Commit d45f1589 authored by jvandyk's avatar jvandyk

security issue #1207 (SA-CONTRIB-2010-023): filter [workflow-current-state-log-entry] token

parent 9507ec22
...@@ -2204,11 +2204,11 @@ function workflow_token_values($type, $object = NULL) { ...@@ -2204,11 +2204,11 @@ function workflow_token_values($type, $object = NULL) {
$values['workflow-current-state-date-tstamp'] = $row->stamp; $values['workflow-current-state-date-tstamp'] = $row->stamp;
$values['workflow-current-state-date-formatted'] = date('M d, Y h:i:s', $row->stamp); $values['workflow-current-state-date-formatted'] = date('M d, Y h:i:s', $row->stamp);
$values['workflow-current-state-updating-user-name'] = $account->uid ? $account->name : variable_get('anonymous', 'Anonymous'); $values['workflow-current-state-updating-user-name'] = $account->uid ? check_plain($account->name) : variable_get('anonymous', 'Anonymous');
$values['workflow-current-state-updating-user-uid'] = $account->uid; $values['workflow-current-state-updating-user-uid'] = $account->uid;
$values['workflow-current-state-updating-user-mail'] = $account->uid ? $account->mail : ''; $values['workflow-current-state-updating-user-mail'] = $account->uid ? check_plain($account->mail) : '';
$values['workflow-current-state-log-entry'] = $row->comment; $values['workflow-current-state-log-entry'] = filter_xss($row->comment, array('a', 'em', 'strong'));
break; break;
} }
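Review bot: In the `workflow-current-state-updating-user-name` assignment the new side escapes `$account->name` but still returns the `variable_get('anonymous', 'Anonymous')` fallback unescaped, so the two branches of one token follow different output rules. That fallback is a site-configured string, so wrapping the whole expression is the consistent form: `check_plain($account->uid ? $account->name : variable_get('anonymous', 'Anonymous'))`. The `filter_xss()` call would also benefit from a short comment such as `// Log comments are user-entered; allow only basic inline markup.` so the three-tag allow list is not widened later without thought. `workflow_token_values()` begins and ends outside this hunk, so any other token group there that emits `$row->comment` or account fields should be checked for the same filtering; that cannot be confirmed from the lines shown.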