diff --git a/includes/common.inc b/includes/common.inc
index 264992f0d35..b67350b9aea 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -945,7 +945,7 @@ function format_name($object) {
 $name = $object->name;
 }
- $output = l($name, 'user/'. $object->uid, array('title' => t('View user profile.')));
+ $output = l(check_plain($name), 'user/'. $object->uid, array('title' => t('View user profile.')));
 }
 else if ($object->name) {
 // Sometimes modules display content composed by people who are
@@ -953,10 +953,10 @@ function format_name($object) {
 // aggregator modules). This clause enables modules to display
 // the true author of the content.
 if ($object->homepage) {
- $output = ''. $object->name .'';
+ $output = ''. check_plain($object->name) .'';
 }
 else {
- $output = $object->name;
+ $output = check_plain($object->name);
 }
 $output .= ' ('. t('not verified') .')';
diff --git a/modules/book.module b/modules/book.module
index 228ea14ba27..d03c0ef98b8 100644
--- a/modules/book.module
+++ b/modules/book.module
@@ -412,7 +412,7 @@ function book_view(&$node, $teaser = FALSE, $page = FALSE) {
 $node = book_content($node, $teaser);
 if (!$teaser && $node->moderate) {
- $node->body .= '
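Review bot: The escaping on the added `l(check_plain($name), …)` line is correct only if `l()` does not already escape the text it is handed; if `l()` itself runs check_plain() on its first argument, a name containing `&` or `<` renders double-encoded (`&amp;amp;`). That is worth confirming against the body of `l()`, which is outside this hunk, and recording at the call site with `// $name is raw user input; l() receives the already-escaped form.` The function's docblock, above the hunk, should also now state that format_name() returns HTML-safe markup which callers print without further escaping, since that contract is what this commit changes.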
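Review bot: Only `$object->name` gains check_plain() on the added line inside `if ($object->homepage)`; the empty `''.` concatenations around it look like an anchor tag that the rendering stripped, so `$object->homepage` itself appears to be emitted untreated. If that value is placed in an `href`, an attribute-closing quote or a non-HTTP scheme in it bypasses the name escaping entirely, and it needs `check_url($object->homepage)` in the same change. The comment on the context lines says this branch shows unverified third-party authors, which makes it the branch most worth tightening.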
'. t('Log') .':
'. $node->log .'
';
+ $node->body .= '
'. t('Log') .':
'. check_output($node->log, $node->format) .'
';
 }
 }
diff --git a/themes/engines/xtemplate/xtemplate.engine b/themes/engines/xtemplate/xtemplate.engine
index 87f561d1dfa..6cf9d4c17d9 100644
--- a/themes/engines/xtemplate/xtemplate.engine
+++ b/themes/engines/xtemplate/xtemplate.engine
@@ -179,7 +179,7 @@ function xtemplate_page($content, $title = NULL, $breadcrumb = NULL) {
 // only parse the mission block if we are on the frontpage ...
 if ($_GET["q"] == variable_get("site_frontpage", "node") && theme_get_setting('toggle_mission') && ($mission = theme_get_setting('mission'))) {
- $xtemplate->template->assign("mission", $mission);
+ $xtemplate->template->assign("mission", filter_xss($mission));
 $xtemplate->template->parse("header.mission");
 }
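Review bot: Passing the revision log through `check_output($node->log, $node->format)` ties a short free-text field to the body's input format, so every filter that format enables, not just HTML escaping, now runs over the log text as well. `filter_xss($node->log)` would escape it independently of the node's format and matches what the xtemplate hunk does for the mission; if the log is meant to be plain text, `check_plain($node->log)` is narrower still. Whichever is kept, the reason for choosing the node's format belongs on the changed line, e.g. `// Log is rendered with the node's own input format so it is filtered like the body.` The start of book_view() is visible only in the hunk header, so its opening lines are outside this view.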
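Review bot: `filter_xss($mission)` applies the default restricted tag list, so any richer markup an administrator put into the mission setting is stripped; since the value comes from `theme_get_setting('mission')` and is admin-supplied, an admin-level variant (`filter_xss_admin()`, if it exists at this revision) or filter_xss() with an explicit allowed-tag list is the usual fit. The intent should be stated at the call either way, e.g. `// Mission text is admin-entered; strip scripts and unexpected tags before it reaches the template.` The enclosing if closes inside the hunk, but xtemplate_page() continues past it.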