security issue #1207 (SA-CONTRIB-2010-023): filter [workflow-current-state-log-entry] token

workflow.module

@@ -2204,11 +2204,11 @@ function workflow_token_values($type, $object = NULL) {
       $values['workflow-current-state-date-tstamp']               =  $row->stamp;
       $values['workflow-current-state-date-formatted']            =  date('M d, Y h:i:s', $row->stamp);
 
-      $values['workflow-current-state-updating-user-name']        = $account->uid ? $account->name : variable_get('anonymous', 'Anonymous');
+      $values['workflow-current-state-updating-user-name']        = $account->uid ? check_plain($account->name) : variable_get('anonymous', 'Anonymous');
       $values['workflow-current-state-updating-user-uid']         = $account->uid;
-      $values['workflow-current-state-updating-user-mail']        = $account->uid ? $account->mail : '';
+      $values['workflow-current-state-updating-user-mail']        = $account->uid ? check_plain($account->mail) : '';
 
-      $values['workflow-current-state-log-entry']                 = $row->comment;
+      $values['workflow-current-state-log-entry']                 = filter_xss($row->comment, array('a', 'em', 'strong'));
       break;
   }