authorGerhard Killesreiter2006-08-02 18:13:05 +0000
committerGerhard Killesreiter2006-08-02 18:13:05 +0000
commit4d5cd9f5d08eb847e3a0bd0e5ee1bb03da11cac3 (patch)
treeb366df1d8d1837ce04c76306895a3c12b4af4eaf
parentb97a673f45a6e242f329e861a238215898fccbdc (diff)
SA-2006-0114.6.9
-rw-r--r--CHANGELOG.txt4
-rw-r--r--modules/user.module2
2 files changed, 5 insertions, 1 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 1dcb4ad..8f0c8a8 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 4.6.9, 2006-08-02
+------------------------
+- fixed security issue (XSS), see SA-2006-011
+
Drupal 4.6.8, 2006-06-01
------------------------
- fixed critical upload issue, see SA-2006-007
diff --git a/modules/user.module b/modules/user.module
index e7aa2a0..7cfd400 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -835,7 +835,7 @@ function user_login($edit = array(), $msg = '') {
// Display login form:
if ($msg) {
- $output .= "<p>$msg</p>";
+ $output .= '<p>'. check_plain($msg) .'</p>';
}
if (count(user_auth_help_links()) > 0) {
$output .= form_textfield(t('Username'), 'name', $edit['name'], 30, 64, t('Enter your %s username, or an ID from one of our affiliates: %a.', array('%s' => variable_get('site_name', 'local'), '%a' => implode(', ', user_auth_help_links()))));
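Review bot: The new `'<p>'. check_plain($msg) .'</p>'` line escapes at the right place, but nothing tells callers that `$msg` is now treated as plain text, so a caller that passes markup (for example a translated string containing a link) will have it shown escaped. I would add a comment above the `if ($msg)` block, such as `// $msg is plain text and is HTML-escaped here; callers must not pass markup.`, and repeat the same contract in the function's doc comment. The callers of user_login() are not visible in this hunk, so it is worth confirming which of them can carry request-derived text into `$msg` and whether that value is printed anywhere else without escaping. user_login's body starts and ends outside the hunk.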