author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-04-29 22:36:42 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-04-29 22:36:42 +0000 |
commit | 0bb511223945884f871756165bd5d861d14ea1c4 (patch) | |
tree | bba542e741f72f0bd27619776e28debaa88f69eb | |
parent | 16cb95557ddfaf134e25aa08cb8b6ef36e1f6d2b (diff) | |
#356908 by andypost and yched: Run field prefixes and suffixes through field_filter_xss() rather than check_plain() to prevent funny characters.
-rw-r--r-- | modules/field/modules/number/number.module | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/modules/field/modules/number/number.module b/modules/field/modules/number/number.module
index fba9accd0..799853c5b 100644
--- a/modules/field/modules/number/number.module
+++ b/modules/field/modules/number/number.module
@@ -183,8 +183,8 @@ function theme_field_formatter_number($element) {
 $output = number_format($value, $settings['scale'], $settings['decimal_separator'], $settings['thousand_separator']);
 if ($settings['prefix_suffix']) {
- $prefixes = isset($instance['settings']['prefix']) ? explode('|', check_plain($instance['settings']['prefix'])) : array(0 => '');
- $suffixes = isset($instance['settings']['suffix']) ? explode('|', check_plain($instance['settings']['suffix'])) : array(0 => '');
+ $prefixes = isset($instance['settings']['prefix']) ? array_map('field_filter_xss', explode('|', $instance['settings']['prefix'])) : array('');
+ $suffixes = isset($instance['settings']['suffix']) ? array_map('field_filter_xss', explode('|', $instance['settings']['suffix'])) : array('');
 $prefix = (count($prefixes) > 1) ? format_plural($value, $prefixes[0], $prefixes[1]) : $prefixes[0];
 $suffix = (count($suffixes) > 1) ? format_plural($value, $suffixes[0], $suffixes[1]) : $suffixes[0];
 $output = $prefix . $output . $suffix;
@@ -323,11 +323,11 @@ function number_process($element, $form_state, $form) {
 if (!empty($instance['settings']['prefix'])) {
 $prefixes = explode('|', $instance['settings']['prefix']);
- $element[$field_key]['#field_prefix'] = array_pop($prefixes);
+ $element[$field_key]['#field_prefix'] = field_filter_xss(array_pop($prefixes));
 }
 if (!empty($instance['settings']['suffix'])) {
 $suffixes = explode('|', $instance['settings']['suffix']);
- $element[$field_key]['#field_suffix'] = array_pop($suffixes);
+ $element[$field_key]['#field_suffix'] = field_filter_xss(array_pop($suffixes));
 }
 // Make sure we don't wipe out element validation added elsewhere. |
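Review bot: In theme_field_formatter_number() the filtering runs before format_plural(), so the string finally concatenated into `$output` is whatever format_plural() returns, not the value field_filter_xss() checked. If format_plural() can substitute a translated string for the configured one (it appears to treat its arguments as translatable text), that substitute reaches the page unfiltered. Filtering once as the last step would close that gap: `$prefix = field_filter_xss((count($prefixes) > 1) ? format_plural($value, $prefixes[0], $prefixes[1]) : $prefixes[0]);` and the same for `$suffix`, with `explode()` applied to the raw setting. The function body starts and ends outside the hunk.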
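Review bot: The two assignments in number_process() need a comment saying why the value is filtered, because nothing in the hunk shows that `#field_prefix` and `#field_suffix` are emitted as markup rather than escaped text. Presumably they are, which is what made the unfiltered `array_pop()` value a stored-markup risk. Something like `// #field_prefix/#field_suffix are printed as HTML, so filter the configured value.` above each assignment would do. The widget also takes the last `|`-separated piece while the formatter in the first hunk uses index 0 or 1, so a setting with more than two pieces renders differently in the two places; a shared helper would keep selection and filtering in one spot. The function continues outside the hunk.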