500-7002-AS
Neil Drumm
parent
69ba5d1abe
commit
12bd111762
|
|
@ -1,5 +1,11 @@
|
|||
// $Id$
|
||||
|
||||
Drupal 5.1, 2007-01-29
|
||||
----------------------
|
||||
- fixed security issue (code execution), see SA-2007-005
|
||||
- fixed a variety of small bugs.
|
||||
|
||||
|
||||
Drupal 5.0, 2007-01-15
|
||||
------------------------
|
||||
- completely retooled the administration page
|
||||
|
|
|
|||
|
|
@ -959,7 +959,7 @@ function form_select_options($element, $choices = NULL) {
|
|||
else {
|
||||
$selected = '';
|
||||
}
|
||||
$options .= '<option value="'. $key .'"'. $selected .'>'. check_plain($choice) .'</option>';
|
||||
$options .= '<option value="'. check_plain($key) .'"'. $selected .'>'. check_plain($choice) .'</option>';
|
||||
}
|
||||
}
|
||||
return $options;
|
||||
|
|
@ -1055,7 +1055,7 @@ function theme_radio($element) {
|
|||
$output = '<input type="radio" ';
|
||||
$output .= 'name="' . $element['#name'] .'" ';
|
||||
$output .= 'value="'. $element['#return_value'] .'" ';
|
||||
$output .= ($element['#value'] == $element['#return_value']) ? ' checked="checked" ' : ' ';
|
||||
$output .= (check_plain($element['#value']) == $element['#return_value']) ? ' checked="checked" ' : ' ';
|
||||
$output .= drupal_attributes($element['#attributes']) .' />';
|
||||
if (!is_null($element['#title'])) {
|
||||
$output = '<label class="option">'. $output .' '. $element['#title'] .'</label>';
|
||||
|
|
@ -1258,7 +1258,7 @@ function expand_radios($element) {
|
|||
if (count($element['#options']) > 0) {
|
||||
foreach ($element['#options'] as $key => $choice) {
|
||||
if (!isset($element[$key])) {
|
||||
$element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => $key, '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
|
||||
$element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => check_plain($key), '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1537,10 +1537,10 @@ function theme_form_element($element, $value) {
|
|||
if (!empty($element['#title'])) {
|
||||
$title = $element['#title'];
|
||||
if (!empty($element['#id'])) {
|
||||
$output .= ' <label for="'. $element['#id'] .'">'. t('!title: !required', array('!title' => $title, '!required' => $required)) ."</label>\n";
|
||||
$output .= ' <label for="'. $element['#id'] .'">'. t('!title: !required', array('!title' => filter_xss_admin($title), '!required' => $required)) ."</label>\n";
|
||||
}
|
||||
else {
|
||||
$output .= ' <label>'. t('!title: !required', array('!title' => $title, '!required' => $required)) ."</label>\n";
|
||||
$output .= ' <label>'. t('!title: !required', array('!title' => filter_xss_admin($title), '!required' => $required)) ."</label>\n";
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1582,24 +1582,26 @@ function comment_form_add_preview($form, $edit) {
|
|||
|
||||
$output = '';
|
||||
|
||||
comment_validate($edit);
|
||||
$comment = (object)_comment_form_submit($edit);
|
||||
|
||||
// Attach the user and time information.
|
||||
if ($edit['author']) {
|
||||
$account = user_load(array('name' => $edit['author']));
|
||||
}
|
||||
elseif ($user->uid && !isset($edit['is_anonymous'])) {
|
||||
$account = $user;
|
||||
}
|
||||
if ($account) {
|
||||
$comment->uid = $account->uid;
|
||||
$comment->name = check_plain($account->name);
|
||||
}
|
||||
$comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
|
||||
|
||||
// Preview the comment with security check.
|
||||
// Invoke full validation for the form, to protect against cross site
|
||||
// request forgeries (CSRF) and setting arbitrary values for fields such as
|
||||
// the input format. Preview the comment only when form validation does not
|
||||
// set any errors.
|
||||
drupal_validate_form($form['form_id']['#value'], $form);
|
||||
if (!form_get_errors()) {
|
||||
$comment = (object)_comment_form_submit($edit);
|
||||
|
||||
// Attach the user and time information.
|
||||
if ($edit['author']) {
|
||||
$account = user_load(array('name' => $edit['author']));
|
||||
}
|
||||
elseif ($user->uid && !isset($edit['is_anonymous'])) {
|
||||
$account = $user;
|
||||
}
|
||||
if ($account) {
|
||||
$comment->uid = $account->uid;
|
||||
$comment->name = check_plain($account->name);
|
||||
}
|
||||
$comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
|
||||
$output .= theme('comment_view', $comment);
|
||||
}
|
||||
$form['comment_preview'] = array(
|
||||
|
|
|
|||
|
|
@ -2069,6 +2069,10 @@ function node_form_add_preview($form) {
|
|||
|
||||
$op = isset($form_values['op']) ? $form_values['op'] : '';
|
||||
if ($op == t('Preview')) {
|
||||
// Invoke full validation for the form, to protect against cross site
|
||||
// request forgeries (CSRF) and setting arbitrary values for fields such as
|
||||
// the input format. Preview the node only when form validation does not
|
||||
// set any errors.
|
||||
drupal_validate_form($form['form_id']['#value'], $form);
|
||||
if (!form_get_errors()) {
|
||||
// Because the node preview may display a form, we must render it
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
* Configuration system that lets administrators modify the workings of the site.
|
||||
*/
|
||||
|
||||
define('VERSION', '5.1-dev');
|
||||
define('VERSION', '5.1');
|
||||
|
||||
/**
|
||||
* Implementation of hook_help().
|
||||
|
|
|
|||
Loading…
Reference in New Issue