diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 5e790dcb735aa004e72226080f6842c48fa37e96..4abd8f6b1bd1e79b21bdfd6c5a8f5a0054bea298 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,8 +1,9 @@
 // $Id$
-Drupal 6.1-dev, xxxx-xx-xx (development version)
------------------------
-
+Drupal 6.1, 2008-02-27
+----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (Cross site scripting), see SA-2008-018
 
 Drupal 6.0, 2008-02-13
 ----------------------
diff --git a/includes/common.inc b/includes/common.inc
index 90b0329cb058ccb344d95e3c1d1318970868a1ce..ccb8520bd4d711c41ce03df07bae44a7cf598e61 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -577,7 +577,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
 return;
 }
 
- if ($errno & (E_ALL)) {
+ if ($errno & (E_ALL ^ E_NOTICE)) {
 $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
 
 // For database errors, we want the line number/file name of the place that
diff --git a/misc/drupal.js b/misc/drupal.js
index 04dd70c6634951c5e480ba24aa4936f75b54f81f..50498d87397a4dbaceeb979ec5061cecb62e9e28 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -51,7 +51,8 @@ Drupal.checkPlain = function(str) {
 str = String(str);
 var replace = { '&': '&', '"': '"', '<': '<', '>': '>' };
 for (var character in replace) {
- str = str.replace(character, replace[character]);
+ var regex = new RegExp(character, 'g');
+ str = str.replace(regex, replace[character]);
 }
 return str;
 };
diff --git a/modules/node/node.pages.inc b/modules/node/node.pages.inc
index aef2308c721a0115625df02feec55b8b5c02009d..5a72ebb7f5fdc0fa9278299c593556ca4757747c 100644
--- a/modules/node/node.pages.inc
+++ b/modules/node/node.pages.inc
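Review bot: With `E_ALL ^ E_NOTICE` the handler now discards every E_NOTICE before anything under the condition runs, so the `8 => 'notice'` entry in the `$types` map on the following line is unreachable, and if the handler also records errors to watchdog further down (outside the hunk) notices are no longer logged at all, not merely hidden from display; that is worth stating so nobody "restores" it. `E_ALL ^ E_NOTICE` is XOR and only means "all except notices" because E_NOTICE happens to be a member of E_ALL; `E_ALL & ~E_NOTICE` says the same thing directly and stays correct whatever E_ALL contains. I would write `if ($errno & (E_ALL & ~E_NOTICE)) { // Notices are intentionally ignored here: neither displayed nor logged.`. drupal_error_handler() begins and ends outside the hunk.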
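Review bot: The new `new RegExp(character, 'g')` only works because every key of `replace` (`&`, `"`, `<`, `>`) is a literal character with no pattern meaning, and the loop additionally depends on `&` being visited first so the entities produced for the other three keys are not escaped a second time; for-in order follows insertion order in practice but was not guaranteed by the ECMAScript spec of the time. A single-pass replacement removes both hidden dependencies: `return str.replace(/[&"<>]/g, function (c) { return replace[c]; });` in place of the for loop. The replacement values display here as the bare characters, presumably because the HTML entities were decoded when this page was extracted, so the map should be checked against the file itself rather than this rendering. Drupal.checkPlain is fully visible in the hunk.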
@@ -11,7 +11,7 @@
 * Menu callback; presents the node editing form, or redirects to delete confirmation.
 */
 function node_page_edit($node) {
- drupal_set_title($node->title);
+ drupal_set_title(check_plain($node->title));
 return drupal_get_form($node->type .'_node_form', $node);
 }
diff --git a/modules/system/system.module b/modules/system/system.module
index 5b8100a0865e68c50b5d52074dec8950177f00e4..c8e7ca97f24691ccafd0b4b5fdff2f5d2987d499 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '6.1-dev');
+define('VERSION', '6.1');
 
 /**
 * Core API compatibility.
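Review bot: The added `check_plain()` is the right fix but nothing at the call site records why it is there: the old line shows that drupal_set_title() emits its argument as markup while `$node->title` is user-entered text, and that combination is what the changelog's XSS entry refers to, so the next caller passing a node title is likely to repeat the mistake. I would add above the call `// Node titles are user-supplied plain text; drupal_set_title() outputs HTML, so escape first.`. Other drupal_set_title() calls that receive a raw title are outside this diff and deserve the same check. node_page_edit() is fully contained in the hunk.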