authorDries Buytaert <dries@buytaert.net>2010-05-11 10:49:37 +0000
committerDries Buytaert <dries@buytaert.net>2010-05-11 10:49:37 +0000
commit8b0871244950bd389e82fc38809af09124ba60c3 (patch)
tree20d9a4f0455d2346469addc083f2217ac062d685
parentacb2348bcc9015d9ee88e9a6023b55f2d0289357 (diff)
- Patch #740068 by sun, pwolanin, yoroy: SA-CORE-2010-01 locale module XSS vulnerabilities.
-rw-r--r--modules/locale/locale.admin.inc12
1 files changed, 11 insertions, 1 deletions
diff --git a/modules/locale/locale.admin.inc b/modules/locale/locale.admin.inc
index a2ac18753..da4dcc35d 100644
--- a/modules/locale/locale.admin.inc
+++ b/modules/locale/locale.admin.inc
@@ -337,13 +337,23 @@ function locale_languages_predefined_form_submit($form, &$form_state) {
}
$form_state['redirect'] = 'admin/config/regional/language';
- return;
}
/**
* Validate the language editing form. Reused for custom language addition too.
*/
function locale_languages_edit_form_validate($form, &$form_state) {
+ // Ensure sane field values for langcode, name, and native.
+ if (!isset($form['langcode_view']) && preg_match('@[^a-zA-Z_-]@', $form_state['values']['langcode'])) {
+ form_set_error('langcode', t('%field may only contain characters a-z, underscores, or hyphens.', array('%field' => $form['langcode']['#title'])));
+ }
+ if ($form_state['values']['name'] != check_plain($form_state['values']['name'])) {
+ form_set_error('name', t('%field cannot contain any markup.', array('%field' => $form['name']['#title'])));
+ }
+ if ($form_state['values']['native'] != check_plain($form_state['values']['native'])) {
+ form_set_error('native', t('%field cannot contain any markup.', array('%field' => $form['native']['#title'])));
+ }
+
if (!empty($form_state['values']['domain']) && !empty($form_state['values']['prefix'])) {
form_set_error('prefix', t('Domain and path prefix values should not be set at the same time.'));
}
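Review bot: The added name/native checks (lines 33–38) only gate submissions that pass through this form's validator, so rows already stored before this patch, or languages added programmatically rather than via this form, never hit them; the render sites must still escape these values and the comment at line 29 should say so, e.g. `// Defence in depth only: existing rows and non-form additions are not filtered here, so every render site must still escape name/native.` The rejection relies on `check_plain()` altering the string, which presumably also rejects invalid UTF-8 if it returns an empty string in that case — worth confirming, since that changes which inputs get refused. Both comparisons use loose `!=`; `if ($form_state['values']['name'] !== check_plain($form_state['values']['name']))` avoids PHP's numeric-string coercion on two strings. The langcode error text says "a-z" while the pattern `@[^a-zA-Z_-]@` also accepts uppercase; either tighten the pattern or reword the message. The enclosing function continues past the end of this hunk.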