author | Dries Buytaert <dries@buytaert.net> | 2011-05-01 06:37:52 -0400 |
committer | Dries Buytaert <dries@buytaert.net> | 2011-05-01 06:37:52 -0400 |
commit | d96bf5d808877830216c371e016a43a59ecf5857 (patch) | |
tree | 2acc318c9c683aef67b11e0ed06297f0c643a8b1 | |
parent | 585a2b96682e8e48bcc3581bf486ff2459c0cb4f (diff) | |
- Patch #852120 by cygri: batch operations example doesn't do proper sanitizing.
-rw-r--r-- | includes/form.inc | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/includes/form.inc b/includes/form.inc
index c0163ca68..3f83b8e3d 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -4015,7 +4015,9 @@ function _form_set_class(&$element, $class = array()) {
 * Note: if the batch 'title', 'init_message', 'progress_message', or
 * 'error_message' could contain any user input, it is the responsibility of
 * the code calling batch_set() to sanitize them first with a function like
- * check_plain() or filter_xss().
+ * check_plain() or filter_xss(). Furthermore, if the batch operation
+ * returns any user input in the 'results' or 'message' keys of $context,
+ * it must also sanitize them first.
 *
 * Sample batch operations:
 * @code
@@ -4038,8 +4040,8 @@ function _form_set_class(&$element, $class = array()) {
 * // and the batch processing can continue to the next operation.
 *
 * $node = node_load(array('uid' => $uid, 'type' => $type));
- * $context['results'][] = $node->nid . ' : ' . $node->title;
- * $context['message'] = $node->title;
+ * $context['results'][] = $node->nid . ' : ' . check_plain($node->title);
+ * $context['message'] = check_plain($node->title);
 * }
 *
 * // More advanced example: multi-step operation - load all nodes, five by five
@@ -4058,10 +4060,10 @@ function _form_set_class(&$element, $class = array()) {
 * ->execute();
 * foreach ($result as $row) {
 * $node = node_load($row->nid, NULL, TRUE);
- * $context['results'][] = $node->nid . ' : ' . $node->title;
+ * $context['results'][] = $node->nid . ' : ' . check_plain($node->title);
 * $context['sandbox']['progress']++;
 * $context['sandbox']['current_node'] = $node->nid;
- * $context['message'] = $node->title;
+ * $context['message'] = check_plain($node->title);
 * }
 * if ($context['sandbox']['progress'] != $context['sandbox']['max']) {
 * $context['finished'] = $context['sandbox']['progress'] / $context['sandbox']['max']; |
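Review bot: The sentence added to the batch_set() docblock in the first hunk says the 'results' and 'message' values must be sanitized "first" but does not say for which output context, and escaping at storage time carries a double-escaping hazard for 'results'. The 'message' value is presumably rendered as HTML on the batch progress page, so check_plain() there matches its output context; 'results', however, is only consumed by the caller's own 'finished' callback, and if that callback later passes the stored strings through t() with @/% placeholders or another escaping step they will be escaped twice. I would extend the sentence to `it must also sanitize them first, and the 'finished' callback must then treat the stored 'results' values as already-escaped HTML (i.e. not pass them through t() placeholders or check_plain() again).` The same storage-time escaping pattern is what the sample code in the second and third hunks now demonstrates, so the caveat applies to all three; the enclosing docblock starts and ends outside every hunk.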