From a001325d18341c12355ecfc17cc3f08728bfeace Mon Sep 17 00:00:00 2001
From: Earl Miles <merlin@logrus.com>
Date: Thu, 7 Sep 2006 17:42:26 +0000
Subject: [PATCH] more check_plain on arguments to ensure safety.

---
 modules/views_book.inc | 2 +-
 modules/views_node.inc | 10 +++++-----
 modules/views_taxonomy.inc | 3 +--
 modules/views_user.inc | 4 ++--
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/modules/views_book.inc b/modules/views_book.inc
index 39f747db3..241381647 100644
--- a/modules/views_book.inc
+++ b/modules/views_book.inc
@@ -110,7 +110,7 @@ function views_handler_arg_book_parent($op, & $query, $argtype, $arg = '') {
 if ($query) {
 $term = db_fetch_object(db_query("SELECT title FROM {node} WHERE nid = '%d'", $query));
- return $term->title;
+ return check_plain($term->title);
 }
 }
 }
diff --git a/modules/views_node.inc b/modules/views_node.inc
index 42ff3ca02..39833d2f3 100644
--- a/modules/views_node.inc
+++ b/modules/views_node.inc
@@ -476,7 +476,7 @@ function views_handler_arg_nodeletter($op, &$query, $argtype, $arg = '') {
 case 'link':
 return l(strtoupper($query->letter), "$arg/$query->letter");
 case 'title':
- return strtoupper($query);
+ return check_plain(strtoupper($query));
 }
 }
@@ -500,7 +500,7 @@ function views_handler_arg_year($op, &$query, $argtype, $arg = '') {
 case 'link':
 return l($query->year, "$arg/$query->year");
 case 'title':
- return $query;
+ return check_plain($query);
 }
 }
 function views_handler_arg_month($op, &$query, $argtype, $arg = '') {
@@ -549,7 +549,7 @@ function views_handler_arg_week($op, &$query, $argtype, $arg = '') {
 case 'link':
 return l("Week $query->name", "$arg/$query->name");
 case 'title':
- return $query;
+ return check_plain($query);
 }
 }
 function views_handler_arg_monthyear($op, &$query, $argtype, $arg = '') {
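Review bot: `$term` in views_handler_arg_book_parent holds a {node} row, not a taxonomy term, and db_fetch_object() returns FALSE when no node has that nid, so the new `check_plain($term->title)` still dereferences a non-object for a stale or unknown nid argument. Guard the lookup, e.g. `return $term ? check_plain($term->title) : '';`, and rename the local to `$node` so the next reader is not misled. The same unguarded db_fetch_object() followed by a property access appears in the views_node.inc hunk at -614 (`$node->title`) and in both views_user.inc hunks (`$user->name`). The enclosing switch and function start above the hunk.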
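Review bot: `check_plain(strtoupper($query))` in views_handler_arg_nodeletter escapes the argument, but strtoupper() is byte-wise, so a non-ASCII letter argument is either left unchanged or, under a non-C locale, can be turned into bytes that are no longer valid UTF-8 before check_plain() sees them. If this core version ships drupal_strtoupper() in unicode.inc, prefer `return check_plain(drupal_strtoupper($query));` here and `return l(drupal_strtoupper($query->letter), "$arg/$query->letter");` in the link case, which already relies on l() escaping its text. The function's switch starts above the hunk.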
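Review bot: The hunks at -500 (views_handler_arg_year) and -549 (views_handler_arg_week) escape the raw argument in the 'title' case, but the neighbouring handlers visible only at the hunk edges, views_handler_arg_month and views_handler_arg_monthyear, are not touched by this patch and their 'title' cases lie outside the diff. If they also `return $query;` they need the same `return check_plain($query);`, since every one of these titles comes straight from the URL argument. Both hunks' switch statements begin above the hunk.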
@@ -614,7 +614,7 @@ function views_handler_arg_nid($op, &$query, $argtype, $arg = '') {
 return l($query->title, "$arg/$query->nid");
 case 'title':
 $node = db_fetch_object(db_query("SELECT title FROM {node} WHERE nid=%d", $query));
- return $node->title;
+ return check_plain($node->title);
 }
 }
@@ -714,7 +714,7 @@ function views_handler_arg_node_feed($op, &$query, $argtype, $arg = '') {
 case 'title':
 break;
 case 'filter':
- // Can't use node_invoke_all because we're using a reference to
+ // Can't use node_invoke_all because we're using a reference to
 // $view.
 foreach (module_implements('views_feed_argument') as $name) {
 $function = $name .'_views_feed_argument';
diff --git a/modules/views_taxonomy.inc b/modules/views_taxonomy.inc
index 9040e468d..d7e7223e9 100644
--- a/modules/views_taxonomy.inc
+++ b/modules/views_taxonomy.inc
@@ -340,8 +340,7 @@ function views_handler_arg_vocid($op, &$query, $argtype, $arg = '') {
 case 'title':
 $result = db_query("SELECT name FROM {vocabulary} WHERE vid = %d", $query);
 $voc = db_fetch_object($result);
- $title = check_plain($voc->name);
- return $title;
+ return check_plain($voc->name);
 }
 }
diff --git a/modules/views_user.inc b/modules/views_user.inc
index 32a37e618..857ca9b3f 100644
--- a/modules/views_user.inc
+++ b/modules/views_user.inc
@@ -225,7 +225,7 @@ function views_handler_arg_uid($op, &$query, $argtype, $arg = '') {
 return variable_get('anonymous', 'Anonymous');
 }
 $user = db_fetch_object(db_query("SELECT name FROM {users} WHERE uid = '%d'", $query));
- return $user->name;
+ return check_plain($user->name);
 }
 }
@@ -260,7 +260,7 @@ function views_handler_arg_uid_touch($op, &$query, $argtype, $arg = '') {
 return variable_get('anonymous', 'Anonymous');
 }
 $user = db_fetch_object(db_query("SELECT name FROM {users} WHERE uid = '%d'", $query));
- return $user->name;
+ return check_plain($user->name);
 }
 }
-- 
GitLab
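Review bot: In views_handler_arg_uid the new `return check_plain($user->name);` escapes the database value, but the `return variable_get('anonymous', 'Anonymous');` two lines above still returns the configured anonymous label unescaped, so the 'title' case now has one escaped and one raw exit path. Wrap it as `return check_plain(variable_get('anonymous', 'Anonymous'));` so every title this handler returns is escaped uniformly; the identical block in views_handler_arg_uid_touch at -260 needs the same change, and the two could share a small helper instead of duplicating the lookup. The `if` guarding the anonymous return starts above the hunk.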