a001325d
Commit
a001325d
authored
Sep 07, 2006
by
merlinofchaos
more check_plain on arguments to ensure safety.
parent
8fec1ada
Changes
4
Showing
4 changed files
with
9 additions
and
10 deletions
+9
-10
modules/views_book.inc
modules/views_book.inc
+1
-1
modules/views_node.inc
modules/views_node.inc
+5
-5
modules/views_taxonomy.inc
modules/views_taxonomy.inc
+1
-2
modules/views_user.inc
modules/views_user.inc
+2
-2
modules/views_book.inc
...
@@ -110,7 +110,7 @@ function views_handler_arg_book_parent($op, & $query, $argtype, $arg = '') {
...
@@ -110,7 +110,7 @@ function views_handler_arg_book_parent($op, & $query, $argtype, $arg = '') {
if
(
$query
)
if
(
$query
)
{
{
$term
=
db_fetch_object
(
db_query
(
"SELECT title FROM
{
node
}
WHERE nid = '%d'"
,
$query
));
$term
=
db_fetch_object
(
db_query
(
"SELECT title FROM
{
node
}
WHERE nid = '%d'"
,
$query
));
return
$term
->
title
;
return
check_plain
(
$term
->
title
)
;
}
}
}
}
}
}
...
...
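Review bot: The new `return check_plain($term->title);` still reads `$term->title` without checking that db_fetch_object() found a row; for a nid with no matching node it returns FALSE, so the property read is on a non-object (a notice on PHP 5) and check_plain() is handed NULL. A guard keeps the escaping and handles the miss explicitly: `return $term ? check_plain($term->title) : '';`. The same unguarded dereference follows the fetch in the views_handler_arg_nid hunk of modules/views_node.inc, the views_handler_arg_vocid hunk of modules/views_taxonomy.inc, and both hunks of modules/views_user.inc. views_handler_arg_book_parent starts and ends outside the hunk.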
modules/views_node.inc
...
@@ -476,7 +476,7 @@ function views_handler_arg_nodeletter($op, &$query, $argtype, $arg = '') {
...
@@ -476,7 +476,7 @@ function views_handler_arg_nodeletter($op, &$query, $argtype, $arg = '') {
case
'link'
:
case
'link'
:
return
l
(
strtoupper
(
$query
->
letter
),
"
$arg
/
$query->letter
"
);
return
l
(
strtoupper
(
$query
->
letter
),
"
$arg
/
$query->letter
"
);
case
'title'
:
case
'title'
:
return
strtoupper
(
$query
);
return
check_plain
(
strtoupper
(
$query
)
)
;
}
}
}
}
...
@@ -500,7 +500,7 @@ function views_handler_arg_year($op, &$query, $argtype, $arg = '') {
...
@@ -500,7 +500,7 @@ function views_handler_arg_year($op, &$query, $argtype, $arg = '') {
case
'link'
:
case
'link'
:
return
l
(
$query
->
year
,
"
$arg
/
$query->year
"
);
return
l
(
$query
->
year
,
"
$arg
/
$query->year
"
);
case
'title'
:
case
'title'
:
return
$query
;
return
check_plain
(
$query
)
;
}
}
}
}
function
views_handler_arg_month
(
$op
,
&
$query
,
$argtype
,
$arg
=
''
)
{
function
views_handler_arg_month
(
$op
,
&
$query
,
$argtype
,
$arg
=
''
)
{
...
@@ -549,7 +549,7 @@ function views_handler_arg_week($op, &$query, $argtype, $arg = '') {
...
@@ -549,7 +549,7 @@ function views_handler_arg_week($op, &$query, $argtype, $arg = '') {
case
'link'
:
case
'link'
:
return
l
(
"Week
$query->name
"
,
"
$arg
/
$query->name
"
);
return
l
(
"Week
$query->name
"
,
"
$arg
/
$query->name
"
);
case
'title'
:
case
'title'
:
return
$query
;
return
check_plain
(
$query
)
;
}
}
}
}
function
views_handler_arg_monthyear
(
$op
,
&
$query
,
$argtype
,
$arg
=
''
)
{
function
views_handler_arg_monthyear
(
$op
,
&
$query
,
$argtype
,
$arg
=
''
)
{
...
@@ -614,7 +614,7 @@ function views_handler_arg_nid($op, &$query, $argtype, $arg = '') {
...
@@ -614,7 +614,7 @@ function views_handler_arg_nid($op, &$query, $argtype, $arg = '') {
return
l
(
$query
->
title
,
"
$arg
/
$query->nid
"
);
return
l
(
$query
->
title
,
"
$arg
/
$query->nid
"
);
case
'title'
:
case
'title'
:
$node
=
db_fetch_object
(
db_query
(
"SELECT title FROM
{
node
}
WHERE nid=%d"
,
$query
));
$node
=
db_fetch_object
(
db_query
(
"SELECT title FROM
{
node
}
WHERE nid=%d"
,
$query
));
return
$node
->
title
;
return
check_plain
(
$node
->
title
)
;
}
}
}
}
...
@@ -714,7 +714,7 @@ function views_handler_arg_node_feed($op, &$query, $argtype, $arg = '') {
...
@@ -714,7 +714,7 @@ function views_handler_arg_node_feed($op, &$query, $argtype, $arg = '') {
case
'title'
:
case
'title'
:
break
;
break
;
case
'filter'
:
case
'filter'
:
// Can't use node_invoke_all because we're using a reference to
// Can't use node_invoke_all because we're using a reference to
// $view.
// $view.
foreach
(
module_implements
(
'views_feed_argument'
)
as
$name
)
{
foreach
(
module_implements
(
'views_feed_argument'
)
as
$name
)
{
$function
=
$name
.
'_views_feed_argument'
;
$function
=
$name
.
'_views_feed_argument'
;
...
...
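Review bot: The `'link'` cases in the views_handler_arg_nodeletter, views_handler_arg_year and views_handler_arg_week hunks still hand `$query->letter`, `$query->year` and `$query->name` to l() as link text, while the `'title'` cases directly below them are now wrapped in check_plain(); that asymmetry is only safe if l() escapes its $text argument itself, which it does when the $html parameter is left at FALSE in the Drupal core versions I know, but confirm that for the version this module targets. If it does not, `return l(check_plain($query->year), "$arg/$query->year");` and the matching line in the other two hunks close the gap. Each of these functions begins outside its hunk, so the preceding switch and argument handling are not visible here.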
modules/views_taxonomy.inc
...
@@ -340,8 +340,7 @@ function views_handler_arg_vocid($op, &$query, $argtype, $arg = '') {
...
@@ -340,8 +340,7 @@ function views_handler_arg_vocid($op, &$query, $argtype, $arg = '') {
case
'title'
:
case
'title'
:
$result
=
db_query
(
"SELECT name FROM
{
vocabulary
}
WHERE vid = %d"
,
$query
);
$result
=
db_query
(
"SELECT name FROM
{
vocabulary
}
WHERE vid = %d"
,
$query
);
$voc
=
db_fetch_object
(
$result
);
$voc
=
db_fetch_object
(
$result
);
$title
=
check_plain
(
$voc
->
name
);
return
check_plain
(
$voc
->
name
);
return
$title
;
}
}
}
}
...
...
modules/views_user.inc
...
@@ -225,7 +225,7 @@ function views_handler_arg_uid($op, &$query, $argtype, $arg = '') {
...
@@ -225,7 +225,7 @@ function views_handler_arg_uid($op, &$query, $argtype, $arg = '') {
return
variable_get
(
'anonymous'
,
'Anonymous'
);
return
variable_get
(
'anonymous'
,
'Anonymous'
);
}
}
$user
=
db_fetch_object
(
db_query
(
"SELECT name FROM
{
users
}
WHERE uid = '%d'"
,
$query
));
$user
=
db_fetch_object
(
db_query
(
"SELECT name FROM
{
users
}
WHERE uid = '%d'"
,
$query
));
return
$user
->
name
;
return
check_plain
(
$user
->
name
)
;
}
}
}
}
...
@@ -260,7 +260,7 @@ function views_handler_arg_uid_touch($op, &$query, $argtype, $arg = '') {
...
@@ -260,7 +260,7 @@ function views_handler_arg_uid_touch($op, &$query, $argtype, $arg = '') {
return
variable_get
(
'anonymous'
,
'Anonymous'
);
return
variable_get
(
'anonymous'
,
'Anonymous'
);
}
}
$user
=
db_fetch_object
(
db_query
(
"SELECT name FROM
{
users
}
WHERE uid = '%d'"
,
$query
));
$user
=
db_fetch_object
(
db_query
(
"SELECT name FROM
{
users
}
WHERE uid = '%d'"
,
$query
));
return
$user
->
name
;
return
check_plain
(
$user
->
name
)
;
}
}
}
}
...
...
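Review bot: The two hunks (views_handler_arg_uid at -225 and views_handler_arg_uid_touch at -260) now carry a byte-identical anonymous fallback, `{users}` lookup and `check_plain($user->name)` return, so the escaping fix had to be made twice and any later fix (including the missing check that db_fetch_object() returned a row) will have to be made twice again. Moving the lookup into one private helper and calling `return _views_user_name_title($query);` from both `'title'` branches removes the duplication and gives one place to guard the FALSE result; the anonymous-user condition that precedes the first visible line is outside both hunks, so it is left in place. Both enclosing functions start outside their hunks.
```php
// Shared lookup for the 'title' branch of views_handler_arg_uid() and
// views_handler_arg_uid_touch(); both previously ran this same query inline.
function _views_user_name_title($uid) {
  $user = db_fetch_object(db_query("SELECT name FROM {users} WHERE uid = '%d'", $uid));
  // db_fetch_object() returns FALSE when no row matches; do not read a
  // property off FALSE, and return an already-safe empty string instead.
  return $user ? check_plain($user->name) : '';
}
// … unchanged: anonymous fallback in each caller …
```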