-rw-r--r--print.admin.inc13
-rw-r--r--print.module2
-rw-r--r--print.pages.inc23
-rw-r--r--print_mail/print_mail.inc8
-rw-r--r--print_mail/print_mail.module2
-rw-r--r--print_pdf/print_pdf.module2
-rw-r--r--print_pdf/print_pdf.pages.inc4
7 files changed, 32 insertions, 22 deletions
diff --git a/print.admin.inc b/print.admin.inc
index c2f4ffb..d856bc4 100644
--- a/print.admin.inc
+++ b/print.admin.inc
@@ -29,7 +29,9 @@ function print_main_settings() {
'#size' => 60,
'#maxlength' => 250,
'#description' => t('The URL to your custom print cascading stylesheet, if any. When none is specified, the default module CSS file is used.') .'<br />'.
- t('Macros: %b (base path: "%base"), %t (path to theme: "%theme")', array('%base' => base_path(), '%theme' => path_to_theme())),
+ t('Macros: %b (base path: "%base"), %t (path to theme: "%theme")', array('%base' => base_path(), '%theme' => path_to_theme())) .'<br />'.
+ t('Requires the <em>administer site configuration</em> permission.'),
+ '#disabled' => !user_access('administer site configuration'),
);
$form['settings']['print_urls'] = array(
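Review bot: The added `'#disabled' => !user_access('administer site configuration')` on the stylesheet field only changes how the element is rendered; nothing in this hunk rejects a submitted `print_css` value on the server when the user lacks the permission. Unless this FAPI version is known to discard input for disabled elements, the permission check belongs in `_print_main_settings_validate()` as well, e.g. `if (!user_access('administer site configuration') && $form_values['print_css'] !== variable_get('print_css', '')) { form_set_error('print_css', t('You are not allowed to change the stylesheet URL.')); }`, where the `''` default must match the one used by the form element. `print_main_settings()` starts before this hunk and continues after it.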
@@ -147,6 +149,8 @@ function print_main_settings() {
* Validate print_main_settings form.
*/
function _print_main_settings_validate($form_id, $form_values, $form) {
+ global $base_url;
+
// Check for a new uploaded logo, and use that instead.
if ($file = file_check_upload('print_logo_upload')) {
if ($info = image_get_info($file->filepath)) {
@@ -162,6 +166,13 @@ function _print_main_settings_validate($form_id, $form_values, $form) {
form_set_error('print_logo_upload', t('Only JPEG, PNG and GIF images are allowed to be used as logos.'));
}
}
+
+ // Check that the stylesheet URL is a local URL, if it is an absolute URL, then it must start with the site's base URL
+ if (preg_match('!^http://.*!', $form_state['values']['print_css'], $matches)) {
+ if (!preg_match("!^$base_url/!", $matches[0])) {
+ form_set_error('print_css', t("Stylesheet URL must be a relative path or start with the site's base URL"));
+ }
+ }
}
/**
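Review bot: The new stylesheet check reads `$form_state['values']['print_css']`, but the function signature shown in the previous hunk is `_print_main_settings_validate($form_id, $form_values, $form)`, so `$form_state` is undefined here, `preg_match()` runs on NULL, and the validation never fires; the value is `$form_values['print_css']`. The check is also narrower than its comment says: it only looks at `http://`, so `https://`, protocol-relative `//host/…`, an upper-case scheme, or any other scheme pass as "relative", and `$base_url` is interpolated into the second pattern unescaped (a `.` in the host matches any character; `preg_quote($base_url, '!')` or a plain prefix comparison is needed). `$matches` is unused. The body of `_print_main_settings_validate()` starts in the previous hunk.

```php
  // Only a relative path, or an absolute URL under this site's base URL, is accepted.
  $css_url = trim($form_values['print_css']);
  if (preg_match('!^([a-z][a-z0-9+.-]*:|//)!i', $css_url)
      && strncmp($css_url, $base_url .'/', strlen($base_url) + 1) !== 0) {
    form_set_error('print_css', t("Stylesheet URL must be a relative path or start with the site's base URL"));
  }
```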
diff --git a/print.module b/print.module
index a08d29c..983c745 100644
--- a/print.module
+++ b/print.module
@@ -555,7 +555,7 @@ function theme_print_format_link() {
$print_html_link_class = variable_get('print_html_link_class', PRINT_HTML_LINK_CLASS_DEFAULT);
$print_html_new_window = variable_get('print_html_new_window', PRINT_HTML_NEW_WINDOW_DEFAULT);
$print_html_show_link = variable_get('print_html_show_link', PRINT_HTML_SHOW_LINK_DEFAULT);
- $print_html_link_text = variable_get('print_html_link_text', t('Printer-friendly version'));
+ $print_html_link_text = filter_xss(variable_get('print_html_link_text', t('Printer-friendly version')));
$img = drupal_get_path('module', 'print') .'/icons/print_icon.gif';
$title = t('Display a printer-friendly version of this page.');
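Review bot: The sanitizer chosen for admin-configured display strings varies across this commit without a stated rule: `filter_xss()` here and for `print_mail_link_text` in print_mail.module, `print_pdf_link_text` in print_pdf.module and the `print_text_*` variables in print.pages.inc, `filter_xss_admin()` for `print_mail_text_message` in print_mail.inc, and `check_plain()` for the confirmation message and the PDF font settings. `filter_xss()` with its default tag list keeps `<a>`, `<em>`, `<strong>` and similar inline tags, so whether markup is meant to be allowed in link text depends on how the rest of `theme_print_format_link()` (outside this hunk) embeds `$print_html_link_text`; if it becomes an `l()` title with HTML enabled, a nested anchor is possible. A one-line comment stating the policy at the first use, e.g. `// Admin-set display strings: only filter_xss()'s default inline tags are allowed.`, or a small shared helper applied at every site, would make the intent reviewable.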
diff --git a/print.pages.inc b/print.pages.inc
index 2fba0f8..6e2b930 100644
--- a/print.pages.inc
+++ b/print.pages.inc
@@ -180,7 +180,7 @@ function _print_var_generator($node, $message = NULL, $cid = NULL) {
if (!empty($print_css)) {
$replace_pairs = array('%b' => base_path(), '%t' => path_to_theme());
- $user_css = strip_tags(strtr($print_css, $replace_pairs));
+ $user_css = check_url(strtr($print_css, $replace_pairs));
}
else {
drupal_add_css(drupal_get_path('module', 'print') .'/css/print.css');
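Review bot: `check_url()` returns a value that is already HTML-escaped for direct placement in an attribute, so if `$user_css` is later used as a plain path — passed to `drupal_add_css()` the way the `else` branch does for the default stylesheet, or assigned to a template variable that is escaped again on output — the URL ends up double-encoded. How `$user_css` is consumed is outside this hunk; if it is only ever echoed into a `<link href='…'>` attribute the change is right, and a comment on the assignment, e.g. `// check_url() output is attribute-escaped; emit $user_css verbatim, do not escape again.`, would pin that contract down.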
@@ -233,25 +233,24 @@ function _print_var_generator($node, $message = NULL, $cid = NULL) {
$logo_url = strip_tags($print_logo_url);
break;
}
- $print['logo'] = $logo_url ? "<img class='print-logo' src='$logo_url' alt='' />\n" : '';
+ $print['logo'] = $logo_url ? "<img class='print-logo' src='". check_url($logo_url) ."' alt='' />\n" : '';
switch ($print_footer_options) {
case 0: // none
$footer = '';
break;
case 1: // theme's
- $footer = filter_xss_admin(variable_get('site_footer', FALSE)) ."\n". theme('blocks', 'footer');
- $logo_url = theme_get_setting('logo');
+ $footer = variable_get('site_footer', FALSE) ."\n". theme('blocks', 'footer');
break;
case 2: // user-specifed
$footer = $print_footer_user;
break;
}
- $print['footer_message'] = $footer;
+ $print['footer_message'] = filter_xss_admin($footer);
$published_site = variable_get('site_name', 0);
if ($published_site) {
- $print_text_published = variable_get('print_text_published', t('Published on %site_name'));
+ $print_text_published = filter_xss(variable_get('print_text_published', t('Published on %site_name')));
$published = t($print_text_published, array('%site_name' => $published_site));
$print['site_name'] = $published .' ('. l($base_url, $base_url) .')';
}
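Review bot: Moving `filter_xss_admin()` from the `site_footer` variable to `$print['footer_message'] = filter_xss_admin($footer);` widens its scope to the output of `theme('blocks', 'footer')`, which was previously emitted as rendered; block bodies have already been through their input formats, so any block markup that `filter_xss_admin()` does not permit is now altered in the printer-friendly page. If that is the intent, a comment saying so on the new line would save the next reader the question; if not, filtering only the configurable pieces preserves the old behaviour: `$footer = filter_xss_admin(variable_get('site_footer', FALSE)) ."\n". theme('blocks', 'footer');` in case 1 and `$footer = filter_xss_admin($print_footer_user);` in case 2. `_print_var_generator()` starts before this hunk and continues after it.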
@@ -271,11 +270,11 @@ function _print_var_generator($node, $message = NULL, $cid = NULL) {
$url .= '#comment-$cid';
}
$retrieved_date = format_date(time(), 'small');
- $print_text_retrieved = variable_get('print_text_retrieved', t('retrieved on %date'));
+ $print_text_retrieved = filter_xss(variable_get('print_text_retrieved', t('retrieved on %date')));
$retrieved = t($print_text_retrieved, array('%date' => $retrieved_date));
$print['printdate'] = $print_sourceurl_date ? " ($retrieved)" : '';
- $source_url = variable_get('print_text_source_url', t('Source URL'));
+ $source_url = filter_xss(variable_get('print_text_source_url', t('Source URL')));
$print['source_url'] = '<strong>'. $source_url . $print['printdate'] .':</strong> '. l($url, $url);
}
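Review bot: The context line `$url .= '#comment-$cid';` above the changed lines uses single quotes, so the literal text `$cid` is appended to the source URL instead of the comment id, and the `l($url, $url)` link two lines later carries that literal fragment; the commit touches this block but leaves it. The fix is `$url .= "#comment-$cid";`. The surrounding `if` and `_print_var_generator()` itself begin outside this hunk.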
else {
@@ -286,11 +285,11 @@ function _print_var_generator($node, $message = NULL, $cid = NULL) {
$node_type = $node->type;
if (theme_get_setting("toggle_node_info_$node_type")) {
- $print_text_by = variable_get('print_text_by', t('By %author'));
+ $print_text_by = filter_xss(variable_get('print_text_by', t('By %author')));
$by_author = ($node->name ? $node->name : variable_get('anonymous', t('Anonymous')));
$print['submitted'] = t($print_text_by, array('%author' => $by_author));
- $print_text_created = variable_get('print_text_created', t('Created %date'));
+ $print_text_created = filter_xss(variable_get('print_text_created', t('Created %date')));
$created_datetime = format_date($node->created, 'small');
$print['created'] = t($print_text_created, array('%date' => $created_datetime));
}
@@ -311,7 +310,7 @@ function _print_var_generator($node, $message = NULL, $cid = NULL) {
$breadcrumb = drupal_get_breadcrumb();
if (!empty($breadcrumb)) {
$breadcrumb[] = menu_get_active_title();
- $print['breadcrumb'] = implode(' > ', $breadcrumb);
+ $print['breadcrumb'] = filter_xss(implode(' > ', $breadcrumb));
}
else {
$print['breadcrumb'] = '';
@@ -327,7 +326,7 @@ function _print_var_generator($node, $message = NULL, $cid = NULL) {
for ($i = 0; $i < $max; $i++) {
$pfp_links .= '['. ($i + 1) .'] '. $urls[$i] ."<br />\n";
}
- $links = variable_get('print_text_links', t('Links'));
+ $links = filter_xss(variable_get('print_text_links', t('Links')));
$print['pfp_links'] = "<p><strong>$links:</strong><br />$pfp_links</p>";
}
}
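Review bot: The `Links` label is now passed through `filter_xss()`, but the list entries it introduces are concatenated into the same HTML unescaped on the context line `$pfp_links .= '['. ($i + 1) .'] '. $urls[$i] ."<br />\n";`. Where `$urls` is built is outside this hunk; unless each entry is already escaped there, the loop line should read `$pfp_links .= '['. ($i + 1) .'] '. check_plain($urls[$i]) ."<br />\n";` so the label and the entries are treated consistently.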
diff --git a/print_mail/print_mail.inc b/print_mail/print_mail.inc
index 80bdc80..d879a79 100644
--- a/print_mail/print_mail.inc
+++ b/print_mail/print_mail.inc
@@ -126,9 +126,9 @@ function print_mail_form($form_state) {
$user_name = t('Someone');
}
$site_name = variable_get('site_name', t('an interesting site'));
- $print_mail_text_subject = variable_get('print_mail_text_subject', t('!user has sent you a message from !site'));
+ $print_mail_text_subject = filter_xss(variable_get('print_mail_text_subject', t('!user has sent you a message from !site')));
$form['fld_subject']['#default_value'] = t($print_mail_text_subject, array('!user' => $user_name, '!site' => $site_name, '!title' => $title));
- $print_mail_text_content = variable_get('print_mail_text_content', '');
+ $print_mail_text_content = filter_xss(variable_get('print_mail_text_content', ''));
$form['txt_message']['#default_value'] = t($print_mail_text_content);
return $form;
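Review bot: `filter_xss()` is an HTML-context filter, but `print_mail_text_subject` becomes the default of `fld_subject`, which presumably ends up as the e-mail subject header (the sending code is outside this hunk): the filter keeps inline tags and HTML-encodes characters such as `&` and `"`, which then appear as literal entities in a plain-text subject, and the textfield escapes the default value again when rendering the form. A plain-text normalisation fits that field better, e.g. `$print_mail_text_subject = trim(preg_replace('/[\r\n]+/', ' ', strip_tags(variable_get('print_mail_text_subject', t('!user has sent you a message from !site')))));`, which also drops line breaks that have no place in a header. The same consideration applies to `print_mail_text_content` if the message body is sent as plain text. `print_mail_form()` starts before this hunk.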
@@ -242,7 +242,7 @@ function print_mail_form_submit($form_id, $form_values) {
}
$cid = isset($form_values['cid']) ? $form_values['cid'] : NULL;
- $print_mail_text_message = variable_get('print_mail_text_message', t('Message from sender'));
+ $print_mail_text_message = filter_xss_admin(variable_get('print_mail_text_message', t('Message from sender')));
$sender_message = $print_mail_text_message .':<br /><br /><em>'. nl2br(check_plain($form_values['txt_message'])) .'</em>';
$print = print_controller($form_values['path'], $cid, PRINT_MAIL_FORMAT, $form_values['chk_teaser'], $sender_message);
@@ -300,7 +300,7 @@ function print_mail_form_submit($form_id, $form_values) {
watchdog('print_mail', t('%name [%from] sent %page to [%to]', array('%name' => $form_values['fld_from_name'], '%from' => $form_values['fld_from_addr'], '%page' => $form_values['path'], '%to' => $form_values['txt_to_addrs'])));
$site_name = variable_get('site_name', t('us'));
$print_mail_text_confirmation = variable_get('print_mail_text_confirmation', t('Thank you for spreading the word about !site.'));
- drupal_set_message(t($print_mail_text_confirmation, array('!site' => $site_name)));
+ drupal_set_message(check_plain(t($print_mail_text_confirmation, array('!site' => $site_name))));
$nodepath = drupal_get_normal_path($form_values['path']);
db_query("UPDATE {print_mail_page_counter} SET sentcount = sentcount + %d, sent_timestamp = %d WHERE path = '%s'", count($addresses), time(), $nodepath);
diff --git a/print_mail/print_mail.module b/print_mail/print_mail.module
index 38a00a4..ed8da56 100644
--- a/print_mail/print_mail.module
+++ b/print_mail/print_mail.module
@@ -345,7 +345,7 @@ function _print_mail_node_conf_modify($nid, $link, $comments, $url_list) {
function theme_print_mail_format_link() {
$print_mail_link_class = variable_get('print_mail_link_class', PRINT_MAIL_LINK_CLASS_DEFAULT);
$print_mail_show_link = variable_get('print_mail_show_link', PRINT_MAIL_SHOW_LINK_DEFAULT);
- $print_mail_link_text = variable_get('print_mail_link_text', t('Send to friend'));
+ $print_mail_link_text = filter_xss(variable_get('print_mail_link_text', t('Send to friend')));
$img = drupal_get_path('module', 'print') .'/icons/mail_icon.gif';
$title = t('Send this page by e-mail.');
diff --git a/print_pdf/print_pdf.module b/print_pdf/print_pdf.module
index 88774c7..d846374 100644
--- a/print_pdf/print_pdf.module
+++ b/print_pdf/print_pdf.module
@@ -336,7 +336,7 @@ function theme_print_pdf_format_link() {
$print_pdf_link_class = variable_get('print_pdf_link_class', PRINT_PDF_LINK_CLASS_DEFAULT);
$print_pdf_content_disposition = variable_get('print_pdf_content_disposition', PRINT_PDF_CONTENT_DISPOSITION_DEFAULT);
$print_pdf_show_link = variable_get('print_pdf_show_link', PRINT_PDF_SHOW_LINK_DEFAULT);
- $print_pdf_link_text = variable_get('print_pdf_link_text', t('PDF version'));
+ $print_pdf_link_text = filter_xss(variable_get('print_pdf_link_text', t('PDF version')));
$img = drupal_get_path('module', 'print') .'/icons/pdf_icon.gif';
$title = t('Display a PDF version of this page.');
diff --git a/print_pdf/print_pdf.pages.inc b/print_pdf/print_pdf.pages.inc
index 6be7142..c804e3d 100644
--- a/print_pdf/print_pdf.pages.inc
+++ b/print_pdf/print_pdf.pages.inc
@@ -207,9 +207,9 @@ function _print_pdf_tcpdf($print, $html, $filename) {
}
$font = Array(
- variable_get('print_pdf_font_family', PRINT_PDF_FONT_FAMILY_DEFAULT),
+ check_plain(variable_get('print_pdf_font_family', PRINT_PDF_FONT_FAMILY_DEFAULT)),
'',
- variable_get('print_pdf_font_size', PRINT_PDF_FONT_SIZE_DEFAULT),
+ check_plain(variable_get('print_pdf_font_size', PRINT_PDF_FONT_SIZE_DEFAULT)),
);
$orientation = drupal_strtoupper($print_pdf_page_orientation[0]);
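Review bot: `check_plain()` on the two changed font lines escapes for HTML output, which is not the context these values are used in: they go into TCPDF's `$font` array, so an `&` in a family name becomes `&amp;` while a malformed size is passed on essentially unchanged, and neither value is actually validated. The size should be cast, `(int) variable_get('print_pdf_font_size', PRINT_PDF_FONT_SIZE_DEFAULT)` (or `(float)` if TCPDF accepts fractional points), and the family reduced to a safe name, e.g. `preg_replace('/[^a-z0-9_-]/i', '', variable_get('print_pdf_font_family', PRINT_PDF_FONT_FAMILY_DEFAULT))` or a comparison against the list of installed fonts, since TCPDF presumably resolves the family name to a font file on disk. `_print_pdf_tcpdf()` starts before this hunk and continues after it.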