authorYves Chedemois2007-08-13 19:11:36 (GMT)
committer Yves Chedemois2007-08-13 19:11:36 (GMT)
commitf145c275a782df9b668a8517c3267716ecece08a (patch)
tree81cfbcb13c0052568f43a6d6ec4680e561caf1ca
parentfa98968dba4a346b5a0ed9a74cb5d639249c49c2 (diff)
security fix - missing check_plain's in noderef module5.x-1.6
-rw-r--r--CHANGELOG.txt20
-rw-r--r--nodereference.module18
2 files changed, 24 insertions, 14 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f925ace..a58e3c6 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,16 @@
// $Id$
-5--1.x-dev
-==========
+5--1.6
+======
+
+IMPORTANT : this release fixes two cross-site scripting (XSS) vulnerabilities
+in nodereference.module :
+- when a nodereference field is displayed using the 'plain' formatter
+- when a nodereference field is edited using the 'autocomplete text field' widget
+ (only when _not_ using the 'advanced options - Views.module' for the field)
+
+All sites using CCK / nodereference.module should consider upgrading to this release
+as soon as possible.
Features
--------
@@ -16,7 +25,7 @@ General
Field / widget modules
- #152892 Optionwidgets : Better help text for 'single on/off checkbox' widget label.
- #65133 / #152016 Nodereference : Added 'full node' and 'teaser' formatters.
-- #126926 Skip node_load in noderef formatter.
+- #126926 Nodereference : Skip node_load in 'title'-based formatters.
Bugfix
------
@@ -28,16 +37,17 @@ General
- #157786 Fix capitalization on fieldgroup edit form.
- #136229 Fieldgroup weights not correctly imported when using content_copy.module.
- #149832 Use 'plain' format for views argument handler ($op = 'title').
-- Added whitespace after field labels on node display
+- #137900 Added whitespace after field labels on node display
Field / widget modules
+- Nodereference : Fixed XSS vulnerabilities (missing check_plain's around node titles).
- #147205 Nodereference : Fixed 'advanced settings - view arguments' not working.
- #155327 Nodereference : Added missing "n." table aliases in 'referenceable nodes' query.
- #153284 Nodereference : Fix unneeded and repeating {view_view} queries when
'advanced (Views) node selection' is *not* used.
- #150297 Nodereference : Fix encoded raw htmlentities appearing in select widgets when using
'advanced (Views) node selection' is used.
-- #129016 Nodereference : Prevent possible errors when formatter gets called with non numeric 'nid'.
+- #129016 Nodereference : Prevent possible errors if formatter is called with non numeric 'nid'.
5--1.5
======
diff --git a/nodereference.module b/nodereference.module
index 5e4ae88..8085a6a 100644
--- a/nodereference.module
+++ b/nodereference.module
@@ -97,13 +97,13 @@ function nodereference_field_settings($op, $field) {
case 'filters':
return array(
'default' => array(
- 'list' => '_nodereference_filter_handler',
- 'list-type' => 'list',
- 'operator' => 'views_handler_operator_or',
- 'value-type' => 'array',
- 'extra' => array('field' => $field),
- ),
- );
+ 'list' => '_nodereference_filter_handler',
+ 'list-type' => 'list',
+ 'operator' => 'views_handler_operator_or',
+ 'value-type' => 'array',
+ 'extra' => array('field' => $field),
+ ),
+ );
}
}
@@ -199,7 +199,7 @@ function nodereference_field_formatter($field, $item, $formatter, $node) {
return node_view($referenced_node, TRUE);
case 'plain':
- return $titles[$item['nid']];
+ return check_plain($titles[$item['nid']]);
default:
return l($titles[$item['nid']], 'node/'. $item['nid']);
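Review bot: The new `case 'plain'` line still indexes `$titles[$item['nid']]` without an isset() guard, so if the lookup that fills `$titles` (outside this hunk) can miss a nid — for example a reference to a node that has since been deleted — the line raises a PHP notice and check_plain() returns an empty string; `return isset($titles[$item['nid']]) ? check_plain($titles[$item['nid']]) : '';` keeps the escaping and avoids the notice. The default branch hands the raw title to l(), which in Drupal core escapes its link text unless its $html argument is set, so it should be consistent with this fix provided no code path passes that flag — worth confirming for this Drupal version. nodereference_field_formatter both starts and ends outside the hunk, and the code that populates `$titles` is not visible here.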
@@ -517,7 +517,7 @@ function theme_nodereference_item_advanced($item, $view) {
}
function theme_nodereference_item_simple($item) {
- return $item->node_title;
+ return check_plain($item->node_title);
}
/**
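Review bot: theme_nodereference_item_simple now carries an escaping contract that its callers must rely on, but it has no docblock; I would add above it `/** Theme one node-title match as HTML: the title is passed through check_plain(), so callers must not escape it again. */`. The CHANGELOG ties this widget path to the autocomplete widget without the Views-based selection, which the function name suggests but the hunk does not show, so the docblock should state only what the code does. The sibling theme_nodereference_item_advanced ends at the top of this hunk and its body is outside the view, so I cannot tell whether the Views-rendered path escapes titles equally; since #150297 in the CHANGELOG already mentions double-encoded entities on that path, both functions should be exercised through the autocomplete callback to check that titles are escaped exactly once.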