bootstrap, menu.inc is not included and thus we cannot provide a title
if (function_exists('menu_get_active_title')) {
$title = menu_get_active_title();
$title = check_plain(menu_get_active_title());
}
}
......@@ -509,7 +509,7 @@ function drupal_unpack($obj, $field = 'data') {
*/
function referer_uri() {
if (isset($_SERVER['HTTP_REFERER'])) {
return check_url($_SERVER['HTTP_REFERER']);
return $_SERVER['HTTP_REFERER'];
}
}
......@@ -537,14 +537,14 @@ function arg($index) {
}
/**
* Prepare user input for use in a URI.
* Prepare a URL for use in an HTML attribute.
*
* We replace ( and ) with their entity equivalents to prevent XSS attacks.
* We replace ( and ) with their url-encoded equivalents to prevent XSS attacks.
*/
function check_url($uri) {
$uri = htmlspecialchars($uri, ENT_QUOTES);
$uri = strtr($uri, array('(' => '&040;', ')' => '&041;'));
$uri = strtr($uri, array('(' => '%28', ')' => '%29'));
return $uri;
}
......@@ -567,7 +567,7 @@ function request_uri() {
}
}
return check_url($uri);
return $uri;
}
/**
......
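Review bot: referer_uri() and request_uri() now hand back the raw `$_SERVER['HTTP_REFERER']` / `$uri` values where they used to return check_url()'d strings, and nothing in their docblocks (only the tail of referer_uri()'s is visible; request_uri()'s header is outside the hunk) tells callers that the result is untrusted request data that must go through check_url() or check_plain() before it lands in HTML. I would add `* @return The raw, unescaped value; pass it through check_url() before placing it in an attribute.` to each, since any caller that relied on the old behaviour is now an unescaped sink. Separately, check_url()'s new docblock reads as if the result is a safe URL, but the function only attribute-escapes and percent-encodes parentheses; it does not validate the scheme, so a `javascript:` URL passes through unchanged — worth a line such as `* Note: this does not validate the URL or reject dangerous schemes such as javascript:.`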
......@@ -76,11 +76,11 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
// Check if directory exists.
if (!is_dir($directory)) {
if (($mode & FILE_CREATE_DIRECTORY) && @mkdir($directory, 0760)) {
drupal_set_message(t('Created directory %directory.', array('%directory' => "<em>$directory</em>")));
drupal_set_message(t('Created directory %directory.', array('%directory' => theme('placeholder', $directory))));
}
else {
if ($form_item) {
form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => "<em>$directory</em>")));
form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => theme('placeholder', $directory))));
}
return false;
}
......@@ -89,10 +89,10 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
// Check to see if the directory is writable.
if (!is_writable($directory)) {
if (($mode & FILE_MODIFY_PERMISSIONS) && @chmod($directory, 0760)) {
drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => "<em>$directory</em>")));
drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => theme('placeholder', $directory))));
}
else {
form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => "<em>$directory</em>")));
form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => theme('placeholder', $directory))));
return false;
}
}
......
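Review bot: The rewritten form_set_error() call in the not-writable branch is still made unconditionally, while the directory-missing branch directly above guards its call with `if ($form_item)`; with `$form_item` defaulting to NULL the non-writable path reports an error against a NULL form item. Unless form_set_error() tolerates a NULL name (not visible here), guard it the same way: `if ($form_item) { form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => theme('placeholder', $directory)))); }`, with a drupal_set_message() fallback so the failure is not silently dropped. file_check_directory() continues outside the hunk.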
......@@ -384,19 +384,19 @@ function pager_link($from_new, $element, $attributes = array()) {
$q = $_GET['q'];
$from = array_key_exists('from', $_GET) ? $_GET['from'] : '';
foreach($attributes as $key => $value) {
foreach ($attributes as $key => $value) {
$query[] = $key .'='. $value;
}
$from_new = pager_load_array($from_new[$element], $element, explode(',', $from));
if (count($attributes)) {
$url = url($q, 'from='. implode($from_new, ',') .'&amp;'. implode('&amp;', $query));
$url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query));
}
else {
$url = url($q, 'from='. implode($from_new, ','));
}
return $url;
return check_url($url);
}
function pager_load_array($value, $element, $old_array) {
......
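Review bot: In pager_link() the query string is now assembled with a bare `&` and only HTML-escaped afterwards by check_url(), but `$query[] = $key .'='. $value;` still concatenates the caller-supplied `$attributes` without URL-encoding, so a value containing `&`, `=` or `#` splits or truncates the query instead of being carried as data — check_url() does nothing for that case. Unless callers are documented as passing pre-encoded values (nothing here says so), make it `$query[] = urlencode($key) .'='. urlencode($value);`. The same applies to the `from` parameter if pager_load_array(), which is outside this hunk, does not reduce its elements to integers.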
......@@ -87,7 +87,7 @@ function tablesort_header($cell, $header, $ts) {
$ts['sort'] = 'asc';
$image = '';
}
$cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&amp;order='. urlencode($cell['data']). $ts['query_string']);
$cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string'], NULL, FALSE, TRUE);
unset($cell['field'], $cell['sort']);
}
......@@ -139,7 +139,7 @@ function tablesort_get_querystring() {
$query_string = '';
foreach ($cgi as $key => $val) {
if ($key != 'order' && $key != 'sort' && $key != 'q') {
$query_string .= '&amp;'. $key .'='. $val;
$query_string .= '&'. $key .'='. $val;
}
}
return $query_string;
......
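Review bot: tablesort_get_querystring() re-emits every `$key`/`$val` pair from `$cgi` (assigned above the hunk, presumably the decoded request parameters) with only the separator changed from `&amp;` to `&`, so a request value containing `&` or `=` is written back into the link's query string unencoded, and whatever HTML escaping l() applies does not repair that. Encode both halves: `$query_string .= '&'. urlencode($key) .'='. urlencode($val);`. In tablesort_header() the new trailing `TRUE` argument to l() looks like a flag telling l() to treat the link text as HTML (it carries the `$image` markup), which means `$cell['data']` is no longer escaped on output and must be trusted by whoever builds the header array; a comment at the call site saying so would stop the next caller from passing user data there.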
......@@ -225,8 +225,8 @@ function path_to_theme() {
*/
function theme_get_settings($key = NULL) {
$defaults = array(
'primary_links' => l('edit primary links', 'admin/themes/settings'),
'secondary_links' => l('edit secondary links', 'admin/themes/settings'),
'primary_links' => l(t('edit primary links'), 'admin/themes/settings'),
'secondary_links' => l(t('edit secondary links'), 'admin/themes/settings'),
'mission' => '',
'default_logo' => 1,
'logo_path' => '',
......@@ -348,6 +348,20 @@ function theme_get_styles() {
*
* The theme system is described and defined in theme.inc.
*/
/**
* Format a dynamic text string for emphasised display in a placeholder.
*
* E.g. t('Added term %term', array('%term' => theme('placeholder', $term)))
*
* @param $text
* The text to format (plain-text).
* @return
* The formatted text (html).
*/
function theme_placeholder($text) {
return '<em>'. check_plain($text) .'</em>';
}
/**
* Return an entire Drupal page displaying the supplied content.
......@@ -361,7 +375,7 @@ function theme_page($content) {
$output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n";
$output .= '<html xmlns="http://www.w3.org/1999/xhtml">';
$output .= '<head>';
$output .= ' <title>'. (drupal_get_title() ? drupal_get_title() : variable_get('site_name', 'drupal')) .'</title>';
$output .= ' <title>'. (drupal_get_title() ? strip_tags(drupal_get_title()) : variable_get('site_name', 'drupal')) .'</title>';
$output .= drupal_get_html_head();
$output .= theme_get_styles();
......@@ -500,7 +514,7 @@ function theme_node($node, $teaser = FALSE, $page = FALSE) {
}
if ($page == 0) {
$output = '<h2 class="title">'. $node->title .'</h2> by '. format_name($node);
$output = '<h2 class="title">'. check_plain($node->title) .'</h2> by '. format_name($node);
}
else {
$output = 'by '. format_name($node);
......
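Review bot: In theme_page() the `<title>` now runs drupal_get_title() through strip_tags(), but the fallback `variable_get('site_name', 'drupal')` on the same line is still written out unescaped; it is admin-controlled, but for consistency it should be `check_plain(variable_get('site_name', 'drupal'))`. Note also that strip_tags() is a weaker treatment than the check_plain() the common.inc hunk applies to menu titles — it only protects this context from a stray `</title>`, and a bare `&` in a title set via drupal_set_title() reaches the page as-is. theme_placeholder()'s docblock makes its plain-text-in / HTML-out contract explicit; the same one-line contract belongs on drupal_get_title() (outside this section) now that it returns escaped text.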
......@@ -91,7 +91,7 @@ function archive_calendar($original = 0) {
$output .= "\n<!-- calendar -->\n";
$output .= '<div class="calendar">';
$output .= '<table summary="'. t('A calendar to browse the archives') .".\">\n";
$output .= ' <caption>'. l('&laquo;', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('&raquo;', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : '&nbsp;') ."</caption>\n";
$output .= ' <caption>'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ') ."</caption>\n";
// First day of week (0 => Sunday, 1 => Monday, ...)
$weekstart = variable_get('date_first_day', 0);
......
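Review bot: The `'&nbsp;'` in the else-branch of the caption line is concatenated straight into `$output` and never passes through l(), so unlike the `&laquo;`/`&raquo;` link texts it did not need to become a literal character; on this rendered line the replacement is invisible, which is exactly the problem with a raw U+00A0 in source — editors and encoding conversions silently mangle it. Keep the entity there, `: '&nbsp;') ."</caption>\n";`, and leave only the l() arguments as literal `«`/`»`. The change to those suggests l() now escapes its text argument (so an entity would be double-encoded); a short comment to that effect at the call site would explain why the two halves of the line are treated differently.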
......@@ -91,7 +91,7 @@ function archive_calendar($original = 0) {
$output .= "\n<!-- calendar -->\n";
$output .= '<div class="calendar">';
$output .= '<table summary="'. t('A calendar to browse the archives') .".\">\n";
$output .= ' <caption>'. l('&laquo;', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('&raquo;', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : '&nbsp;') ."</caption>\n";
$output .= ' <caption>'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ') ."</caption>\n";
// First day of week (0 => Sunday, 1 => Monday, ...)
$weekstart = variable_get('date_first_day', 0);
......
......@@ -86,7 +86,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) {
case 'list':
$result = db_query('SELECT bid, title, info FROM {boxes} ORDER BY title');
while ($block = db_fetch_object($result)) {
$blocks[$block->bid]['info'] = $block->info ? $block->info : $block->title;
$blocks[$block->bid]['info'] = $block->info ? check_plain($block->info) : check_plain($block->title);
}
return $blocks;
......@@ -103,7 +103,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) {
case 'view':
$block = db_fetch_object(db_query('SELECT * FROM {boxes} WHERE bid = %d', $delta));
$data['subject'] = $block->title;
$data['subject'] = check_plain($block->title);
$data['content'] = check_output($block->body, $block->format);
return $data;
}
......@@ -335,13 +335,13 @@ function block_box_delete($bid = 0) {
if ($_POST['edit']['confirm']) {
db_query('DELETE FROM {boxes} WHERE bid = %d', $bid);
drupal_set_message(t('The block %name has been deleted.', array('%name' => '<em>'. $info .'</em>')));
drupal_set_message(t('The block %name has been deleted.', array('%name' => theme('placeholder', $info))));
cache_clear_all();
drupal_goto('admin/block');
}
else {
$output = theme('confirm',
t('Are you sure you want to delete the block %name?', array('%name' => '<em>'. $info .'</em>')),
t('Are you sure you want to delete the block %name?', array('%name' => theme('placeholder', $info))),
'admin/block',
NULL,
t('Delete'));
......
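Review bot: block_block()'s 'list' and 'view' branches now return `info` and `subject` already run through check_plain(), which silently changes the contract of the hook return values from plain text to HTML; any consumer of hook_block that escapes these on output will now double-encode. Document it at the top of the 'list' case, e.g. `// 'info' and 'subject' are returned as escaped HTML; callers must not check_plain() them again.` In block_box_delete() `$info` is assigned above the hunk, and theme('placeholder') is only right if it holds the raw database value rather than something already escaped — worth confirming.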
......@@ -86,7 +86,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) {
case 'list':
$result = db_query('SELECT bid, title, info FROM {boxes} ORDER BY title');
while ($block = db_fetch_object($result)) {
$blocks[$block->bid]['info'] = $block->info ? $block->info : $block->title;
$blocks[$block->bid]['info'] = $block->info ? check_plain($block->info) : check_plain($block->title);
}
return $blocks;
......@@ -103,7 +103,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) {
case 'view':
$block = db_fetch_object(db_query('SELECT * FROM {boxes} WHERE bid = %d', $delta));
$data['subject'] = $block->title;
$data['subject'] = check_plain($block->title);
$data['content'] = check_output($block->body, $block->format);
return $data;
}
......@@ -335,13 +335,13 @@ function block_box_delete($bid = 0) {
if ($_POST['edit']['confirm']) {
db_query('DELETE FROM {boxes} WHERE bid = %d', $bid);
drupal_set_message(t('The block %name has been deleted.', array('%name' => '<em>'. $info .'</em>')));
drupal_set_message(t('The block %name has been deleted.', array('%name' => theme('placeholder', $info))));
cache_clear_all();
drupal_goto('admin/block');
}
else {
$output = theme('confirm',
t('Are you sure you want to delete the block %name?', array('%name' => '<em>'. $info .'</em>')),
t('Are you sure you want to delete the block %name?', array('%name' => theme('placeholder', $info))),
'admin/block',
NULL,
t('Delete'));
......
......@@ -153,7 +153,7 @@ function blogapi_new_post($req_params) {
$nid = node_save($node);
if ($nid) {
watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
return new xmlrpcresp(new xmlrpcval($nid, 'string'));
}
......@@ -215,7 +215,7 @@ function blogapi_edit_post($req_params) {
}
$nid = node_save($node);
if ($nid) {
watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
return new xmlrpcresp(new xmlrpcval(true, 'boolean'));
}
......
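Review bot: In both watchdog() calls `%title` now goes through theme('placeholder'), but `%type` on the same lines is still `'<em>'. t($node->type) .'</em>'` with no escaping, and `$node->type` originates from the XML-RPC `$req_params` unless it is validated against the known node types above the hunk (not visible here). Make it consistent: `'%type' => theme('placeholder', t($node->type))`. Passing a variable to t() also defeats string extraction for translation, so if the type names are meant to be translatable that wants a separate look.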
......@@ -153,7 +153,7 @@ function blogapi_new_post($req_params) {
$nid = node_save($node);
if ($nid) {
watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
return new xmlrpcresp(new xmlrpcval($nid, 'string'));
}
......@@ -215,7 +215,7 @@ function blogapi_edit_post($req_params) {
}
$nid = node_save($node);
if ($nid) {
watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid"));
return new xmlrpcresp(new xmlrpcval(true, 'boolean'));
}
......
......@@ -148,7 +148,7 @@ function book_block($op = 'list', $delta = 0) {
$expand[] = $node->nid;
}
$block['subject'] = $path[0]->title;
$block['subject'] = check_plain($path[0]->title);
$block['content'] = book_tree($expand[0], 5, $expand);
}
}
......@@ -287,7 +287,7 @@ function book_outline() {
$output .= form_submit(t('Add to book outline'));
}
drupal_set_title($node->title);
drupal_set_title(check_plain($node->title));
print theme('page', form($output));
}
}
......@@ -477,7 +477,7 @@ function theme_book_navigation($node) {
$links .= '<div class="prev">';
$links .= l(t('previous'), 'node/'. $prev->nid, array('title' => t('View the previous page.')));
$links .= '</div>';
$titles .= '<div class="prev">'. $prev->title .'</div>';
$titles .= '<div class="prev">'. check_plain($prev->title) .'</div>';
}
else {
$links .= '<div class="prev">&nbsp;</div>'; // Make an empty div to fill the space.
......@@ -486,7 +486,7 @@ function theme_book_navigation($node) {
$links .= '<div class="next">';
$links .= l(t('next'), 'node/'. $next->nid, array('title' => t('View the next page.')));
$links .= '</div>';
$titles .= '<div class="next">'. $next->title .'</div>';
$titles .= '<div class="next">'. check_plain($next->title) .'</div>';
}
else {
$links .= '<div class="next">&nbsp;</div>'; // Make an empty div to fill the space.
......@@ -633,7 +633,7 @@ function book_print($nid = 0, $depth = 1) {
// Allow modules to change $node->body before viewing.
node_invoke_nodeapi($node, 'view', $node->body, false);
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>';
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>';
if ($node->body) {
$output .= $node->body;
......@@ -643,7 +643,7 @@ function book_print($nid = 0, $depth = 1) {
$output .= book_print_recurse($nid, $depth);
$html = '<html><head><title>'. $node->title .'</title>';
$html = '<html><head><title>'. check_plain($node->title) .'</title>';
$html .= '<base href="'. $base_url .'/" />';
$html .= "<style type=\"text/css\">\n@import url(misc/print.css);\n</style>";
$html .= '</head><body>'. $output .'</body></html>';
......@@ -671,7 +671,7 @@ function book_print_recurse($parent = '', $depth = 1) {
// Allow modules to change $node->body before viewing.
node_invoke_nodeapi($node, 'view', $node->body, false);
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>';
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>';
if ($node->body) {
$output .= '<ul>'. $node->body .'</ul>';
......@@ -707,7 +707,7 @@ function book_admin_view($nid, $depth = 0) {
if ($nid) {
$node = node_load(array('nid' => $nid));
$output .= '<h3>'. $node->title .'</h3>';
$output .= '<h3>'. check_plain($node->title) .'</h3>';
$header = array(t('Title'), t('Weight'), array('data' => t('Operations'), 'colspan' => '3'));
$rows[] = book_admin_view_line($node);
......@@ -738,7 +738,7 @@ function book_admin_save($nid, $edit = array()) {
}
}
$message = t('Updated book %title.', array('%title' => "<em>$book->title</em>"));
$message = t('Updated book %title.', array('%title' => theme('placeholder', $book->title)));
watchdog('content', $message);
return $message;
......
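Review bot: In book_print() and book_print_recurse() the heading now escapes `$node->title`, but the very next statement, `$output .= $node->body;`, still emits the body verbatim, relying on the preceding `node_invoke_nodeapi($node, 'view', ...)` to have filtered it with the node's output format — nothing in the hunk shows that. If that is the contract, say so next to the assignment: `// $node->body is assumed to have been filtered (check_output) by the nodeapi 'view' hook above.`, and if it is not, this is the one place in the file where unfiltered stored markup reaches the page. book_print() and book_print_recurse() both continue outside the hunks.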
......@@ -148,7 +148,7 @@ function book_block($op = 'list', $delta = 0) {
$expand[] = $node->nid;
}
$block['subject'] = $path[0]->title;
$block['subject'] = check_plain($path[0]->title);
$block['content'] = book_tree($expand[0], 5, $expand);
}
}
......@@ -287,7 +287,7 @@ function book_outline() {
$output .= form_submit(t('Add to book outline'));
}
drupal_set_title($node->title);
drupal_set_title(check_plain($node->title));
print theme('page', form($output));
}
}
......@@ -477,7 +477,7 @@ function theme_book_navigation($node) {
$links .= '<div class="prev">';
$links .= l(t('previous'), 'node/'. $prev->nid, array('title' => t('View the previous page.')));
$links .= '</div>';
$titles .= '<div class="prev">'. $prev->title .'</div>';
$titles .= '<div class="prev">'. check_plain($prev->title) .'</div>';
}
else {
$links .= '<div class="prev">&nbsp;</div>'; // Make an empty div to fill the space.
......@@ -486,7 +486,7 @@ function theme_book_navigation($node) {
$links .= '<div class="next">';
$links .= l(t('next'), 'node/'. $next->nid, array('title' => t('View the next page.')));
$links .= '</div>';
$titles .= '<div class="next">'. $next->title .'</div>';
$titles .= '<div class="next">'. check_plain($next->title) .'</div>';
}
else {
$links .= '<div class="next">&nbsp;</div>'; // Make an empty div to fill the space.
......@@ -633,7 +633,7 @@ function book_print($nid = 0, $depth = 1) {
// Allow modules to change $node->body before viewing.
node_invoke_nodeapi($node, 'view', $node->body, false);
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>';
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>';
if ($node->body) {
$output .= $node->body;
......@@ -643,7 +643,7 @@ function book_print($nid = 0, $depth = 1) {
$output .= book_print_recurse($nid, $depth);
$html = '<html><head><title>'. $node->title .'</title>';
$html = '<html><head><title>'. check_plain($node->title) .'</title>';
$html .= '<base href="'. $base_url .'/" />';
$html .= "<style type=\"text/css\">\n@import url(misc/print.css);\n</style>";
$html .= '</head><body>'. $output .'</body></html>';
......@@ -671,7 +671,7 @@ function book_print_recurse($parent = '', $depth = 1) {
// Allow modules to change $node->body before viewing.
node_invoke_nodeapi($node, 'view', $node->body, false);
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>';
$output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>';
if ($node->body) {
$output .= '<ul>'. $node->body .'</ul>';
......@@ -707,7 +707,7 @@ function book_admin_view($nid, $depth = 0) {
if ($nid) {
$node = node_load(array('nid' => $nid));
$output .= '<h3>'. $node->title .'</h3>';
$output .= '<h3>'. check_plain($node->title) .'</h3>';
$header = array(t('Title'), t('Weight'), array('data' => t('Operations'), 'colspan' => '3'));
$rows[] = book_admin_view_line($node);
......@@ -738,7 +738,7 @@ function book_admin_save($nid, $edit = array()) {
}
}
$message = t('Updated book %title.', array('%title' => "<em>$book->title</em>"));
$message = t('Updated book %title.', array('%title' => theme('placeholder', $book->title)));
watchdog('content', $message);
return $message;
......
......@@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) {
$text = '';
$comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid);
while ($comment = db_fetch_object($comments)) {
$text .= '<h2>'. $comment->subject .'</h2>'. check_output($comment->comment, $comment->format);
$text .= '<h2>'. check_plain($comment->subject) .'</h2>'. check_output($comment->comment, $comment->format);
}
return $text;
......@@ -431,9 +431,12 @@ function comment_validate_form($edit) {
// Validate the comment's subject. If not specified, extract
// one from the comment's body.
$edit['subject'] = strip_tags($edit['subject']);
if ($edit['subject'] == '') {
$edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE);
if (trim($edit['subject']) == '') {
// The body may be in any format, so we:
// 1) Filter it into HTML
// 2) Strip out all HTML tags
// 3) Convert entities back to plain-text.
$edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE);
}
// Validate the comment's body.
......@@ -450,7 +453,7 @@ function comment_validate_form($edit) {
if (!$user->uid) {
if (variable_get('comment_anonymous', 0) > 0) {
if ($edit['name']) {
$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0);
$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0);
if ($taken != 0) {
form_set_error('name', t('The name you used belongs to a registered user.'));
......@@ -494,7 +497,7 @@ function comment_preview($edit) {
// Attach the user and time information.
$comment->uid = $user->uid;
$comment->timestamp = time();
$comment->name = $user->name ? $user->name : $comment->name;
$comment->name = check_plain($user->name ? $user->name : $comment->name);
// Preview the comment.
$output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1)));
......@@ -523,7 +526,7 @@ function comment_post($edit) {
// validated/filtered data to perform such check.
$duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0);
if ($duplicate != 0) {
watchdog('content', t('Comment: duplicate %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING);
watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
}
if ($edit['cid']) {
......@@ -538,7 +541,7 @@ function comment_post($edit) {
module_invoke_all('comment', 'update', $edit);
// Add an entry to the watchdog log.
watchdog('content', t('Comment: updated %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
}
else {
// Add the comment to database.
......@@ -641,7 +644,7 @@ function comment_post($edit) {
module_invoke_all('comment', 'insert', $edit);
// Add an entry to the watchdog log.
watchdog('content', t('Comment: added %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
}
// Clear the cache so an anonymous user can see his comment being added.
......@@ -662,7 +665,7 @@ function comment_post($edit) {
}
}
else {
watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING);
watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
}
}
......@@ -974,7 +977,7 @@ function comment_delete($cid) {
}
else if ($comment->cid) {
$output = theme('confirm',
t('Are you sure you want to delete the comment %title?', array('%title' => '<em>'. $comment->subject .'</em>')),
t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))),
'node/'. $comment->nid,
t('Any replies to this comment will be lost. This action cannot be undone.'),
t('Delete'));
......@@ -992,7 +995,7 @@ function comment_delete($cid) {
function comment_save($id, $edit) {
db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id);
watchdog('content', t('Comment: modified %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')));
watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject']))));
drupal_set_message(t('The comment has been saved.'));
_comment_update_node_statistics($edit['nid']);
......@@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') {
while ($comment = db_fetch_object($result)) {
$comment->name = $comment->uid ? $comment->registered_name : $comment->name;
$rows[] = array(
l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)),
l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)),
format_name($comment),
($comment->status == 0 ? t('Published') : t('Not published')),
format_date($comment->timestamp, 'small'),
......@@ -1624,7 +1627,7 @@ function theme_comment_post_forbidden() {
function _comment_delete_thread($comment) {
// Delete the comment:
db_query('DELETE FROM {comments} WHERE cid = %d', $comment->cid);
watchdog('content', t('Comment: deleted %subject.', array('%subject' => "<em>$comment->subject</em>")));
watchdog('content', t('Comment: deleted %subject.', array('%subject' => theme('placeholder', $comment->subject))));
module_invoke_all('comment', 'delete', $comment);
......
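Review bot: The anonymous-name check in comment_validate_form() compares `LOWER(name)` against `$edit['name']` without lowercasing the input, so on a case-sensitive collation (PostgreSQL, or a `_bin`/`_cs` MySQL collation) an anonymous poster can get past the registered-user name check simply by varying the case of an existing account name; dropping strip_tags() on this line was right, but it should read `... LOWER(name) = LOWER('%s')", $edit['name'])` or pass `strtolower($edit['name'])` from the PHP side. The default-subject path now renders the body with `check_output($edit['comment'], $edit['format'])` using the format value submitted with the form; that is only safe if the user's permission to use that format has been checked before this point, which is not visible in the hunk. Everything else in this section moves escaping to output, which is the right direction; the remaining input-side `strip_tags($edit['subject'])` is now a lossy leftover rather than a safety measure.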
......@@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) {
$text = '';
$comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid);
while ($comment = db_fetch_object($comments)) {
$text .= '<h2>'. $comment->subject .'</h2>'. check_output($comment->comment, $comment->format);
$text .= '<h2>'. check_plain($comment->subject) .'</h2>'. check_output($comment->comment, $comment->format);
}
return $text;
......@@ -431,9 +431,12 @@ function comment_validate_form($edit) {
// Validate the comment's subject. If not specified, extract
// one from the comment's body.
$edit['subject'] = strip_tags($edit['subject']);
if ($edit['subject'] == '') {
$edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE);
if (trim($edit['subject']) == '') {
// The body may be in any format, so we:
// 1) Filter it into HTML
// 2) Strip out all HTML tags
// 3) Convert entities back to plain-text.
$edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE);
}
// Validate the comment's body.
......@@ -450,7 +453,7 @@ function comment_validate_form($edit) {
if (!$user->uid) {
if (variable_get('comment_anonymous', 0) > 0) {
if ($edit['name']) {
$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0);
$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0);
if ($taken != 0) {
form_set_error('name', t('The name you used belongs to a registered user.'));
......@@ -494,7 +497,7 @@ function comment_preview($edit) {
// Attach the user and time information.
$comment->uid = $user->uid;
$comment->timestamp = time();
$comment->name = $user->name ? $user->name : $comment->name;
$comment->name = check_plain($user->name ? $user->name : $comment->name);
// Preview the comment.
$output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1)));
......@@ -523,7 +526,7 @@ function comment_post($edit) {
// validated/filtered data to perform such check.
$duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0);
if ($duplicate != 0) {
watchdog('content', t('Comment: duplicate %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING);
watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
}
if ($edit['cid']) {
......@@ -538,7 +541,7 @@ function comment_post($edit) {
module_invoke_all('comment', 'update', $edit);
// Add an entry to the watchdog log.
watchdog('content', t('Comment: updated %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
}
else {
// Add the comment to database.
......@@ -641,7 +644,7 @@ function comment_post($edit) {
module_invoke_all('comment', 'insert', $edit);
// Add an entry to the watchdog log.
watchdog('content', t('Comment: added %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
}
// Clear the cache so an anonymous user can see his comment being added.
......@@ -662,7 +665,7 @@ function comment_post($edit) {
}
}
else {
watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING);
watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
}
}
......@@ -974,7 +977,7 @@ function comment_delete($cid) {
}
else if ($comment->cid) {
$output = theme('confirm',
t('Are you sure you want to delete the comment %title?', array('%title' => '<em>'. $comment->subject .'</em>')),
t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))),
'node/'. $comment->nid,
t('Any replies to this comment will be lost. This action cannot be undone.'),
t('Delete'));
......@@ -992,7 +995,7 @@ function comment_delete($cid) {
function comment_save($id, $edit) {
db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id);
watchdog('content', t('Comment: modified %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')));
watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject']))));
drupal_set_message(t('The comment has been saved.'));
_comment_update_node_statistics($edit['nid']);
......@@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') {
while ($comment = db_fetch_object($result)) {
$comment->name = $comment->uid ? $comment->registered_name : $comment->name;
$rows[] = array(
l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)),
l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)),