author | Steven Wittens <steven@10.no-reply.drupal.org> | 2006-12-29 08:35:04 +0000 |
---|---|---|
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2006-12-29 08:35:04 +0000 |
commit | c231ce312dd1b7a6d29177d9f2d1175fc01fdf51 (patch) | |
tree | f40b071e4b1563c7e1fc5a8d6699c169897ff0a5 | |
parent | f46f6abeaef6232f07ebe46cbb7a9180fc7ef778 (diff) | |
download | brdo-c231ce312dd1b7a6d29177d9f2d1175fc01fdf51.tar.gz brdo-c231ce312dd1b7a6d29177d9f2d1175fc01fdf51.tar.bz2 |
#97640: Do not xss filter locale strings on import or edit.
-rw-r--r-- | includes/locale.inc | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/includes/locale.inc b/includes/locale.inc
index 14c0929ce..bb25d02fa 100644
--- a/includes/locale.inc
+++ b/includes/locale.inc
@@ -422,7 +422,6 @@ function _locale_string_edit($lid) {
 function _locale_string_edit_submit($form_id, $form_values) {
 $lid = $form_values['lid'];
 foreach ($form_values['translations'] as $key => $value) {
-$value = str_replace('&', '&', filter_xss_admin($value));
 $trans = db_fetch_object(db_query("SELECT translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $key));
 if (isset($trans->translation)) {
 db_query("UPDATE {locales_target} SET translation = '%s' WHERE lid = %d AND locale = '%s'", $value, $lid, $key);
@@ -714,7 +713,7 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
 // Some real string to import
 else {
-$comments = filter_xss_admin(_locale_import_shorten_comments($value['#']));
+$comments = _locale_import_shorten_comments($value['#']);
 // Handle a translation for some plural string
 if (strpos($value['msgid'], "\0")) {
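Review bot: Once filter_xss_admin() is dropped from the foreach in _locale_string_edit_submit(), the submitted translation is written to locales_target exactly as received, so everything that later renders a stored translation outside of t() — the locale edit form and the translation listing in particular — now depends entirely on output-time escaping that this hunk does not show. It would be worth confirming those display paths escape the value (check_plain() or the form API's handling of textarea default values), since after this change no sanitizing happens anywhere on the way in. The db_query() placeholders still protect the SQL statement itself, so the concern is only the HTML side. The body of _locale_string_edit_submit() continues past the end of the hunk.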
@@ -736,11 +735,11 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
 db_query("UPDATE {locales_source} SET location = '%s' WHERE lid = %d", $comments, $lid);
 $trans2 = db_fetch_object(db_query("SELECT lid, translation, plid, plural FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
 if (!$trans2->lid) { // no translation in current language
-db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
+db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
 $additions++;
 } // translation exists
 else if ($mode == 'overwrite' || $trans2->translation == '') {
-db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", filter_xss_admin($trans), $plid, $key, $lang, $lid);
+db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", $trans, $plid, $key, $lang, $lid);
 if ($trans2->translation == '') {
 $additions++;
 }
@@ -750,10 +749,10 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
 }
 }
 else { // no string
-db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, filter_xss_admin($english[$key]));
+db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, english[$key]);
 $loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english[$key]));
 $lid = $loc->lid;
-db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
+db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
 if ($trans != '') {
 $additions++;
 }
@@ -773,11 +772,11 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
 db_query("UPDATE {locales_source} SET location = '%s' WHERE source = '%s'", $comments, $english);
 $trans = db_fetch_object(db_query("SELECT lid, translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
 if (!$trans->lid) { // no translation in current language
-db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
+db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
 $additions++;
 } // translation exists
 else if ($mode == 'overwrite') { //overwrite in any case
-db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", filter_xss_admin($translation), $lang, $lid);
+db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", $translation, $lang, $lid);
 if ($trans->translation == '') {
 $additions++;
 }
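Review bot: The first added line of the -750 hunk passes `english[$key]` to the locales_source INSERT — the `$` sigil was lost when the filter_xss_admin() wrapper was removed — whereas the SELECT on the very next line correctly reads `$english[$key]`. As written that is a bareword `english` being subscripted, not the plural source string, so on the PHP versions this code targets it is most likely a parse error and at best inserts the wrong source text for every plural string imported through this branch. The line should be `db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english[$key]);`. The other hunks in this commit keep the `$` and need no change; the enclosing foreach and its else branch start and end outside the hunk.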
@@ -794,7 +793,7 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
 db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english);
 $loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english));
 $lid = $loc->lid;
-db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
+db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
 if ($translation != '') {
 $additions++;
 }