Commit ac4e6d49 authored by quicksketch's avatar quicksketch

Sanitizing file names before output in tokens and formatters.

parent 07083e2f
......@@ -38,9 +38,9 @@ function filefield_token_values($type, $object = NULL) {
if ($type == 'field' && isset($object[0]['fid'])) {
$item = $object[0];
$tokens['filefield-fid'] = $item['fid'];
$tokens['filefield-description'] = isset($item['data']['description']) ? $item['data']['description'] : '';
$tokens['filefield-filename'] = $item['filename'];
$tokens['filefield-filepath'] = $item['filepath'];
$tokens['filefield-description'] = isset($item['data']['description']) ? check_plain($item['data']['description']) : '';
$tokens['filefield-filename'] = check_plain($item['filename']);
$tokens['filefield-filepath'] = check_plain($item['filepath']);
$tokens['filefield-filemime'] = $item['filemime'];
$tokens['filefield-filesize'] = $item['filesize'];
$tokens['filefield-filesize_formatted'] = format_size($item['filesize']);
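Review bot: `filefield-filemime` on the line right after the three escaped assignments is still emitted raw while `filefield-description`, `filefield-filename` and `filefield-filepath` now pass through check_plain(); the mime string comes from the same stored file record, so for consistency it should read `$tokens['filefield-filemime'] = check_plain($item['filemime']);`. Because the escaped values are now HTML, any plain-text consumer of these tokens (mail bodies, generated URLs) no longer has access to the original value; the usual convention for sanitized tokens is to also expose `-raw` variants such as `$tokens['filefield-filename-raw'] = $item['filename'];`, with the corresponding token list entries marking them as requiring escaping by the caller. filefield_token_values() begins before this hunk.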
......@@ -39,8 +39,7 @@ function theme_filefield_formatter_path_plain($element) {
if (empty($item['filepath']) && !empty($item['fid'])) {
$item = array_merge($item, field_file_load($item['fid']));
}
return empty($item['filepath']) ? '' : file_create_path($item['filepath']);
return empty($item['filepath']) ? '' : check_plain(file_create_path($item['filepath']));
}
/**
......@@ -63,7 +62,21 @@ function theme_filefield_formatter_url_plain($element) {
$item = array_merge($item, field_file_load($item['fid']));
}
return empty($item['filepath']) ? '' : file_create_url($item['filepath']);
if (empty($item['filepath'])) {
return '';
}
// Encode the parts of the path to ensure URLs operate within href attributes.
// Private file paths are urlencoded for us inside of file_create_url().
if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PUBLIC) {
$parts = explode('/', $item['filepath']);
foreach ($parts as $index => $part) {
$parts[$index] = rawurlencode($part);
}
$item['filepath'] = implode('/', $parts);
}
return file_create_url($item['filepath']);
}
/**
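Review bot: Encoding the whole `$item['filepath']` before the file_create_url() call in the public branch likely breaks prefix stripping: if file_create_url() detects and removes the file_directory_path() prefix by a literal string comparison (as the Drupal 6 core implementation does), a files directory whose name contains a character rawurlencode() alters (a space, non-ASCII) no longer matches and the directory appears twice in the URL. Encoding only the portion after the directory prefix and leaving the prefix literal keeps that match intact while still percent-encoding every quote, angle bracket and ampersand that a user-controlled filename can contain, which is the reason no check_plain() is needed here unlike theme_filefield_formatter_path_plain(). The per-part loop also collapses to `implode('/', array_map('rawurlencode', explode('/', $relative)))`. The private branch depends on file_create_url() encoding the path as the comment states; that holds only as far as url() escapes it, which is outside this hunk. theme_filefield_formatter_url_plain() begins before the hunk.
```php
  if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PUBLIC) {
    // Leave the files-directory prefix literal so file_create_url() can still
    // recognise and strip it; encode only the user-controlled remainder.
    $prefix = '';
    $relative = $item['filepath'];
    $directory = file_directory_path() . '/';
    if (strpos($relative, $directory) === 0) {
      $prefix = $directory;
      $relative = substr($relative, strlen($directory));
    }
    $item['filepath'] = $prefix . implode('/', array_map('rawurlencode', explode('/', $relative)));
  }
  // … unchanged: return file_create_url($item['filepath']); …
```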