Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

- Backporting comment module validation fixes. Already went into DRUPAL-5.

6.x
Dries Buytaert 2007-03-01 19:53:04 +00:00
parent 6ee8563edb
commit b95f496bbc
2 changed files with 23 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
modules/comment/comment.module
View File

@ -1589,24 +1589,26 @@ function comment_form_add_preview($form, $edit) {
$output = ''; $output = '';
comment_validate($edit); // Invoke full validation for the form, to protect against cross site
$comment = (object)_comment_form_submit($edit); // request forgeries (CSRF) and setting arbitrary values for fields such as
// the input format. Preview the comment only when form validation does not
// Attach the user and time information. // set any errors.
if ($edit['author']) { drupal_validate_form($form['form_id']['#value'], $form);
$account = user_load(array('name' => $edit['author']));
}
elseif ($user->uid && !isset($edit['is_anonymous'])) {
$account = $user;
}
if ($account) {
$comment->uid = $account->uid;
$comment->name = check_plain($account->name);
}
$comment->timestamp = !empty($edit['timestamp']) ? $edit['timestamp'] : time();
// Preview the comment with security check.
if (!form_get_errors()) { if (!form_get_errors()) {
$comment = (object)_comment_form_submit($edit);
// Attach the user and time information.
if ($edit['author']) {
$account = user_load(array('name' => $edit['author']));
}
elseif ($user->uid && !isset($edit['is_anonymous'])) {
$account = $user;
}
if ($account) {
$comment->uid = $account->uid;
$comment->name = check_plain($account->name);
}
$comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
$output .= theme('comment_view', $comment); $output .= theme('comment_view', $comment);
} }
$form['comment_preview'] = array( $form['comment_preview'] = array(

4
modules/node/node.module
View File

@ -2027,6 +2027,10 @@ function node_form_add_preview($form) {
$op = isset($form_values['op']) ? $form_values['op'] : ''; $op = isset($form_values['op']) ? $form_values['op'] : '';
if ($op == t('Preview')) { if ($op == t('Preview')) {
// Invoke full validation for the form, to protect against cross site
// request forgeries (CSRF) and setting arbitrary values for fields such as
// the input format. Preview the node only when form validation does not
// set any errors.
drupal_validate_form($form['form_id']['#value'], $form); drupal_validate_form($form['form_id']['#value'], $form);
if (!form_get_errors()) { if (!form_get_errors()) {
// Because the node preview may display a form, we must render it // Because the node preview may display a form, we must render it