diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 509779049897..3ec57384612a 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -393,7 +393,7 @@ function drupal_get_title() { if (!isset($title)) { // during a bootstrap, menu.inc is not included and thus we cannot provide a title if (function_exists('menu_get_active_title')) { - $title = menu_get_active_title(); + $title = check_plain(menu_get_active_title()); } } @@ -509,7 +509,7 @@ function drupal_unpack($obj, $field = 'data') { */ function referer_uri() { if (isset($_SERVER['HTTP_REFERER'])) { - return check_url($_SERVER['HTTP_REFERER']); + return $_SERVER['HTTP_REFERER']; } } @@ -537,14 +537,14 @@ function arg($index) { } /** - * Prepare user input for use in a URI. + * Prepare a URL for use in an HTML attribute. * - * We replace ( and ) with their entity equivalents to prevent XSS attacks. + * We replace ( and ) with their url-encoded equivalents to prevent XSS attacks. */ function check_url($uri) { $uri = htmlspecialchars($uri, ENT_QUOTES); - $uri = strtr($uri, array('(' => '&040;', ')' => '&041;')); + $uri = strtr($uri, array('(' => '%28', ')' => '%29')); return $uri; } @@ -567,7 +567,7 @@ function request_uri() { } } - return check_url($uri); + return $uri; } /** diff --git a/includes/common.inc b/includes/common.inc index f3abbac85a52..b6a8807c8fe5 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -173,8 +173,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { extract(parse_url($_REQUEST['edit']['destination'])); } - // Translate & to simply & in the absolute URL. - $url = str_replace('&', '&', url($path, $query, $fragment, TRUE)); + $url = url($path, $query, $fragment, TRUE); if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) { $sid = session_name() . '=' . session_id(); @@ -203,7 +202,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { */ function drupal_not_found() { header('HTTP/1.0 404 Not Found'); - watchdog('page not found', t('%page not found.', array('%page' => ''. db_escape_string($_GET['q']) .'')), WATCHDOG_WARNING); + watchdog('page not found', t('%page not found.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING); $path = drupal_get_normal_path(variable_get('site_404', '')); $status = MENU_NOT_FOUND; @@ -223,7 +222,7 @@ function drupal_not_found() { */ function drupal_access_denied() { header('HTTP/1.0 403 Forbidden'); - watchdog('access denied', t('%page denied access.', array('%page' => ''. db_escape_string($_GET['q']) .'')), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); + watchdog('access denied', t('%page denied access.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); $path = drupal_get_normal_path(variable_get('site_403', '')); $status = MENU_NOT_FOUND; @@ -549,15 +548,10 @@ function t($string, $args = 0) { } /** - * Encode special characters in a string for display as HTML. - * - * Note that we'd like to use htmlspecialchars($input, $quotes, 'utf-8') - * as outlined in the PHP manual, but we can't because there's a bug in - * PHP < 4.3 that makes it mess up multibyte charsets if we specify the - * charset. This will be changed later once we make PHP 4.3 a requirement. + * Encode special characters in a plain-text string for display as HTML. */ -function drupal_specialchars($input, $quotes = ENT_NOQUOTES) { - return htmlspecialchars($input, $quotes); +function check_plain($text) { + return htmlspecialchars($text, ENT_QUOTES); } /** @@ -642,7 +636,7 @@ function valid_input_data($data) { $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data); if ($match) { - watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => ''. drupal_specialchars($data) .''))); + watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => theme('placeholder', $data)))); return FALSE; } } @@ -680,10 +674,6 @@ function flood_is_allowed($name, $threshold) { return ($number < $threshold ? TRUE : FALSE); } -function check_form($text) { - return drupal_specialchars($text, ENT_QUOTES); -} - function check_file($filename) { return is_uploaded_file($filename); } @@ -703,12 +693,12 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en // arbitrary elements may be added using the $args associative array $output = "\n"; - $output .= ' '. drupal_specialchars(strip_tags($title)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($link)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($description)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($language)) ."\n"; + $output .= ' '. check_plain($title) ."\n"; + $output .= ' '. check_url($link) ."\n"; + $output .= ' '. check_plain($description) ."\n"; + $output .= ' '. check_plain($language) ."\n"; foreach ($args as $key => $value) { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."\n"; } $output .= $items; $output .= "\n"; @@ -723,9 +713,9 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en */ function format_rss_item($title, $link, $description, $args = array()) { $output = "\n"; - $output .= ' '. drupal_specialchars(strip_tags($title)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($link)) ."\n"; - $output .= ' '. drupal_specialchars($description) ."\n"; + $output .= ' '. check_plain($title) ."\n"; + $output .= ' '. check_url($link) ."\n"; + $output .= ' '. check_plain($description) ."\n"; foreach ($args as $key => $value) { if (is_array($value)) { if ($value['key']) { @@ -743,7 +733,7 @@ function format_rss_item($title, $link, $description, $args = array()) { } } else { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."\n"; } } $output .= "\n"; @@ -1212,7 +1202,7 @@ function form_checkboxes($title, $name, $values, $options, $description = NULL, */ function form_textfield($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1239,7 +1229,7 @@ function form_textfield($title, $name, $value, $size, $maxlength, $description = */ function form_password($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1275,7 +1265,7 @@ function form_textarea($title, $name, $value, $cols, $rows, $description = NULL, } } - $output .= theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); + $output .= theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); // e.g. optionally plug in a WYSIWYG editor foreach (module_list() as $module_name) { @@ -1321,12 +1311,12 @@ function form_select($title, $name, $value, $options, $description = NULL, $extr if (is_array($choice)) { $select .= ''; foreach ($choice as $key => $choice) { - $select .= ''; + $select .= ''; } $select .= ''; } else { - $select .= ''; + $select .= ''; } } return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); @@ -1370,7 +1360,7 @@ function form_file($title, $name, $size, $description = NULL, $required = FALSE) * an attacker to change the value before it is submitted. */ function form_hidden($name, $value) { - return '\n"; + return '\n"; } /** @@ -1389,7 +1379,7 @@ function form_hidden($name, $value) { * A themed HTML string representing the button. */ function form_button($value, $name = 'op', $type = 'submit', $attributes = NULL) { - return '\n"; + return '\n"; } /** @@ -1476,12 +1466,12 @@ function url($path = NULL, $query = NULL, $fragment = NULL, $absolute = FALSE) { $fragment = '#'. $fragment; } - $base = ($absolute ? $base_url . '/' : ''); + $base = ($absolute ? $base_url .'/' : ''); if (variable_get('clean_url', '0') == '0') { if (isset($path)) { if (isset($query)) { - return $base . $script .'?q='. $path .'&'. $query . $fragment; + return $base . $script .'?q='. $path .'&'. $query . $fragment; } else { return $base . $script .'?q='. $path . $fragment; @@ -1528,7 +1518,7 @@ function drupal_attributes($attributes = array()) { if ($attributes) { $t = array(); foreach ($attributes as $key => $value) { - $t[] = $key .'="'. $value .'"'; + $t[] = $key .'="'. check_plain($value) .'"'; } return ' '. implode($t, ' '); @@ -1555,10 +1545,12 @@ function drupal_attributes($attributes = array()) { * @param $absolute * Whether to force the output to be an absolute link (beginning with http:). * Useful for links that will be displayed outside the site, such as in an RSS feed. + * @param $html + * Whether the title is HTML, or just plain-text. * @return * an HTML string containing a link to the given path. */ -function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE) { +function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE, $html = FALSE) { if (drupal_get_normal_path($path) == $_GET['q']) { if (isset($attributes['class'])) { $attributes['class'] .= ' active'; @@ -1567,7 +1559,7 @@ function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $attributes['class'] = 'active'; } } - return ''. $text .''; + return ''. ($html ? $text : check_plain($text)) .''; } /** @@ -1679,7 +1671,7 @@ function drupal_convert_to_utf8($data, $encoding) { $out = @mb_convert_encoding($data, 'utf-8', $encoding); } else if (function_exists('recode_string')) { - $out = @recode_string($encoding . '..utf-8', $data); + $out = @recode_string($encoding .'..utf-8', $data); } else { watchdog('php', t("Unsupported encoding '%s'. Please install iconv, GNU recode or mbstring for PHP.", $encoding), WATCHDOG_ERROR); @@ -1705,7 +1697,7 @@ function drupal_convert_to_utf8($data, $encoding) { * @param $len * An upper limit on the returned string length. * @param $wordsafe - * Flag to truncate at nearest word boundary. Defaults to FALSE. + * Flag to truncate at nearest space. Defaults to FALSE. * @return * The truncated string. */ diff --git a/includes/file.inc b/includes/file.inc index b8bf30b1135e..18ce0f9d917d 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -76,11 +76,11 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check if directory exists. if (!is_dir($directory)) { if (($mode & FILE_CREATE_DIRECTORY) && @mkdir($directory, 0760)) { - drupal_set_message(t('Created directory %directory.', array('%directory' => "$directory"))); + drupal_set_message(t('Created directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { if ($form_item) { - form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => "$directory"))); + form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => theme('placeholder', $directory)))); } return false; } @@ -89,10 +89,10 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check to see if the directory is writable. if (!is_writable($directory)) { if (($mode & FILE_MODIFY_PERMISSIONS) && @chmod($directory, 0760)) { - drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => "$directory"))); + drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { - form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => "$directory"))); + form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => theme('placeholder', $directory)))); return false; } } diff --git a/includes/locale.inc b/includes/locale.inc index 03e6dd098283..77bae2b81db2 100644 --- a/includes/locale.inc +++ b/includes/locale.inc @@ -23,14 +23,14 @@ function _locale_add_language($code, $name, $onlylanguage = TRUE) { // the language addition, we need to inform the user on how to start // a translation if ($onlylanguage) { - $message = t('%locale language added. You can now import a translation. See the help screen for more information.', array('%locale' => ''. t($name) .'', '%locale-help' => url('admin/help/locale'))); + $message = t('%locale language added. You can now import a translation. See the help screen for more information.', array('%locale' => theme('placeholder', t($name)), '%locale-help' => url('admin/help/locale'))); } else { - $message = t('%locale language added.', array('%locale' => ''. t($name) .'')); + $message = t('%locale language added.', array('%locale' => theme('placeholder', t($name)))); } drupal_set_message($message); - watchdog('locale', t('%language language (%locale) added.', array('%language' => "$name", '%locale' => "$code"))); + watchdog('locale', t('%language language (%locale) added.', array('%language' => theme('placeholder', $name), '%locale' => theme('placeholder', $code)))); } /** @@ -47,7 +47,7 @@ function _locale_admin_manage_screen() { $status = db_fetch_object(db_query("SELECT isdefault, enabled FROM {locales_meta} WHERE locale = '%s'", $key)); if ($key == 'en') { - $rows[] = array('en', $lang, form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); + $rows[] = array('en', check_plain($lang), form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); } else { $original = db_fetch_object(db_query("SELECT COUNT(*) AS strings FROM {locales_source}")); @@ -55,7 +55,7 @@ function _locale_admin_manage_screen() { $ratio = ($original->strings > 0 && $translation->translation > 0) ? round(($translation->translation/$original->strings)*100., 2) : 0; - $rows[] = array($key, ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); + $rows[] = array(check_plain($key), ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); } } @@ -132,7 +132,7 @@ function _locale_import_po($file, $lang, $mode) { // Check if we can get the strings from the file if (!($strings = _locale_import_read_po($file))) { - drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => "$file->filename")), 'error'); + drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } @@ -154,7 +154,7 @@ function _locale_import_po($file, $lang, $mode) { } } else { - drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => "$file->filename")), 'error'); + drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } @@ -257,7 +257,7 @@ function _locale_import_po($file, $lang, $mode) { menu_rebuild(); drupal_set_message(t('Translation successfully imported. %number translated strings added to language, %update strings updated.', array('%number' => $additions, '%update' => $updates))); - watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => "$file->filename", '%locale' => "$lang", '%number' => $additions, '%update' => $updates))); + watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => theme('placeholder', $file->filename), '%locale' => theme('placeholder', $lang), '%number' => $additions, '%update' => $updates))); return TRUE; } @@ -269,9 +269,10 @@ function _locale_import_po($file, $lang, $mode) { */ function _locale_import_read_po($file) { + $message = theme('placeholder', $file->filename); $fd = fopen($file->filepath, "rb"); if (!$fd) { - drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => "$file->filename")), 'error'); + drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => $message)), 'error'); return FALSE; } $info = fstat($fd); @@ -303,19 +304,19 @@ function _locale_import_read_po($file) { $context = "COMMENT"; } else { // Parse error - drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } elseif (!strncmp("msgid_plural", $line, 12)) { if ($context != "MSGID") { // Must be plural form for current entry - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 12)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $current["msgid"] ."\0". $quoted; @@ -327,13 +328,13 @@ function _locale_import_read_po($file) { $current = array(); } elseif ($context == "MSGID") { // Already in this context? Parse error - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 5)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $quoted; @@ -341,11 +342,11 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr[", $line, 7)) { if (($context != "MSGID") && ($context != "MSGID_PLURAL") && ($context != "MSGSTR_ARR")) { // Must come after msgid, msgid_plural, or msgstr[] - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (strpos($line, "]") === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $frombracket = strstr($line, "["); @@ -353,7 +354,7 @@ function _locale_import_read_po($file) { $line = trim(strstr($line, " ")); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"][$plural] = $quoted; @@ -361,13 +362,13 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr", $line, 6)) { if ($context != "MSGID") { // Should come just after a msgid block - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 6)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"] = $quoted; @@ -376,7 +377,7 @@ function _locale_import_read_po($file) { elseif ($line != "") { $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (($context == "MSGID") || ($context == "MSGID_PLURAL")) { @@ -389,7 +390,7 @@ function _locale_import_read_po($file) { $current["msgstr"][$plural] .= $quoted; } else { - drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } @@ -400,7 +401,7 @@ function _locale_import_read_po($file) { $strings[$current["msgid"]] = $current; } elseif ($context != "COMMENT") { - drupal_set_message(t('Translation file %filename broken: unexpected end file at line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected end of file at line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } @@ -465,7 +466,7 @@ function _locale_import_parse_plural_forms($pluralforms, $filename) { return array($nplurals, $plural); } else { - drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => "$filename")), 'error'); + drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => theme('placeholder', $filename))), 'error'); return FALSE; } } @@ -768,7 +769,7 @@ function _locale_export_po($language) { $header .= "\"Plural-Forms: nplurals=". $meta->plurals ."; plural=". strtr($meta->formula, '$', '') .";\\n\"\n"; } $header .= "\n"; - watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => "$meta->name", '%filename' => "$filename"))); + watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => theme('placeholder', $meta->name), '%filename' => theme('placeholder', $filename)))); } // Generating Portable Object Template @@ -789,7 +790,7 @@ function _locale_export_po($language) { $header .= "\"Content-Transfer-Encoding: 8bit\\n\"\n"; $header .= "\"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\\n\"\n"; $header .= "\n"; - watchdog('locale', t('Exported translation file: %filename.', array('%filename' => "$filename"))); + watchdog('locale', t('Exported translation file: %filename.', array('%filename' => theme('placeholder', $filename)))); } // Start download process @@ -1080,6 +1081,7 @@ function _locale_string_seek_form() { // Get *all* languages set up $languages = locale_supported_languages(FALSE, TRUE); asort($languages['name']); unset($languages['name']['en']); + $languages['name'] = array_map('check_plain', $languages['name']); // Present edit form preserving previous user settings $query = _locale_string_seek_query(); diff --git a/includes/pager.inc b/includes/pager.inc index 43639c7a683f..ddd6c399df23 100644 --- a/includes/pager.inc +++ b/includes/pager.inc @@ -384,19 +384,19 @@ function pager_link($from_new, $element, $attributes = array()) { $q = $_GET['q']; $from = array_key_exists('from', $_GET) ? $_GET['from'] : ''; - foreach($attributes as $key => $value) { + foreach ($attributes as $key => $value) { $query[] = $key .'='. $value; } $from_new = pager_load_array($from_new[$element], $element, explode(',', $from)); if (count($attributes)) { - $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); + $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); } else { $url = url($q, 'from='. implode($from_new, ',')); } - return $url; + return check_url($url); } function pager_load_array($value, $element, $old_array) { diff --git a/includes/tablesort.inc b/includes/tablesort.inc index ad02683524e4..e4f044d89c76 100644 --- a/includes/tablesort.inc +++ b/includes/tablesort.inc @@ -87,7 +87,7 @@ function tablesort_header($cell, $header, $ts) { $ts['sort'] = 'asc'; $image = ''; } - $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string']); + $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string'], NULL, FALSE, TRUE); unset($cell['field'], $cell['sort']); } @@ -139,7 +139,7 @@ function tablesort_get_querystring() { $query_string = ''; foreach ($cgi as $key => $val) { if ($key != 'order' && $key != 'sort' && $key != 'q') { - $query_string .= '&'. $key .'='. $val; + $query_string .= '&'. $key .'='. $val; } } return $query_string; diff --git a/includes/theme.inc b/includes/theme.inc index 14b2181e3040..789841152928 100644 --- a/includes/theme.inc +++ b/includes/theme.inc @@ -225,8 +225,8 @@ function path_to_theme() { */ function theme_get_settings($key = NULL) { $defaults = array( - 'primary_links' => l('edit primary links', 'admin/themes/settings'), - 'secondary_links' => l('edit secondary links', 'admin/themes/settings'), + 'primary_links' => l(t('edit primary links'), 'admin/themes/settings'), + 'secondary_links' => l(t('edit secondary links'), 'admin/themes/settings'), 'mission' => '', 'default_logo' => 1, 'logo_path' => '', @@ -348,6 +348,20 @@ function theme_get_styles() { * * The theme system is described and defined in theme.inc. */ + +/** + * Format a dynamic text string for emphasised display in a placeholder. + * + * E.g. t('Added term %term', array('%term' => theme('placeholder', $term))) + * + * @param $text + * The text to format (plain-text). + * @return + * The formatted text (html). + */ +function theme_placeholder($text) { + return ''. check_plain($text) .''; +} /** * Return an entire Drupal page displaying the supplied content. @@ -361,7 +375,7 @@ function theme_page($content) { $output = "\n"; $output .= ''; $output .= ''; - $output .= ' '. (drupal_get_title() ? drupal_get_title() : variable_get('site_name', 'drupal')) .''; + $output .= ' '. (drupal_get_title() ? strip_tags(drupal_get_title()) : variable_get('site_name', 'drupal')) .''; $output .= drupal_get_html_head(); $output .= theme_get_styles(); @@ -500,7 +514,7 @@ function theme_node($node, $teaser = FALSE, $page = FALSE) { } if ($page == 0) { - $output = '

'. $node->title .'

by '. format_name($node); + $output = '

'. check_plain($node->title) .'

by '. format_name($node); } else { $output = 'by '. format_name($node); diff --git a/modules/aggregator.module b/modules/aggregator.module index edd23ad1e8cc..2374afd9c60e 100644 --- a/modules/aggregator.module +++ b/modules/aggregator.module @@ -198,11 +198,11 @@ function aggregator_block($op, $delta = 0, $edit = array()) { if ($op == 'list') { $result = db_query('SELECT cid, title FROM {aggregator_category} ORDER BY title'); while ($category = db_fetch_object($result)) { - $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => $category->title)); + $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => theme('placeholder', $category->title))); } $result = db_query('SELECT fid, title FROM {aggregator_feed} ORDER BY fid'); while ($feed = db_fetch_object($result)) { - $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => $feed->title)); + $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => theme('placeholder', $feed->title))); } } else if ($op == 'configure') { @@ -231,7 +231,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { switch ($type) { case 'feed': if ($feed = db_fetch_object(db_query('SELECT fid, title, block FROM {aggregator_feed} WHERE fid = %d', $id))) { - $block['subject'] = $feed->title; + $block['subject'] = check_plain($feed->title); $result = db_query_range('SELECT * FROM {aggregator_item} WHERE fid = %d ORDER BY timestamp DESC, iid DESC', $feed->fid, 0, $feed->block); $block['content'] = '
'. l(t('more'), 'aggregator/sources/'. $feed->fid, array('title' => t('View this feed\'s recent news.'))) .'
'; } @@ -239,7 +239,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { case 'category': if ($category = db_fetch_object(db_query('SELECT cid, title, block FROM {aggregator_category} WHERE cid = %d', $id))) { - $block['subject'] = $category->title; + $block['subject'] = check_plain($category->title); $result = db_query_range('SELECT i.* FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON ci.iid = i.iid WHERE ci.cid = %d ORDER BY i.timestamp DESC, i.iid DESC', $category->cid, 0, $category->block); $block['content'] = '
'. l(t('more'), 'aggregator/categories/'. $category->cid, array('title' => t('View this category\'s recent news.'))) .'
'; } @@ -265,7 +265,7 @@ function aggregator_remove($feed) { } db_query('DELETE FROM {aggregator_item} WHERE fid = %d', $feed['fid']); db_query("UPDATE {aggregator_feed} SET checked = 0, etag = '', modified = 0 WHERE fid = %d", $feed['fid']); - drupal_set_message(t('Removed news items from %site.', array('%site' => ''. $feed['title'] .''))); + drupal_set_message(t('Removed news items from %site.', array('%site' => theme('placeholder', $feed['title'])))); } /** @@ -345,11 +345,11 @@ function aggregator_refresh($feed) { switch ($result->code) { case 304: db_query('UPDATE {aggregator_feed} SET checked = %d WHERE fid = %d', time(), $feed['fid']); - drupal_set_message(t('No new syndicated content from %site.', array('%site' => ''. $feed['title'] .''))); + drupal_set_message(t('No new syndicated content from %site.', array('%site' => theme('placeholder', $feed['title'])))); break; case 301: $feed['url'] = $result->redirect_url; - watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => ''. $feed['title'] .'', '%url' => ''. $feed['url'] .''))); + watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => theme('placeholder', $feed['title']), '%url' => theme('placeholder', $feed['url'])))); break; case 200: @@ -397,13 +397,13 @@ function aggregator_refresh($feed) { cache_clear_all(); - $message = t('Syndicated content from %site.', array('%site' => ''. $feed[title] .'')); + $message = t('Syndicated content from %site.', array('%site' => theme('placeholder', $feed[title]))); watchdog('aggregator', $message); drupal_set_message($message); } break; default: - $message = t('Failed to parse RSS feed %site: %error.', array('%site' => ''. $feed['title'] .'', '%error' => "$result->code $result->error")); + $message = t('Failed to parse RSS feed %site: %error.', array('%site' => theme('placeholder', $feed['title']), '%error' => theme('placeholder', $result->code .' '. $result->error))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message); } @@ -461,7 +461,7 @@ function aggregator_parse_feed(&$data, $feed) { xml_set_character_data_handler($xml_parser, 'aggregator_element_data'); if (!xml_parse($xml_parser, $data, 1)) { - $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => ''. $feed['title'] .'', '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); + $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => theme('placeholder', $feed['title']), '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message, 'error'); return 0; @@ -554,7 +554,7 @@ function aggregator_parse_feed(&$data, $feed) { } if (!valid_input_data($item['DESCRIPTION'])) { - drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => ''. $feed['title'] .'')), 'error'); + drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => theme('placeholder', $feed['title']))), 'error'); } else { aggregator_save_item(array('iid' => $entry->iid, 'fid' => $feed['fid'], 'timestamp' => $timestamp, 'title' => $title, 'link' => $link, 'author' => $item['AUTHOR'], 'description' => $item['DESCRIPTION'])); @@ -643,7 +643,7 @@ function aggregator_form_feed($edit = array()) { $categories = db_query('SELECT c.cid, c.title, f.fid FROM {aggregator_category} c LEFT JOIN {aggregator_category_feed} f ON c.cid = f.cid AND f.fid = %d ORDER BY title', $edit['fid']); while ($category = db_fetch_object($categories)) { $options[$category->cid] = $category->title; - if ($category->fid) $values[] = $category->cid; + if ($category->fid) $values[] = check_plain($category->cid); } if ($options) { $form .= form_checkboxes(t('Categorize news items'), 'category', $values, $options, t('New items in this feed will be automatically filed in the the checked categories as they are received.')); @@ -920,7 +920,7 @@ function _aggregator_page_list($sql, $op, $header = '') { $selected = array(); while ($category = db_fetch_object($categories_result)) { if (!$done) { - $categories[$category->cid] = check_form($category->title); + $categories[$category->cid] = check_plain($category->title); } if ($category->iid) { $selected[] = $category->cid; @@ -932,7 +932,7 @@ function _aggregator_page_list($sql, $op, $header = '') { else { $form = ''; while ($category = db_fetch_object($categories_result)) { - $form .= form_checkbox(check_form($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); + $form .= form_checkbox(check_plain($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); } } $rows[] = array(theme('aggregator_page_item', $item), array('data' => $form, 'class' => 'categorize-item')); @@ -960,7 +960,7 @@ function aggregator_page_sources() { $result = db_query('SELECT f.fid, f.title, f.description, f.image, MAX(i.timestamp) AS last FROM {aggregator_feed} f LEFT JOIN {aggregator_item} i ON f.fid = i.fid GROUP BY f.fid'); $output = "
\n"; while ($feed = db_fetch_object($result)) { - $output .= "

$feed->title

\n"; + $output .= '

'. check_plain($feed->title) ."

\n"; // Most recent items: $list = array(); @@ -987,13 +987,13 @@ function aggregator_page_opml() { $output = "\n"; $output .= "\n"; $output .= "\n"; - $output .= ''. drupal_specialchars(variable_get('site_name', 'Drupal')) ."\n"; + $output .= ''. check_plain(variable_get('site_name', 'Drupal')) ."\n"; $output .= ''. gmdate('r') ."\n"; $output .= "\n"; $output .= "\n"; while ($feed = db_fetch_object($result)) { - $output .= '\n"; + $output .= '\n"; } $output .= "\n"; @@ -1011,7 +1011,7 @@ function aggregator_page_categories() { $output = "
\n"; while ($category = db_fetch_object($result)) { - $output .= "

$category->title

\n"; + $output .= '

'. check_plain($category->title) ."

\n"; if (variable_get('aggregator_summary_items', 3)) { $list = array(); $items = db_query_range('SELECT i.title, i.timestamp, i.link, f.title as feed_title, f.link as feed_link FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON i.iid = ci.iid LEFT JOIN {aggregator_feed} f ON i.fid = f.fid WHERE ci.cid = %d ORDER BY i.timestamp DESC', $category->cid, 0, variable_get('aggregator_summary_items', 3)); @@ -1042,7 +1042,7 @@ function theme_aggregator_feed($feed) { $output .= $feed->description; $output .= '

'. t('URL') ."

\n"; $output .= theme('xml_icon', $feed->url); - $output .= "link\">$feed->link\n"; + $output .= ''. check_plain($feed->link) ."\n"; $output .= '

'. t('Last update') ."

\n"; $updated = t('%time ago', array('%time' => format_interval(time() - $feed->checked))); @@ -1066,12 +1066,12 @@ function theme_aggregator_block_item($item, $feed = 0) { if ($user->uid && module_exist('blog') && user_access('edit own blog')) { if ($image = theme('image', 'misc/blog.png', t('blog it'), t('blog it'))) { - $output .= '
'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid") .'
'; + $output .= '
'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid", NULL, FALSE, TRUE) .'
'; } } // Display the external link to the item. - $output .= "link\">$item->title\n"; + $output .= ''. check_plain($item->title) ."\n"; return $output; } @@ -1086,7 +1086,7 @@ function theme_aggregator_block_item($item, $feed = 0) { * @ingroup themeable */ function theme_aggregator_summary_item($item) { - $output = ''. $item->title .' '. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .''; + $output = ''. check_plain($item->title) .' '. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .''; if ($item->feed_link) { $output .= ', '. $item->feed_title .''; } @@ -1110,9 +1110,9 @@ function theme_aggregator_page_item($item) { $output .= "
\n"; $output .= '
'. date('H:i', $item->timestamp) ."
\n"; $output .= "
\n"; - $output .= "
link\">$item->title
\n"; + $output .= '
'. check_plain($item->title) ."
\n"; if ($item->description) { - $output .= "
$item->description
\n"; + $output .= '
'. check_plain($item->description) ."
\n"; } if ($item->ftitle && $item->fid) { $output .= '
'. t('Source') .': '. l($item->ftitle, "aggregator/sources/$item->fid") ."
\n"; diff --git a/modules/aggregator/aggregator.module b/modules/aggregator/aggregator.module index edd23ad1e8cc..2374afd9c60e 100644 --- a/modules/aggregator/aggregator.module +++ b/modules/aggregator/aggregator.module @@ -198,11 +198,11 @@ function aggregator_block($op, $delta = 0, $edit = array()) { if ($op == 'list') { $result = db_query('SELECT cid, title FROM {aggregator_category} ORDER BY title'); while ($category = db_fetch_object($result)) { - $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => $category->title)); + $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => theme('placeholder', $category->title))); } $result = db_query('SELECT fid, title FROM {aggregator_feed} ORDER BY fid'); while ($feed = db_fetch_object($result)) { - $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => $feed->title)); + $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => theme('placeholder', $feed->title))); } } else if ($op == 'configure') { @@ -231,7 +231,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { switch ($type) { case 'feed': if ($feed = db_fetch_object(db_query('SELECT fid, title, block FROM {aggregator_feed} WHERE fid = %d', $id))) { - $block['subject'] = $feed->title; + $block['subject'] = check_plain($feed->title); $result = db_query_range('SELECT * FROM {aggregator_item} WHERE fid = %d ORDER BY timestamp DESC, iid DESC', $feed->fid, 0, $feed->block); $block['content'] = '
'. l(t('more'), 'aggregator/sources/'. $feed->fid, array('title' => t('View this feed\'s recent news.'))) .'
'; } @@ -239,7 +239,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { case 'category': if ($category = db_fetch_object(db_query('SELECT cid, title, block FROM {aggregator_category} WHERE cid = %d', $id))) { - $block['subject'] = $category->title; + $block['subject'] = check_plain($category->title); $result = db_query_range('SELECT i.* FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON ci.iid = i.iid WHERE ci.cid = %d ORDER BY i.timestamp DESC, i.iid DESC', $category->cid, 0, $category->block); $block['content'] = '
'. l(t('more'), 'aggregator/categories/'. $category->cid, array('title' => t('View this category\'s recent news.'))) .'
'; } @@ -265,7 +265,7 @@ function aggregator_remove($feed) { } db_query('DELETE FROM {aggregator_item} WHERE fid = %d', $feed['fid']); db_query("UPDATE {aggregator_feed} SET checked = 0, etag = '', modified = 0 WHERE fid = %d", $feed['fid']); - drupal_set_message(t('Removed news items from %site.', array('%site' => ''. $feed['title'] .''))); + drupal_set_message(t('Removed news items from %site.', array('%site' => theme('placeholder', $feed['title'])))); } /** @@ -345,11 +345,11 @@ function aggregator_refresh($feed) { switch ($result->code) { case 304: db_query('UPDATE {aggregator_feed} SET checked = %d WHERE fid = %d', time(), $feed['fid']); - drupal_set_message(t('No new syndicated content from %site.', array('%site' => ''. $feed['title'] .''))); + drupal_set_message(t('No new syndicated content from %site.', array('%site' => theme('placeholder', $feed['title'])))); break; case 301: $feed['url'] = $result->redirect_url; - watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => ''. $feed['title'] .'', '%url' => ''. $feed['url'] .''))); + watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => theme('placeholder', $feed['title']), '%url' => theme('placeholder', $feed['url'])))); break; case 200: @@ -397,13 +397,13 @@ function aggregator_refresh($feed) { cache_clear_all(); - $message = t('Syndicated content from %site.', array('%site' => ''. $feed[title] .'')); + $message = t('Syndicated content from %site.', array('%site' => theme('placeholder', $feed[title]))); watchdog('aggregator', $message); drupal_set_message($message); } break; default: - $message = t('Failed to parse RSS feed %site: %error.', array('%site' => ''. $feed['title'] .'', '%error' => "$result->code $result->error")); + $message = t('Failed to parse RSS feed %site: %error.', array('%site' => theme('placeholder', $feed['title']), '%error' => theme('placeholder', $result->code .' '. $result->error))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message); } @@ -461,7 +461,7 @@ function aggregator_parse_feed(&$data, $feed) { xml_set_character_data_handler($xml_parser, 'aggregator_element_data'); if (!xml_parse($xml_parser, $data, 1)) { - $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => ''. $feed['title'] .'', '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); + $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => theme('placeholder', $feed['title']), '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message, 'error'); return 0; @@ -554,7 +554,7 @@ function aggregator_parse_feed(&$data, $feed) { } if (!valid_input_data($item['DESCRIPTION'])) { - drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => ''. $feed['title'] .'')), 'error'); + drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => theme('placeholder', $feed['title']))), 'error'); } else { aggregator_save_item(array('iid' => $entry->iid, 'fid' => $feed['fid'], 'timestamp' => $timestamp, 'title' => $title, 'link' => $link, 'author' => $item['AUTHOR'], 'description' => $item['DESCRIPTION'])); @@ -643,7 +643,7 @@ function aggregator_form_feed($edit = array()) { $categories = db_query('SELECT c.cid, c.title, f.fid FROM {aggregator_category} c LEFT JOIN {aggregator_category_feed} f ON c.cid = f.cid AND f.fid = %d ORDER BY title', $edit['fid']); while ($category = db_fetch_object($categories)) { $options[$category->cid] = $category->title; - if ($category->fid) $values[] = $category->cid; + if ($category->fid) $values[] = check_plain($category->cid); } if ($options) { $form .= form_checkboxes(t('Categorize news items'), 'category', $values, $options, t('New items in this feed will be automatically filed in the the checked categories as they are received.')); @@ -920,7 +920,7 @@ function _aggregator_page_list($sql, $op, $header = '') { $selected = array(); while ($category = db_fetch_object($categories_result)) { if (!$done) { - $categories[$category->cid] = check_form($category->title); + $categories[$category->cid] = check_plain($category->title); } if ($category->iid) { $selected[] = $category->cid; @@ -932,7 +932,7 @@ function _aggregator_page_list($sql, $op, $header = '') { else { $form = ''; while ($category = db_fetch_object($categories_result)) { - $form .= form_checkbox(check_form($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); + $form .= form_checkbox(check_plain($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); } } $rows[] = array(theme('aggregator_page_item', $item), array('data' => $form, 'class' => 'categorize-item')); @@ -960,7 +960,7 @@ function aggregator_page_sources() { $result = db_query('SELECT f.fid, f.title, f.description, f.image, MAX(i.timestamp) AS last FROM {aggregator_feed} f LEFT JOIN {aggregator_item} i ON f.fid = i.fid GROUP BY f.fid'); $output = "
\n"; while ($feed = db_fetch_object($result)) { - $output .= "

$feed->title

\n"; + $output .= '

'. check_plain($feed->title) ."

\n"; // Most recent items: $list = array(); @@ -987,13 +987,13 @@ function aggregator_page_opml() { $output = "\n"; $output .= "\n"; $output .= "\n"; - $output .= ''. drupal_specialchars(variable_get('site_name', 'Drupal')) ."\n"; + $output .= ''. check_plain(variable_get('site_name', 'Drupal')) ."\n"; $output .= ''. gmdate('r') ."\n"; $output .= "\n"; $output .= "\n"; while ($feed = db_fetch_object($result)) { - $output .= '\n"; + $output .= '\n"; } $output .= "\n"; @@ -1011,7 +1011,7 @@ function aggregator_page_categories() { $output = "
\n"; while ($category = db_fetch_object($result)) { - $output .= "

$category->title

\n"; + $output .= '

'. check_plain($category->title) ."

\n"; if (variable_get('aggregator_summary_items', 3)) { $list = array(); $items = db_query_range('SELECT i.title, i.timestamp, i.link, f.title as feed_title, f.link as feed_link FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON i.iid = ci.iid LEFT JOIN {aggregator_feed} f ON i.fid = f.fid WHERE ci.cid = %d ORDER BY i.timestamp DESC', $category->cid, 0, variable_get('aggregator_summary_items', 3)); @@ -1042,7 +1042,7 @@ function theme_aggregator_feed($feed) { $output .= $feed->description; $output .= '

'. t('URL') ."

\n"; $output .= theme('xml_icon', $feed->url); - $output .= "link\">$feed->link\n"; + $output .= ''. check_plain($feed->link) ."\n"; $output .= '

'. t('Last update') ."

\n"; $updated = t('%time ago', array('%time' => format_interval(time() - $feed->checked))); @@ -1066,12 +1066,12 @@ function theme_aggregator_block_item($item, $feed = 0) { if ($user->uid && module_exist('blog') && user_access('edit own blog')) { if ($image = theme('image', 'misc/blog.png', t('blog it'), t('blog it'))) { - $output .= '
'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid") .'
'; + $output .= '
'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid", NULL, FALSE, TRUE) .'
'; } } // Display the external link to the item. - $output .= "link\">$item->title\n"; + $output .= ''. check_plain($item->title) ."\n"; return $output; } @@ -1086,7 +1086,7 @@ function theme_aggregator_block_item($item, $feed = 0) { * @ingroup themeable */ function theme_aggregator_summary_item($item) { - $output = ''. $item->title .' '. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .''; + $output = ''. check_plain($item->title) .' '. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .''; if ($item->feed_link) { $output .= ', '. $item->feed_title .''; } @@ -1110,9 +1110,9 @@ function theme_aggregator_page_item($item) { $output .= "
\n"; $output .= '
'. date('H:i', $item->timestamp) ."
\n"; $output .= "
\n"; - $output .= "
link\">$item->title
\n"; + $output .= '
'. check_plain($item->title) ."
\n"; if ($item->description) { - $output .= "
$item->description
\n"; + $output .= '
'. check_plain($item->description) ."
\n"; } if ($item->ftitle && $item->fid) { $output .= '
'. t('Source') .': '. l($item->ftitle, "aggregator/sources/$item->fid") ."
\n"; diff --git a/modules/archive.module b/modules/archive.module index 446071c33872..de6b8794847e 100644 --- a/modules/archive.module +++ b/modules/archive.module @@ -91,7 +91,7 @@ function archive_calendar($original = 0) { $output .= "\n\n"; $output .= '
'; $output .= '\n"; - $output .= ' \n"; + $output .= ' \n"; // First day of week (0 => Sunday, 1 => Monday, ...) $weekstart = variable_get('date_first_day', 0); diff --git a/modules/archive/archive.module b/modules/archive/archive.module index 446071c33872..de6b8794847e 100644 --- a/modules/archive/archive.module +++ b/modules/archive/archive.module @@ -91,7 +91,7 @@ function archive_calendar($original = 0) { $output .= "\n\n"; $output .= '
'; $output .= '
'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."
\n"; - $output .= ' \n"; + $output .= ' \n"; // First day of week (0 => Sunday, 1 => Monday, ...) $weekstart = variable_get('date_first_day', 0); diff --git a/modules/block.module b/modules/block.module index 78a848f5ebb1..caeee3691a3e 100644 --- a/modules/block.module +++ b/modules/block.module @@ -86,7 +86,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'list': $result = db_query('SELECT bid, title, info FROM {boxes} ORDER BY title'); while ($block = db_fetch_object($result)) { - $blocks[$block->bid]['info'] = $block->info ? $block->info : $block->title; + $blocks[$block->bid]['info'] = $block->info ? check_plain($block->info) : check_plain($block->title); } return $blocks; @@ -103,7 +103,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'view': $block = db_fetch_object(db_query('SELECT * FROM {boxes} WHERE bid = %d', $delta)); - $data['subject'] = $block->title; + $data['subject'] = check_plain($block->title); $data['content'] = check_output($block->body, $block->format); return $data; } @@ -335,13 +335,13 @@ function block_box_delete($bid = 0) { if ($_POST['edit']['confirm']) { db_query('DELETE FROM {boxes} WHERE bid = %d', $bid); - drupal_set_message(t('The block %name has been deleted.', array('%name' => ''. $info .''))); + drupal_set_message(t('The block %name has been deleted.', array('%name' => theme('placeholder', $info)))); cache_clear_all(); drupal_goto('admin/block'); } else { $output = theme('confirm', - t('Are you sure you want to delete the block %name?', array('%name' => ''. $info .'')), + t('Are you sure you want to delete the block %name?', array('%name' => theme('placeholder', $info))), 'admin/block', NULL, t('Delete')); diff --git a/modules/block/block.module b/modules/block/block.module index 78a848f5ebb1..caeee3691a3e 100644 --- a/modules/block/block.module +++ b/modules/block/block.module @@ -86,7 +86,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'list': $result = db_query('SELECT bid, title, info FROM {boxes} ORDER BY title'); while ($block = db_fetch_object($result)) { - $blocks[$block->bid]['info'] = $block->info ? $block->info : $block->title; + $blocks[$block->bid]['info'] = $block->info ? check_plain($block->info) : check_plain($block->title); } return $blocks; @@ -103,7 +103,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'view': $block = db_fetch_object(db_query('SELECT * FROM {boxes} WHERE bid = %d', $delta)); - $data['subject'] = $block->title; + $data['subject'] = check_plain($block->title); $data['content'] = check_output($block->body, $block->format); return $data; } @@ -335,13 +335,13 @@ function block_box_delete($bid = 0) { if ($_POST['edit']['confirm']) { db_query('DELETE FROM {boxes} WHERE bid = %d', $bid); - drupal_set_message(t('The block %name has been deleted.', array('%name' => ''. $info .''))); + drupal_set_message(t('The block %name has been deleted.', array('%name' => theme('placeholder', $info)))); cache_clear_all(); drupal_goto('admin/block'); } else { $output = theme('confirm', - t('Are you sure you want to delete the block %name?', array('%name' => ''. $info .'')), + t('Are you sure you want to delete the block %name?', array('%name' => theme('placeholder', $info))), 'admin/block', NULL, t('Delete')); diff --git a/modules/blogapi.module b/modules/blogapi.module index a3a5c75de4a6..58807c87be2d 100644 --- a/modules/blogapi.module +++ b/modules/blogapi.module @@ -153,7 +153,7 @@ function blogapi_new_post($req_params) { $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: added %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => "$node->title")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: added %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval($nid, 'string')); } @@ -215,7 +215,7 @@ function blogapi_edit_post($req_params) { } $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: updated %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => "$node->title")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: updated %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval(true, 'boolean')); } diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module index a3a5c75de4a6..58807c87be2d 100644 --- a/modules/blogapi/blogapi.module +++ b/modules/blogapi/blogapi.module @@ -153,7 +153,7 @@ function blogapi_new_post($req_params) { $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: added %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => "$node->title")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: added %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval($nid, 'string')); } @@ -215,7 +215,7 @@ function blogapi_edit_post($req_params) { } $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: updated %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => "$node->title")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: updated %title using blog API.', array('%type' => ''. t($node->type) .'', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval(true, 'boolean')); } diff --git a/modules/book.module b/modules/book.module index 76bb98b6008a..576f8fd1a9c1 100644 --- a/modules/book.module +++ b/modules/book.module @@ -148,7 +148,7 @@ function book_block($op = 'list', $delta = 0) { $expand[] = $node->nid; } - $block['subject'] = $path[0]->title; + $block['subject'] = check_plain($path[0]->title); $block['content'] = book_tree($expand[0], 5, $expand); } } @@ -287,7 +287,7 @@ function book_outline() { $output .= form_submit(t('Add to book outline')); } - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', form($output)); } } @@ -477,7 +477,7 @@ function theme_book_navigation($node) { $links .= ''; - $titles .= ''; + $titles .= ''; } else { $links .= ''; // Make an empty div to fill the space. @@ -486,7 +486,7 @@ function theme_book_navigation($node) { $links .= ''; - $titles .= ''; + $titles .= ''; } else { $links .= ''; // Make an empty div to fill the space. @@ -633,7 +633,7 @@ function book_print($nid = 0, $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '

'. $node->title .'

'; + $output .= '

'. check_plain($node->title) .'

'; if ($node->body) { $output .= $node->body; @@ -643,7 +643,7 @@ function book_print($nid = 0, $depth = 1) { $output .= book_print_recurse($nid, $depth); - $html = ''. $node->title .''; + $html = ''. check_plain($node->title) .''; $html .= ''; $html .= ""; $html .= ''. $output .''; @@ -671,7 +671,7 @@ function book_print_recurse($parent = '', $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '

'. $node->title .'

'; + $output .= '

'. check_plain($node->title) .'

'; if ($node->body) { $output .= '
    '. $node->body .'
'; @@ -707,7 +707,7 @@ function book_admin_view($nid, $depth = 0) { if ($nid) { $node = node_load(array('nid' => $nid)); - $output .= '

'. $node->title .'

'; + $output .= '

'. check_plain($node->title) .'

'; $header = array(t('Title'), t('Weight'), array('data' => t('Operations'), 'colspan' => '3')); $rows[] = book_admin_view_line($node); @@ -738,7 +738,7 @@ function book_admin_save($nid, $edit = array()) { } } - $message = t('Updated book %title.', array('%title' => "$book->title")); + $message = t('Updated book %title.', array('%title' => theme('placeholder', $book->title))); watchdog('content', $message); return $message; diff --git a/modules/book/book.module b/modules/book/book.module index 76bb98b6008a..576f8fd1a9c1 100644 --- a/modules/book/book.module +++ b/modules/book/book.module @@ -148,7 +148,7 @@ function book_block($op = 'list', $delta = 0) { $expand[] = $node->nid; } - $block['subject'] = $path[0]->title; + $block['subject'] = check_plain($path[0]->title); $block['content'] = book_tree($expand[0], 5, $expand); } } @@ -287,7 +287,7 @@ function book_outline() { $output .= form_submit(t('Add to book outline')); } - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', form($output)); } } @@ -477,7 +477,7 @@ function theme_book_navigation($node) { $links .= ''; - $titles .= ''; + $titles .= ''; } else { $links .= ''; // Make an empty div to fill the space. @@ -486,7 +486,7 @@ function theme_book_navigation($node) { $links .= ''; - $titles .= ''; + $titles .= ''; } else { $links .= ''; // Make an empty div to fill the space. @@ -633,7 +633,7 @@ function book_print($nid = 0, $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '

'. $node->title .'

'; + $output .= '

'. check_plain($node->title) .'

'; if ($node->body) { $output .= $node->body; @@ -643,7 +643,7 @@ function book_print($nid = 0, $depth = 1) { $output .= book_print_recurse($nid, $depth); - $html = ''. $node->title .''; + $html = ''. check_plain($node->title) .''; $html .= ''; $html .= ""; $html .= ''. $output .''; @@ -671,7 +671,7 @@ function book_print_recurse($parent = '', $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '

'. $node->title .'

'; + $output .= '

'. check_plain($node->title) .'

'; if ($node->body) { $output .= '
    '. $node->body .'
'; @@ -707,7 +707,7 @@ function book_admin_view($nid, $depth = 0) { if ($nid) { $node = node_load(array('nid' => $nid)); - $output .= '

'. $node->title .'

'; + $output .= '

'. check_plain($node->title) .'

'; $header = array(t('Title'), t('Weight'), array('data' => t('Operations'), 'colspan' => '3')); $rows[] = book_admin_view_line($node); @@ -738,7 +738,7 @@ function book_admin_save($nid, $edit = array()) { } } - $message = t('Updated book %title.', array('%title' => "$book->title")); + $message = t('Updated book %title.', array('%title' => theme('placeholder', $book->title))); watchdog('content', $message); return $message; diff --git a/modules/comment.module b/modules/comment.module index a22da2242e41..876e89bff1f8 100644 --- a/modules/comment.module +++ b/modules/comment.module @@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) { $text = ''; $comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid); while ($comment = db_fetch_object($comments)) { - $text .= '

'. $comment->subject .'

'. check_output($comment->comment, $comment->format); + $text .= '

'. check_plain($comment->subject) .'

'. check_output($comment->comment, $comment->format); } return $text; @@ -431,9 +431,12 @@ function comment_validate_form($edit) { // Validate the comment's subject. If not specified, extract // one from the comment's body. - $edit['subject'] = strip_tags($edit['subject']); - if ($edit['subject'] == '') { - $edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE); + if (trim($edit['subject']) == '') { + // The body may be in any format, so we: + // 1) Filter it into HTML + // 2) Strip out all HTML tags + // 3) Convert entities back to plain-text. + $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE); } // Validate the comment's body. @@ -450,7 +453,7 @@ function comment_validate_form($edit) { if (!$user->uid) { if (variable_get('comment_anonymous', 0) > 0) { if ($edit['name']) { - $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0); + $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0); if ($taken != 0) { form_set_error('name', t('The name you used belongs to a registered user.')); @@ -494,7 +497,7 @@ function comment_preview($edit) { // Attach the user and time information. $comment->uid = $user->uid; $comment->timestamp = time(); - $comment->name = $user->name ? $user->name : $comment->name; + $comment->name = check_plain($user->name ? $user->name : $comment->name); // Preview the comment. $output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1))); @@ -523,7 +526,7 @@ function comment_post($edit) { // validated/filtered data to perform such check. $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0); if ($duplicate != 0) { - watchdog('content', t('Comment: duplicate %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_WARNING); + watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } if ($edit['cid']) { @@ -538,7 +541,7 @@ function comment_post($edit) { module_invoke_all('comment', 'update', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: updated %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } else { // Add the comment to database. @@ -641,7 +644,7 @@ function comment_post($edit) { module_invoke_all('comment', 'insert', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: added %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } // Clear the cache so an anonymous user can see his comment being added. @@ -662,7 +665,7 @@ function comment_post($edit) { } } else { - watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_WARNING); + watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } } @@ -974,7 +977,7 @@ function comment_delete($cid) { } else if ($comment->cid) { $output = theme('confirm', - t('Are you sure you want to delete the comment %title?', array('%title' => ''. $comment->subject .'')), + t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))), 'node/'. $comment->nid, t('Any replies to this comment will be lost. This action cannot be undone.'), t('Delete')); @@ -992,7 +995,7 @@ function comment_delete($cid) { function comment_save($id, $edit) { db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id); - watchdog('content', t('Comment: modified %subject.', array('%subject' => ''. $edit['subject'] .''))); + watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject'])))); drupal_set_message(t('The comment has been saved.')); _comment_update_node_statistics($edit['nid']); @@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') { while ($comment = db_fetch_object($result)) { $comment->name = $comment->uid ? $comment->registered_name : $comment->name; $rows[] = array( - l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), + l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), format_name($comment), ($comment->status == 0 ? t('Published') : t('Not published')), format_date($comment->timestamp, 'small'), @@ -1624,7 +1627,7 @@ function theme_comment_post_forbidden() { function _comment_delete_thread($comment) { // Delete the comment: db_query('DELETE FROM {comments} WHERE cid = %d', $comment->cid); - watchdog('content', t('Comment: deleted %subject.', array('%subject' => "$comment->subject"))); + watchdog('content', t('Comment: deleted %subject.', array('%subject' => theme('placeholder', $comment->subject)))); module_invoke_all('comment', 'delete', $comment); diff --git a/modules/comment/comment.module b/modules/comment/comment.module index a22da2242e41..876e89bff1f8 100644 --- a/modules/comment/comment.module +++ b/modules/comment/comment.module @@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) { $text = ''; $comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid); while ($comment = db_fetch_object($comments)) { - $text .= '

'. $comment->subject .'

'. check_output($comment->comment, $comment->format); + $text .= '

'. check_plain($comment->subject) .'

'. check_output($comment->comment, $comment->format); } return $text; @@ -431,9 +431,12 @@ function comment_validate_form($edit) { // Validate the comment's subject. If not specified, extract // one from the comment's body. - $edit['subject'] = strip_tags($edit['subject']); - if ($edit['subject'] == '') { - $edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE); + if (trim($edit['subject']) == '') { + // The body may be in any format, so we: + // 1) Filter it into HTML + // 2) Strip out all HTML tags + // 3) Convert entities back to plain-text. + $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE); } // Validate the comment's body. @@ -450,7 +453,7 @@ function comment_validate_form($edit) { if (!$user->uid) { if (variable_get('comment_anonymous', 0) > 0) { if ($edit['name']) { - $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0); + $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0); if ($taken != 0) { form_set_error('name', t('The name you used belongs to a registered user.')); @@ -494,7 +497,7 @@ function comment_preview($edit) { // Attach the user and time information. $comment->uid = $user->uid; $comment->timestamp = time(); - $comment->name = $user->name ? $user->name : $comment->name; + $comment->name = check_plain($user->name ? $user->name : $comment->name); // Preview the comment. $output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1))); @@ -523,7 +526,7 @@ function comment_post($edit) { // validated/filtered data to perform such check. $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0); if ($duplicate != 0) { - watchdog('content', t('Comment: duplicate %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_WARNING); + watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } if ($edit['cid']) { @@ -538,7 +541,7 @@ function comment_post($edit) { module_invoke_all('comment', 'update', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: updated %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } else { // Add the comment to database. @@ -641,7 +644,7 @@ function comment_post($edit) { module_invoke_all('comment', 'insert', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: added %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } // Clear the cache so an anonymous user can see his comment being added. @@ -662,7 +665,7 @@ function comment_post($edit) { } } else { - watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => ''. $edit['subject'] .'')), WATCHDOG_WARNING); + watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } } @@ -974,7 +977,7 @@ function comment_delete($cid) { } else if ($comment->cid) { $output = theme('confirm', - t('Are you sure you want to delete the comment %title?', array('%title' => ''. $comment->subject .'')), + t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))), 'node/'. $comment->nid, t('Any replies to this comment will be lost. This action cannot be undone.'), t('Delete')); @@ -992,7 +995,7 @@ function comment_delete($cid) { function comment_save($id, $edit) { db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id); - watchdog('content', t('Comment: modified %subject.', array('%subject' => ''. $edit['subject'] .''))); + watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject'])))); drupal_set_message(t('The comment has been saved.')); _comment_update_node_statistics($edit['nid']); @@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') { while ($comment = db_fetch_object($result)) { $comment->name = $comment->uid ? $comment->registered_name : $comment->name; $rows[] = array( - l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), + l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), format_name($comment), ($comment->status == 0 ? t('Published') : t('Not published')), format_date($comment->timestamp, 'small'), @@ -1624,7 +1627,7 @@ function theme_comment_post_forbidden() { function _comment_delete_thread($comment) { // Delete the comment: db_query('DELETE FROM {comments} WHERE cid = %d', $comment->cid); - watchdog('content', t('Comment: deleted %subject.', array('%subject' => "$comment->subject"))); + watchdog('content', t('Comment: deleted %subject.', array('%subject' => theme('placeholder', $comment->subject)))); module_invoke_all('comment', 'delete', $comment); diff --git a/modules/contact.module b/modules/contact.module index 627f6ca3aa70..b86989963814 100644 --- a/modules/contact.module +++ b/modules/contact.module @@ -88,7 +88,7 @@ function contact_mail_user() { // Tidy up the body: foreach ($message as $key => $value) { - $message[$key] = wordwrap(strip_tags($value)); + $message[$key] = wordwrap(check_plain($value)); } // Prepare all fields: diff --git a/modules/contact/contact.module b/modules/contact/contact.module index 627f6ca3aa70..b86989963814 100644 --- a/modules/contact/contact.module +++ b/modules/contact/contact.module @@ -88,7 +88,7 @@ function contact_mail_user() { // Tidy up the body: foreach ($message as $key => $value) { - $message[$key] = wordwrap(strip_tags($value)); + $message[$key] = wordwrap(check_plain($value)); } // Prepare all fields: diff --git a/modules/drupal.module b/modules/drupal.module index 9158221bfdd3..08add863ca40 100644 --- a/modules/drupal.module +++ b/modules/drupal.module @@ -95,7 +95,7 @@ function drupal_directory_ping($arguments) { db_query("DELETE FROM {directory} WHERE link = '%s' OR mail = '%s'", $link, $mail); db_query("INSERT INTO {directory} (link, name, mail, slogan, mission, timestamp) VALUES ('%s', '%s', '%s', '%s', '%s', %d)", $link, $name, $mail, $slogan, $mission, time()); - watchdog('directory ping', t('Ping from %name (%link).', array('%name' => "$name", '%link' => "$link")), WATCHDOG_NOTICE, "view"); + watchdog('directory ping', t('Ping from %name (%link).', array('%name' => theme('placeholder', $name), '%link' => theme('placeholder', $link))), WATCHDOG_NOTICE, 'view'); return new xmlrpcresp(new xmlrpcval(1, 'int')); } @@ -143,7 +143,7 @@ function drupal_notify($server) { $result = $client->send($message, 5); if (!$result || $result->faultCode()) { - watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => ''. $url["host"] .'', '%path' => ''. $url["path"] .'', '%error' => ''. $result->faultString() .'')), WATCHDOG_WARNING); + watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => theme('placeholder', $url['host']), '%path' => theme('placeholder', $url['path']), '%error' => theme('placeholder', $result->faultString()))), WATCHDOG_WARNING); } } diff --git a/modules/drupal/drupal.module b/modules/drupal/drupal.module index 9158221bfdd3..08add863ca40 100644 --- a/modules/drupal/drupal.module +++ b/modules/drupal/drupal.module @@ -95,7 +95,7 @@ function drupal_directory_ping($arguments) { db_query("DELETE FROM {directory} WHERE link = '%s' OR mail = '%s'", $link, $mail); db_query("INSERT INTO {directory} (link, name, mail, slogan, mission, timestamp) VALUES ('%s', '%s', '%s', '%s', '%s', %d)", $link, $name, $mail, $slogan, $mission, time()); - watchdog('directory ping', t('Ping from %name (%link).', array('%name' => "$name", '%link' => "$link")), WATCHDOG_NOTICE, "view"); + watchdog('directory ping', t('Ping from %name (%link).', array('%name' => theme('placeholder', $name), '%link' => theme('placeholder', $link))), WATCHDOG_NOTICE, 'view'); return new xmlrpcresp(new xmlrpcval(1, 'int')); } @@ -143,7 +143,7 @@ function drupal_notify($server) { $result = $client->send($message, 5); if (!$result || $result->faultCode()) { - watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => ''. $url["host"] .'', '%path' => ''. $url["path"] .'', '%error' => ''. $result->faultString() .'')), WATCHDOG_WARNING); + watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => theme('placeholder', $url['host']), '%path' => theme('placeholder', $url['path']), '%error' => theme('placeholder', $result->faultString()))), WATCHDOG_WARNING); } } diff --git a/modules/filter.module b/modules/filter.module index 74e95e079c53..2fa406d75ed0 100644 --- a/modules/filter.module +++ b/modules/filter.module @@ -60,9 +60,9 @@ function filter_filter_tips($delta, $format, $long = false) { if ($allowed_html = variable_get("allowed_html_$format", '
'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."
\n"; - if ($title = drupal_get_title()) { + if ($title) { $output .= theme("breadcrumb", drupal_get_breadcrumb()); $output .= "

$title

"; } @@ -107,7 +109,7 @@ function chameleon_node($node, $main = 0, $page = 0) { $output = "
\n"; if (!$page) { - $output .= "

". ($main ? l($node->title, "node/$node->nid") : $node->title) ."

\n"; + $output .= "

". ($main ? l($node->title, "node/$node->nid") : check_plain($node->title)) ."

\n"; } $output .= "
\n"; diff --git a/themes/engines/xtemplate/xtemplate.engine b/themes/engines/xtemplate/xtemplate.engine index 0a5a16a43e93..c7bb12d18328 100644 --- a/themes/engines/xtemplate/xtemplate.engine +++ b/themes/engines/xtemplate/xtemplate.engine @@ -45,7 +45,7 @@ function xtemplate_node($node, $main = 0, $page = 0) { array("%a" => format_name($node), "%b" => format_date($node->created))) : '', "link" => url("node/$node->nid"), - "title" => $node->title, + "title" => check_plain($node->title), "author" => format_name($node), "date" => format_date($node->created), "sticky" => ($main && $node->sticky) ? 'sticky' : '', @@ -116,7 +116,7 @@ function xtemplate_page($content) { $xtemplate->template->assign(array( "language" => $GLOBALS['locale'], - "head_title" => (drupal_get_title() ? drupal_get_title() ." | ". variable_get("site_name", "drupal") : variable_get("site_name", "drupal") ." | ". variable_get("site_slogan", "")), + "head_title" => (drupal_get_title() ? strip_tags(drupal_get_title()) ." | ". variable_get("site_name", "drupal") : variable_get("site_name", "drupal") ." | ". variable_get("site_slogan", "")), "head" => drupal_get_html_head(), "styles" => theme_get_styles(), "onload_attributes" => theme_onload_attribute(),