diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index feb121163975d16a01e2f9129ed2aacb59a263c9..84f108b9243154ba187ac3603873454378539915 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,9 +1,11 @@
// $Id$
-Drupal 5.2, xxxx-xx-xx
+Drupal 5.2, 2007-07-26
----------------------
- changed hook_link() $teaser argument to match documentation.
- fixed a variety of small bugs.
+- fixed a security issue (cross-site request forgery), see SA-2007-017
+- fixed a security issue (cross-site scripting), see SA-2007-018
Drupal 5.1, 2007-01-29
----------------------
@@ -87,6 +89,10 @@ Drupal 5.0, 2007-01-15
* added nested lists generation.
* added a self-clearing block class.
+Drupal 4.7.7, 2007-07-26
+------------------------
+- fixed security issue (XSS), see SA-2007-018
+
Drupal 4.7.6, 2007-01-29
------------------------
- fixed security issue (code execution), see SA-2007-005
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index c930c344a86ec13078351997922b2828f67bcf21..9e05377a9f8d23f906ed93babe62d04343134a61 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -200,7 +200,7 @@ function conf_path() {
}
$confdir = 'sites';
- $uri = explode('/', $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME']);
+ $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
$server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
for ($i = count($uri) - 1; $i > 0; $i--) {
for ($j = count($server); $j > 0; $j--) {
@@ -255,8 +255,14 @@ function conf_init() {
else {
// Create base URL
$base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
- $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST'];
- if ($dir = trim(dirname($_SERVER['PHP_SELF']), '\,/')) {
+
+ // As $_SERVER['HTTP_HOST'] is user input, ensure it only contains
+ // characters allowed in hostnames.
+ $base_url = $base_root .= '://'. preg_replace('/[^a-z0-9-:._]/i', '', $_SERVER['HTTP_HOST']);
+
+ // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
+ // be modified by a visitor.
+ if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) {
$base_path = "/$dir";
$base_url .= $base_path;
$base_path .= '/';
@@ -279,8 +285,9 @@ function conf_init() {
// to use the same session identifiers across http and https.
list( , $session_name) = explode('://', $base_url, 2);
// We try to set the cookie domain to the hostname.
+ // We escape the hostname because it can be modified by a visitor.
if (!empty($_SERVER['HTTP_HOST'])) {
- $cookie_domain = $_SERVER['HTTP_HOST'];
+ $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
}
}
// Strip leading periods, www., and port numbers from cookie domain.
@@ -635,10 +642,10 @@ function request_uri() {
}
else {
if (isset($_SERVER['argv'])) {
- $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['argv'][0];
+ $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0];
}
else {
- $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['QUERY_STRING'];
+ $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
}
}
diff --git a/includes/common.inc b/includes/common.inc
index 574fb3282709346660feb42d43eaa368b38f501e..534272caac0adea80d47947e4d91c06f932259ef 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -548,7 +548,7 @@ function error_handler($errno, $message, $filename, $line) {
$entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.';
// Force display of error messages in update.php
- if (variable_get('error_level', 1) == 1 || strstr($_SERVER['PHP_SELF'], 'update.php')) {
+ if (variable_get('error_level', 1) == 1 || strstr($_SERVER['SCRIPT_NAME'], 'update.php')) {
drupal_set_message($entry, 'error');
}
diff --git a/includes/form.inc b/includes/form.inc
index 812c6428cf59f6697a5f02ff4973b6a11d473e3e..a6ee48936c277fbea1b7d9a10f252bd50ca886f9 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -248,7 +248,7 @@ function drupal_process_form($form_id, &$form) {
$form_button_counter = array(0, 0);
drupal_prepare_form($form_id, $form);
- if (($form['#programmed']) || (!empty($_POST) && (($_POST['form_id'] == $form_id) || ($_POST['form_id'] == $form['#base'])))) {
+ if (($form['#programmed']) || (!empty($_POST) && (($_POST['form_id'] == $form_id)))) {
drupal_validate_form($form_id, $form);
// IE does not send a button value when there is only one submit button (and no non-submit buttons)
// and you submit by pressing enter.
diff --git a/includes/session.inc b/includes/session.inc
index 76dde80fdf40c15eb8c1e2e60019158ee6d16f80..2531dfa0e96087fd14acac9c3c552dc3af993399 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -56,8 +56,9 @@ function sess_read($key) {
function sess_write($key, $value) {
global $user;
- // If the client doesn't have a session, and one isn't being created ($value), do nothing.
- if (empty($_COOKIE[session_name()]) && empty($value)) {
+ // If saving of session data is disabled or if the client doesn't have a session,
+ // and one isn't being created ($value), do nothing.
+ if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) {
return TRUE;
}
@@ -152,3 +153,23 @@ function sess_gc($lifetime) {
return TRUE;
}
+
+/**
+ * Determine whether to save session data of the current request.
+ *
+ * This function allows the caller to temporarily disable writing of session data,
+ * should the request end while performing potentially dangerous operations, such as
+ * manipulating the global $user object.
+ *
+ * @param $status
+ * Disables writing of session data when FALSE, (re-)enables writing when TRUE.
+ *
+ * @return FALSE if writing session data has been disabled. Otherwise, TRUE.
+ */
+function session_save_session($status = NULL) {
+ static $save_session = TRUE;
+ if (isset($status)) {
+ $save_session = $status;
+ }
+ return ($save_session);
+}
diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index 0ede8d66419e0b9f121bbbfbd32314e31d89dc9a..7d2e67a8fb6d07ebabeea3e537c3ca8711fe1672 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -537,7 +537,7 @@ function blogapi_blogger_title(&$contents) {
}
function blogapi_admin_settings() {
- $node_types = node_get_types('names');
+ $node_types = array_map('check_plain', node_get_types('names'));
$defaults = isset($node_types['blog']) ? array('blog' => 1) : array();
$form['blogapi_node_types'] = array(
'#type' => 'checkboxes',
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index f28b6c88b9bc8edd1351467944ed595311ef1091..34232adbcdf30391400b651b0a1f3c047eea6e55 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1075,23 +1075,8 @@ function comment_delete($cid = NULL) {
$output = '';
- // We'll only delete if the user has confirmed the
- // deletion using the form in our else clause below.
- if (is_object($comment) && is_numeric($comment->cid) && $_POST['confirm']) {
- drupal_set_message(t('The comment and all its replies have been deleted.'));
-
- // Delete comment and its replies.
- _comment_delete_thread($comment);
-
- _comment_update_node_statistics($comment->nid);
-
- // Clear the cache so an anonymous user sees that his comment was deleted.
- cache_clear_all();
-
- drupal_goto("node/$comment->nid");
- }
- else if (is_object($comment) && is_numeric($comment->cid)) {
- $output = drupal_get_form('comment_confirm_delete', $comment->subject, $comment->nid);
+ if (is_object($comment) && is_numeric($comment->cid)) {
+ $output = drupal_get_form('comment_confirm_delete', $comment);
}
else {
drupal_set_message(t('The comment no longer exists.'));
@@ -1100,16 +1085,38 @@ function comment_delete($cid = NULL) {
return $output;
}
-function comment_confirm_delete($subject, $nid) {
+function comment_confirm_delete($comment) {
+
+ $form = array();
+ $form['comment'] = array(
+ '#type' => 'value',
+ '#value' => $comment,
+ );
+
return confirm_form(
- array(),
- t('Are you sure you want to delete the comment %title?', array('%title' => $subject)),
- 'node/'. $nid,
+ $form,
+ t('Are you sure you want to delete the comment %title?', array('%title' => $comment->subject)),
+ 'node/'. $comment->nid,
t('Any replies to this comment will be lost. This action cannot be undone.'),
t('Delete'),
t('Cancel'));
}
+function comment_confirm_delete_submit($form_id, $form_values) {
+ $comment = $form_values['comment'];
+
+ // Delete comment and its replies.
+ _comment_delete_thread($comment);
+ _comment_update_node_statistics($comment->nid);
+ // Clear the cache so an anonymous user sees that his comment was deleted.
+ cache_clear_all();
+
+ drupal_set_message(t('The comment and all its replies have been deleted.'));
+
+ return "node/$comment->nid";
+}
+
+
/**
* Comment operations. We offer different update operations depending on
* which comment administration page we're on.
diff --git a/modules/menu/menu.module b/modules/menu/menu.module
index 0c0f2569917a64d0df513dfad198e9d1845e0439..63cdd9186ca0a39f85497e8dec81346f3a4e846a 100644
--- a/modules/menu/menu.module
+++ b/modules/menu/menu.module
@@ -68,7 +68,8 @@ function menu_menu($may_cache) {
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/build/menu/item/disable',
'title' => t('Disable menu item'),
- 'callback' => 'menu_disable_item',
+ 'callback' => 'drupal_get_form',
+ 'callback arguments' => array('menu_confirm_disable_item'),
'access' => user_access('administer menu'),
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/build/menu/item/delete',
@@ -481,14 +482,24 @@ function menu_reset_item_submit($form_id, $form_values) {
/**
* Menu callback; hide a menu item.
+ *
+ * Presents a confirmation form to protect against cross site request forgeries.
*/
-function menu_disable_item($mid) {
+function menu_confirm_disable_item($mid, $token = NULL) {
+ global $user;
$item = menu_get_item($mid);
- $type = $item['type'];
+ $form = array();
+ $form['mid'] = array('#type' => 'value', '#value' => $mid);
+ $form['item'] = array('#type' => 'value', '#value' => $item);
+ return confirm_form($form, t('Are you sure you want to disable the menu item %menu-item?', array('%menu-item' => $item['title'])), 'admin/build/menu', ' ', t('Disable'), t('Cancel'));
+}
+
+function menu_confirm_disable_item_submit($form_id, $form_values) {
+ $type = $form_values['item']['type'];
$type &= ~MENU_VISIBLE_IN_TREE;
$type &= ~MENU_VISIBLE_IN_BREADCRUMB;
$type |= MENU_MODIFIED_BY_ADMIN;
- db_query('UPDATE {menu} SET type = %d WHERE mid = %d', $type, $mid);
+ db_query('UPDATE {menu} SET type = %d WHERE mid = %d', $type, $form_values['mid']);
drupal_set_message(t('The menu item has been disabled.'));
drupal_goto('admin/build/menu');
}
diff --git a/modules/node/content_types.inc b/modules/node/content_types.inc
index 7b2c55b95c1297ecd315d3a4f94ba5181db484bb..6917b9eb174ad53f66093ffdb79a10a08badb75c 100644
--- a/modules/node/content_types.inc
+++ b/modules/node/content_types.inc
@@ -18,7 +18,6 @@ function node_overview_types() {
foreach ($names as $key => $name) {
$type = $types[$key];
if (function_exists($type->module .'_form')) {
- $name = check_plain($name);
$type_url_str = str_replace('_', '-', $type->type);
// Populate the operations field.
$operations = array();
diff --git a/modules/node/node.module b/modules/node/node.module
index acb638fc9d24be2d0c28cb54ede5201a98eedf0c..af763a5418c106f3dc3e6970d0ccda3884ef080d 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -35,7 +35,7 @@ function node_help($section) {
return ''. t('To create a new content type, enter the human-readable name, the machine-readable name, and all other relevant fields that are on this page. Once created, users of your site will be able to create posts that are instances of this content type.') .'
';
}
- if (arg(0) == 'node' && is_numeric(arg(1)) && arg(2) == 'revisions') {
+ if (arg(0) == 'node' && is_numeric(arg(1)) && arg(2) == 'revisions' && arg(3) == NULL) {
return ''. t('The revisions let you track differences between multiple versions of a post.') .'
';
}
@@ -1159,11 +1159,10 @@ function node_menu($may_cache) {
foreach (node_get_types() as $type) {
if (function_exists($type->module .'_form')) {
- $name = check_plain($type->name);
$type_url_str = str_replace('_', '-', $type->type);
$items[] = array(
'path' => 'node/add/'. $type_url_str,
- 'title' => drupal_ucfirst($name),
+ 'title' => drupal_ucfirst($type->name),
'access' => node_access('create', $type->type),
);
}
@@ -1212,11 +1211,26 @@ function node_menu($may_cache) {
'weight' => 1,
'type' => MENU_CALLBACK);
$revisions_access = ((user_access('view revisions') || user_access('administer nodes')) && node_access('view', $node) && db_result(db_query('SELECT COUNT(vid) FROM {node_revisions} WHERE nid = %d', arg(1))) > 1);
- $items[] = array('path' => 'node/'. arg(1) .'/revisions', 'title' => t('Revisions'),
+ $items[] = array(
+ 'path' => 'node/'. arg(1) .'/revisions',
+ 'title' => t('Revisions'),
'callback' => 'node_revisions',
'access' => $revisions_access,
'weight' => 2,
- 'type' => MENU_LOCAL_TASK);
+ 'type' => MENU_LOCAL_TASK,
+ );
+ if (!is_null(arg(3))) {
+ $items[] = array(
+ 'path' => 'node/'. arg(1) .'/revisions/'. arg(3) .'/delete',
+ 'callback' => 'node_revision_delete',
+ 'callback arguments' => array(arg(1), arg(3)),
+ );
+ $items[] = array(
+ 'path' => 'node/'. arg(1) .'/revisions/'. arg(3) .'/revert',
+ 'callback' => 'node_revision_revert',
+ 'callback arguments' => array(arg(1), arg(3)),
+ );
+ }
}
}
@@ -1230,7 +1244,6 @@ function node_menu($may_cache) {
$type = node_get_types('type', $type_name);
if (!empty($type)) {
- $type->name = check_plain($type->name);
$type_url_str = str_replace('_', '-', $type->type);
$items[] = array(
@@ -1569,7 +1582,7 @@ function node_admin_nodes() {
while ($node = db_fetch_object($result)) {
$nodes[$node->nid] = '';
$form['title'][$node->nid] = array('#value' => l($node->title, 'node/'. $node->nid) .' '. theme('mark', node_mark($node->nid, $node->changed)));
- $form['name'][$node->nid] = array('#value' => node_get_types('name', $node));
+ $form['name'][$node->nid] = array('#value' => check_plain(node_get_types('name', $node)));
$form['username'][$node->nid] = array('#value' => theme('username', $node));
$form['status'][$node->nid] = array('#value' => ($node->status ? t('published') : t('not published')));
$form['operations'][$node->nid] = array('#value' => l(t('edit'), 'node/'. $node->nid .'/edit', array(), $destination));
@@ -1696,16 +1709,7 @@ function node_revision_revert($nid, $revision) {
$node = node_load($nid, $revision);
if ((user_access('revert revisions') || user_access('administer nodes')) && node_access('update', $node)) {
if ($node->vid) {
- $node->revision = 1;
- $node->log = t('Copy of the revision from %date.', array('%date' => format_date($node->revision_timestamp)));
- if (module_exists('taxonomy')) {
- $node->taxonomy = array_keys($node->taxonomy);
- }
-
- node_save($node);
-
- drupal_set_message(t('%title has been reverted back to the revision from %revision-date', array('%revision-date' => format_date($node->revision_timestamp), '%title' => $node->title)));
- watchdog('content', t('@type: reverted %title revision %revision.', array('@type' => t($node->type), '%title' => $node->title, '%revision' => $revision)));
+ return drupal_get_form('node_revision_revert_confirm', $node);
}
else {
drupal_set_message(t('You tried to revert to an invalid revision.'), 'error');
@@ -1715,6 +1719,31 @@ function node_revision_revert($nid, $revision) {
drupal_access_denied();
}
+/**
+ * Ask for confirmation of the reversion to prevent against CSRF attacks.
+ */
+function node_revision_revert_confirm($node) {
+ $form['node'] = array('#type' => 'value', '#value' => $node);
+ return confirm_form($form, t('Are you sure you want to revert to the revision from %revision-date?', array('%revision-date' => format_date($node->revision_timestamp))), 'node/'. $node->nid .'/revisions', '', t('Revert'), t('Cancel'));
+}
+
+function node_revision_revert_confirm_submit($form_id, $form_values) {
+ $node = $form_values['node'];
+
+ $node->revision = 1;
+ $node->log = t('Copy of the revision from %date.', array('%date' => format_date($node->revision_timestamp)));
+ if (module_exists('taxonomy')) {
+ $node->taxonomy = array_keys($node->taxonomy);
+ }
+
+ node_save($node);
+
+ drupal_set_message(t('%title has been reverted back to the revision from %revision-date', array('%revision-date' => format_date($node->revision_timestamp), '%title' => $node->title)));
+ watchdog('content', t('@type: reverted %title revision %revision.', array('@type' => t($node->type), '%title' => $node->title, '%revision' => $revision)));
+
+ return 'node/'. $node->nid .'/revisions';
+}
+
/**
* Delete the revision with specified revision number. A "delete revision" nodeapi event is invoked when a
* revision is deleted.
@@ -1725,22 +1754,22 @@ function node_revision_delete($nid, $revision) {
if (node_access('delete', $node)) {
// Don't delete the current revision
if ($revision != $node->vid) {
- $node = node_load($nid, $revision);
-
- db_query("DELETE FROM {node_revisions} WHERE nid = %d AND vid = %d", $nid, $revision);
- node_invoke_nodeapi($node, 'delete revision');
- drupal_set_message(t('Deleted %title revision %revision.', array('%title' => $node->title, '%revision' => $revision)));
- watchdog('content', t('@type: deleted %title revision %revision.', array('@type' => t($node->type), '%title' => $node->title, '%revision' => $revision)));
+ if ($node = node_load($nid, $revision)) {
+ return drupal_get_form('node_revision_delete_confirm', $node);
+ }
+ else {
+ drupal_set_message(t('Deletion failed. You tried to delete a non-existing revision.'));
+ }
}
-
else {
drupal_set_message(t('Deletion failed. You tried to delete the current revision.'));
}
+
if (db_result(db_query('SELECT COUNT(vid) FROM {node_revisions} WHERE nid = %d', $nid)) > 1) {
- drupal_goto("node/$nid/revisions");
+ drupal_goto('node/'. $nid .'/revisions');
}
else {
- drupal_goto("node/$nid");
+ drupal_goto('node/'. $nid);
}
}
}
@@ -1748,6 +1777,29 @@ function node_revision_delete($nid, $revision) {
drupal_access_denied();
}
+/**
+ * Ask confirmation for revision deletion to prevent against CSRF attacks.
+ */
+function node_revision_delete_confirm($node) {
+ $form['node'] = array('#type' => 'value', '#value' => $node);
+ return confirm_form($form, t('Are you sure you want to delete the revision from %revision-date?', array('%revision-date' => format_date($node->revision_timestamp))), 'node/'. $node->nid .'/revisions', t('This action cannot be undone.'), t('Delete'), t('Cancel'));
+}
+
+function node_revision_delete_confirm_submit($form_id, $form_values) {
+ $node = $form_values['node'];
+ db_query("DELETE FROM {node_revisions} WHERE nid = %d AND vid = %d", $node->nid, $node->vid);
+ node_invoke_nodeapi($node, 'delete revision');
+ drupal_set_message(t('Deleted %title revision %revision.', array('%title' => $node->title, '%revision' => $node->vid)));
+ watchdog('content', t('@type: deleted %title revision %revision.', array('@type' => t($node->type), '%title' => $node->title, '%revision' => $node->vid)));
+
+ if (db_result(db_query('SELECT COUNT(vid) FROM {node_revisions} WHERE nid = %d', $node->nid)) > 1) {
+ return 'node/'. $node->nid .'/revisions';
+ }
+ else {
+ return 'node/'. $node->nid;
+ }
+}
+
/**
* Return a list of all the existing revision numbers.
*/
@@ -2352,12 +2404,6 @@ function node_revisions() {
}
}
break;
- case 'revert':
- node_revision_revert(arg(1), arg(3));
- break;
- case 'delete':
- node_revision_delete(arg(1), arg(3));
- break;
}
}
drupal_not_found();
@@ -2536,7 +2582,7 @@ function node_form_alter($form_id, &$form) {
}
// Node types:
- $types = node_get_types('names');
+ $types = array_map('check_plain', node_get_types('names'));
$form['advanced']['type'] = array(
'#type' => 'checkboxes',
'#title' => t('Only of the type(s)'),
diff --git a/modules/poll/poll.module b/modules/poll/poll.module
index 195d3b3b8954f19c28edb61487485e5c5a79519c..be3f284fcb913c9ac9aefd429d05d09802405391 100644
--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -354,7 +354,9 @@ function poll_teaser($node) {
$teaser = NULL;
if (is_array($node->choice)) {
foreach ($node->choice as $k => $choice) {
- $teaser .= '* '. $choice['chtext'] .'\n';
+ if ($choice['chtext'] != '') {
+ $teaser .= '* '. check_plain($choice['chtext']) ."\n";
+ }
}
}
return $teaser;
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index d52731c87140139d2ad36c91d2ce339782a6dbea..ffdfe11956cb9e80723b705e9f3a767b6472919e 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -111,7 +111,7 @@ function profile_block($op = 'list', $delta = 0, $edit = array()) {
$fields = array();
$result = db_query('SELECT name, title, weight, visibility FROM {profile_fields} WHERE visibility IN (%d, %d) ORDER BY weight', PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS);
while ($record = db_fetch_object($result)) {
- $fields[$record->name] = $record->title;
+ $fields[$record->name] = check_plain($record->title);
}
$fields['user_profile'] = t('Link to full user profile');
$form['profile_block_author_fields'] = array('#type' => 'checkboxes',
@@ -399,7 +399,7 @@ function profile_admin_overview() {
$result = db_query('SELECT title, name, type, category, fid FROM {profile_fields} ORDER BY category, weight');
$rows = array();
while ($field = db_fetch_object($result)) {
- $rows[] = array(check_plain($field->title), $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/user/profile/edit/$field->fid"), l(t('delete'), "admin/user/profile/delete/$field->fid"));
+ $rows[] = array(check_plain($field->title), check_plain($field->name), _profile_field_types($field->type), check_plain($field->category), l(t('edit'), "admin/user/profile/edit/$field->fid"), l(t('delete'), "admin/user/profile/delete/$field->fid"));
}
if (count($rows) == 0) {
$rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6'));
@@ -628,7 +628,7 @@ function profile_form_profile($edit, $user, $category, $register = FALSE) {
while ($field = db_fetch_object($result)) {
$category = $field->category;
if (!isset($fields[$category])) {
- $fields[$category] = array('#type' => 'fieldset', '#title' => $category, '#weight' => $w++);
+ $fields[$category] = array('#type' => 'fieldset', '#title' => check_plain($category), '#weight' => $w++);
}
switch ($field->type) {
case 'textfield':
@@ -759,7 +759,7 @@ function theme_profile_block($account, $fields = array()) {
$output .= "$field->value
\n";
}
else {
- $output .= "$field->title
$field->value
\n";
+ $output .= ''. check_plain($field->title) ."
$field->value
\n";
}
}
}
diff --git a/modules/search/search.module b/modules/search/search.module
index 1289e0e5d3b2ade0188d32b849ca2640a1d19232..7953742ce4c3a8916d20f068e7ecc49dc6b8ec41 100644
--- a/modules/search/search.module
+++ b/modules/search/search.module
@@ -1233,7 +1233,7 @@ function theme_search_item($item, $type) {
$output = ' '. check_plain($item['title']) .'';
$info = array();
if ($item['type']) {
- $info[] = $item['type'];
+ $info[] = check_plain($item['type']);
}
if ($item['user']) {
$info[] = $item['user'];
diff --git a/modules/system/system.module b/modules/system/system.module
index 66e9119afc0356ff45711022b309c2ebe028e848..6c2120881670d5aaf59c54b60fd76c65931e693e 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.2 dev');
+define('VERSION', '5.2');
/**
* Implementation of hook_help().
@@ -2011,7 +2011,7 @@ function system_theme_settings($key = '') {
'#suffix' => '',
);
foreach ($node_types as $type => $name) {
- $form['node_info']["toggle_node_info_$type"] = array('#type' => 'checkbox', '#title' => $name, '#default_value' => $settings["toggle_node_info_$type"]);
+ $form['node_info']["toggle_node_info_$type"] = array('#type' => 'checkbox', '#title' => check_plain($name), '#default_value' => $settings["toggle_node_info_$type"]);
}
}
}
diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module
index 55c381a22acf6c758ccd13f6bcf27e985fcff1fa..72440bafdc7bfa2679cb282882dbfdf76007f91a 100644
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -152,7 +152,7 @@ function taxonomy_overview_vocabularies() {
$types = array();
foreach ($vocabulary->nodes as $type) {
$node_type = node_get_types('name', $type);
- $types[] = $node_type ? $node_type : $type;
+ $types[] = $node_type ? check_plain($node_type) : check_plain($type);
}
$rows[] = array('name' => check_plain($vocabulary->name),
'type' => implode(', ', $types),
@@ -251,7 +251,7 @@ function taxonomy_form_vocabulary($edit = array()) {
$form['nodes'] = array('#type' => 'checkboxes',
'#title' => t('Types'),
'#default_value' => $edit['nodes'],
- '#options' => node_get_types('names'),
+ '#options' => array_map('check_plain', node_get_types('names')),
'#description' => t('A list of node types you want to associate with this vocabulary.'),
'#required' => TRUE,
);
diff --git a/modules/tracker/tracker.module b/modules/tracker/tracker.module
index 1ab089e795e2478677fe15546137644c86d09387..763eba99464691488f4c3c4baee28696636038d6 100644
--- a/modules/tracker/tracker.module
+++ b/modules/tracker/tracker.module
@@ -106,7 +106,7 @@ function tracker_page($uid = 0) {
}
$rows[] = array(
- node_get_types('name', $node->type),
+ check_plain(node_get_types('name', $node->type)),
l($node->title, "node/$node->nid") .' '. theme('mark', node_mark($node->nid, $node->changed)),
theme('username', $node),
array('class' => 'replies', 'data' => $comments),
diff --git a/modules/user/user.module b/modules/user/user.module
index 87abbdbb75a0d3aad37448ee6f4f192d71cefa1a..d75689042c6ead33c36d70cc92895fabbe0fe377 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -656,7 +656,7 @@ function theme_user_profile($account, $fields) {
$output .= theme('user_picture', $account);
foreach ($fields as $category => $items) {
if (strlen($category) > 0) {
- $output .= ''. $category .'
';
+ $output .= ''. check_plain($category) .'
';
}
$output .= '';
foreach ($items as $item) {