authorDaniel Braksator2012-02-08 05:53:00 (GMT)
committer Daniel Braksator2012-02-08 05:53:00 (GMT)
commit13e2d0ce65db845208f0ded836b4fbcb344e4a3d (patch)
treeda73b01f0aa3848cb15221ef9ac7db93198157b2
parentc6a0e909700a333e43deff590d2420c9a29bf94b (diff)
Issue #M7G677 by danielb: Beyond the night, a rising sun. Beyond the night a battle's won. A battle's won.6.x-1.26
-rwxr-xr-xfinder.module32
-rwxr-xr-xincludes/finder.admin.inc42
-rwxr-xr-xmodules/finder_autocomplete/finder_autocomplete.module2
3 files changed, 72 insertions, 4 deletions
diff --git a/finder.module b/finder.module
index 656cc6b..cd40d8d 100755
--- a/finder.module
+++ b/finder.module
@@ -1594,6 +1594,7 @@ function finder_find_choices($finder, $finder_element_id, $options, $keywords, $
if ($options) {
// If there are options, fetch some info about the field names.
$element = &finder_element($finder, $finder_element_id);
+ $filter = isset($element->settings['choices']['sanitization']['format']) ? $element->settings['choices']['sanitization']['format'] : 'filter_xss';
$fields = &$element->settings['choices']['field'];
foreach ($fields as $key => $field) {
$field_info[$key] = finder_split_field($field);
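Review bot: The new `$filter = isset(...) ? ... : 'filter_xss';` line takes the stored setting at face value, and the only values handled by name downstream are the four function names, so any other stored value — including the id of a filter format that has since been deleted — reaches the `check_markup()` default branch of `finder_sanitize()` added later in this commit. As far as I recall of Drupal 6, `check_markup()` with `$check = FALSE` and a format id that no longer resolves applies no filters at all, which would leave the display field unsanitized rather than failing closed. A cheap guard at the point the setting is read would be `if (!in_array($filter, array('filter_xss', 'filter_xss_admin', 'check_plain', 'check_url'), TRUE) && !filter_list_format($filter)) { $filter = 'filter_xss'; }`, so an unknown or empty format falls back to the default rather than to no filtering. The same `$filter` is consumed by the two following hunks and by `finder_sanitize()`; `finder_find_choices()` starts and ends outside this hunk.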
@@ -1614,7 +1615,7 @@ function finder_find_choices($finder, $finder_element_id, $options, $keywords, $
$option->field_name = $option->base_field;
}
// Append this option to the array.
- $new_options[] = $option;
+ $new_options[] = finder_sanitize($option, $filter);
}
// Complex case - more than one field.
elseif (count($fields) > 1) {
@@ -1632,14 +1633,14 @@ function finder_find_choices($finder, $finder_element_id, $options, $keywords, $
if (count($matching_names) === 1) {
$option->field_name = end($matching_names);
$option->display_field = $option->field_name;
- $new_options[] = $option;
+ $new_options[] = finder_sanitize($option, $filter);
}
elseif (!empty($matching_names)) {
foreach ($matching_names as $matching_name) {
$new_option = drupal_clone($option);
$new_option->field_name = $matching_name;
$new_option->display_field = $new_option->field_name;
- $new_options[] = $new_option;
+ $new_options[] = finder_sanitize($new_option, $filter);
}
}
}
@@ -1651,6 +1652,31 @@ function finder_find_choices($finder, $finder_element_id, $options, $keywords, $
}
/**
+ * Sanitize a finder choice.
+ *
+ * @param $option
+ * The option object with unsanitized display field.
+ * @param $filter
+ * The filter to use.
+ * @return
+ * The option object with sanitized display field.
+ */
+function finder_sanitize($option, $filter = 'filter_xss') {
+ switch ($filter) {
+ case 'filter_xss':
+ case 'filter_xss_admin':
+ case 'check_plain':
+ case 'check_url':
+ $option->{$option->display_field . '_safe'} = $filter($option->{$option->display_field});
+ break;
+ default:
+ $option->{$option->display_field . '_safe'} = check_markup($option->{$option->display_field}, $filter, FALSE);
+ }
+ $option->display_field = $option->display_field . '_safe';
+ return $option;
+}
+
+/**
* Evaluate a string of PHP code.
*
* This is a wrapper around PHP's eval(). It uses output buffering to capture
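Review bot: The docblock on `finder_sanitize()` omits the part callers actually depend on: the function stores the filtered value in a new `<display_field>_safe` property and then repoints `$option->display_field` at that property, so `@return` should read something like `The option object with a new <display_field>_safe property holding the filtered value; display_field is updated to name that property.` The `default:` branch also deserves a why-comment for the third argument, since skipping the format access check is a deliberate choice that a later reader may "fix": `// $check is FALSE on purpose: the format was chosen by the element's administrator, so the viewing user's own format permission is presumably not what should gate it here — confirm.` Because the function renames `display_field` on every call, applying it twice to the same object yields a `_safe_safe` property; if that can happen, note it in the docblock or return early when `display_field` already ends in `_safe`.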
diff --git a/includes/finder.admin.inc b/includes/finder.admin.inc
index 904eb5f..be3c8ee 100755
--- a/includes/finder.admin.inc
+++ b/includes/finder.admin.inc
@@ -724,6 +724,48 @@ function finder_admin_element_edit($form_state, $finder, $finder_element_id) {
'#description' => t('Will put the list into order for easier scanning.'),
);
+ $form['settings']['choices']['sanitization'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Sanitization'),
+ '#description' => t('No piece of user-submitted content should ever be placed as-is into HTML.'),
+ '#weight' => 120,
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE,
+ );
+
+ $format_options = array(
+ 'filter_xss' => t('Filter XSS') . theme('filter_tips', array(array(
+ array('tip' => t('Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.')),
+ array('tip' => t('Allowed HTML tags') . check_plain(': <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>')),
+ array('tip' => '<strong>' . t('Recommended for finder fields that contain only plain values or the above HTML tags.') . '</strong>')
+ )), FALSE),
+ 'filter_xss_admin' => t('Filter XSS permissive') . theme('filter_tips', array(array(
+ array('tip' => t('Allows all tags that can be used inside an HTML body, save for scripts and styles.')),
+ array('tip' => '<strong>' . t('Recommended for finder fields that contain HTML.') . '</strong>')
+ )), FALSE),
+ 'check_plain' => t('Check plain') . theme('filter_tips', array(array(
+ array('tip' => t('Encodes special characters in a plain-text string for display as HTML.')),
+ array('tip' => '<strong>' . t('Approved for finder fields that contain only plain values.') . '</strong>')
+ )), FALSE),
+ 'check_url' => t('Check URL') . theme('filter_tips', array(array(
+ array('tip' => t('Strips dangerous protocols from a URI and encodes it for output to HTML.')),
+ array('tip' => '<strong>' . t('Approved for finder fields where the value is a URL.') . '</strong>')
+ )), FALSE),
+ );
+ $filter_formats = filter_formats();
+ foreach ($filter_formats as $filter_format) {
+ $tips = _filter_tips($filter_format->format, FALSE);
+ $tips[$filter_format->name]['finder'] = array('tip' => t('Not pre-approved for finder fields, use with caution.'));
+ $format_options[$filter_format->format] = $filter_format->name . theme('filter_tips', $tips);
+ }
+
+ $form['settings']['choices']['sanitization']['format'] = array(
+ '#type' => 'radios',
+ '#title' => t('Sanitization filter'),
+ '#default_value' => isset($element->settings['choices']['sanitization']['format']) ? $element->settings['choices']['sanitization']['format'] : 'filter_xss',
+ '#options' => $format_options,
+ );
+
$form['settings']['advanced'] = array(
'#type' => 'fieldset',
'#title' => t('Submitted values'),
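Review bot: `$filter_format->name` is concatenated into the radio option label unescaped, while the hard-coded tag list a few lines above is passed through `check_plain()`; Drupal 6 Form API does not escape radio titles on its own, so the format name should be escaped too: `$format_options[$filter_format->format] = check_plain($filter_format->name) . theme('filter_tips', $tips);`. Format names are defined by users with filter administration rights, so the exposure is limited, but core's own filter admin pages escape them and this form should be consistent with that. Separately, the `Allowed HTML tags` list in the `filter_xss` tip is a literal string that will silently diverge if `filter_xss()`'s default tag list changes; a comment such as `// Keep in sync with the default $allowed_tags of filter_xss().` would at least flag the coupling. `finder_admin_element_edit()` starts and ends outside this hunk.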
diff --git a/modules/finder_autocomplete/finder_autocomplete.module b/modules/finder_autocomplete/finder_autocomplete.module
index b825214..92e1e1a 100755
--- a/modules/finder_autocomplete/finder_autocomplete.module
+++ b/modules/finder_autocomplete/finder_autocomplete.module
@@ -200,7 +200,7 @@ function finder_autocomplete_autocomplete($finder_id, $finder_element_id, $keywo
$autofill = theme('finder_autocomplete_autofill', $option, $element);
$suggestion = theme('finder_autocomplete_suggestion', $option, $element);
if ($autofill && $suggestion) {
- $choices[$autofill] = filter_xss($suggestion);
+ $choices[$autofill] = $suggestion;
}
}
}
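Review bot: Dropping `filter_xss()` from `$choices[$autofill] = $suggestion;` makes the JSON suggestion only as safe as `theme('finder_autocomplete_suggestion')` plus the upstream `finder_sanitize()` call, and nothing in this hunk shows that the theme function prints only the `_safe` field or that every `$option` reaching here went through `finder_find_choices()` with `$options` set. Drupal theme functions are normally overridable, so a theme override that prints `$option->base_field` or another raw property would restore the original injection exposure, and the autocomplete JavaScript inserts these strings into the page as markup. Either keep a permissive last-resort filter here, `$choices[$autofill] = filter_xss_admin($suggestion);`, which still admits the markup the new `check_markup()` path is meant to allow, or document the invariant above the assignment: `// $suggestion is assumed to be built only from the *_safe field set by finder_sanitize(); overrides must not print raw fields.` `finder_autocomplete_autocomplete()` starts outside this hunk.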