author | Steven Wittens <steven@10.no-reply.drupal.org> | 2005-03-31 09:25:33 +0000 |
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2005-03-31 09:25:33 +0000 |
commit | be14203534c5f09d0c70c2bf59b81b80f2a90b32 (patch) | |
tree | a489b0bdda01f9de5deba514bcffd3dce16b59ed /includes | |
parent | 99233a9c991635e801aebc276e4e2975b6ba9e20 (diff) | |
download | brdo-be14203534c5f09d0c70c2bf59b81b80f2a90b32.tar.gz brdo-be14203534c5f09d0c70c2bf59b81b80f2a90b32.tar.bz2 |
- #18817: Clean up plain-text checking (see drupal-devel!)
Diffstat (limited to 'includes')
-rw-r--r-- | includes/bootstrap.inc | 12 | ||||
-rw-r--r-- | includes/common.inc | 72 | ||||
-rw-r--r-- | includes/file.inc | 8 | ||||
-rw-r--r-- | includes/locale.inc | 52 | ||||
-rw-r--r-- | includes/pager.inc | 6 | ||||
-rw-r--r-- | includes/tablesort.inc | 4 | ||||
-rw-r--r-- | includes/theme.inc | 22 |
7 files changed, 92 insertions, 84 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 509779049..3ec573846 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -393,7 +393,7 @@ function drupal_get_title() { if (!isset($title)) { // during a bootstrap, menu.inc is not included and thus we cannot provide a title if (function_exists('menu_get_active_title')) { - $title = menu_get_active_title(); + $title = check_plain(menu_get_active_title()); } } @@ -509,7 +509,7 @@ function drupal_unpack($obj, $field = 'data') { */ function referer_uri() { if (isset($_SERVER['HTTP_REFERER'])) { - return check_url($_SERVER['HTTP_REFERER']); + return $_SERVER['HTTP_REFERER']; } } @@ -537,14 +537,14 @@ function arg($index) { } /** - * Prepare user input for use in a URI. + * Prepare a URL for use in an HTML attribute. * - * We replace ( and ) with their entity equivalents to prevent XSS attacks. + * We replace ( and ) with their url-encoded equivalents to prevent XSS attacks. */ function check_url($uri) { $uri = htmlspecialchars($uri, ENT_QUOTES); - $uri = strtr($uri, array('(' => '&040;', ')' => '&041;')); + $uri = strtr($uri, array('(' => '%28', ')' => '%29')); return $uri; } @@ -567,7 +567,7 @@ function request_uri() { } } - return check_url($uri); + return $uri; } /** diff --git a/includes/common.inc b/includes/common.inc index f3abbac85..b6a8807c8 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -173,8 +173,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { extract(parse_url($_REQUEST['edit']['destination'])); } - // Translate & to simply & in the absolute URL. - $url = str_replace('&', '&', url($path, $query, $fragment, TRUE)); + $url = url($path, $query, $fragment, TRUE); if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) { $sid = session_name() . '=' . session_id(); 
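Review bot: referer_uri() now returns the raw `$_SERVER['HTTP_REFERER']` with no escaping, so every caller that prints it must apply check_url() itself, and nothing in the docblock says so; the same applies to request_uri() in the `@@ -567,7` hunk, where `return $uri;` replaces `return check_url($uri);`. Both values presumably originate from the request, so I would state the contract where the docblock ends in the hunk: `Returns the referer exactly as sent by the client; pass it through check_url() before placing it in HTML.` The start of referer_uri's docblock is outside the hunk.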
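Review bot: The rewritten docblock says check_url() prevents XSS, but the body only HTML-escapes the string and percent-encodes parentheses; it does not inspect the URL scheme, so a URL whose scheme carries script still passes through with nothing but entity escaping applied. I would narrow the comment so callers do not treat the function as a validator: `Escape a URL for placement in an HTML attribute. This does not validate the URL or its scheme; callers must not rely on it as a whitelist.` The `%28`/`%29` substitution runs after htmlspecialchars(), which is fine since neither character is touched by that call.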
@@ -203,7 +202,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { */ function drupal_not_found() { header('HTTP/1.0 404 Not Found'); - watchdog('page not found', t('%page not found.', array('%page' => '<em>'. db_escape_string($_GET['q']) .'</em>')), WATCHDOG_WARNING); + watchdog('page not found', t('%page not found.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING); $path = drupal_get_normal_path(variable_get('site_404', '')); $status = MENU_NOT_FOUND; @@ -223,7 +222,7 @@ function drupal_not_found() { */ function drupal_access_denied() { header('HTTP/1.0 403 Forbidden'); - watchdog('access denied', t('%page denied access.', array('%page' => '<em>'. db_escape_string($_GET['q']) .'</em>')), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); + watchdog('access denied', t('%page denied access.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); $path = drupal_get_normal_path(variable_get('site_403', '')); $status = MENU_NOT_FOUND; @@ -549,15 +548,10 @@ function t($string, $args = 0) { } /** - * Encode special characters in a string for display as HTML. - * - * Note that we'd like to use htmlspecialchars($input, $quotes, 'utf-8') - * as outlined in the PHP manual, but we can't because there's a bug in - * PHP < 4.3 that makes it mess up multibyte charsets if we specify the - * charset. This will be changed later once we make PHP 4.3 a requirement. + * Encode special characters in a plain-text string for display as HTML. */ -function drupal_specialchars($input, $quotes = ENT_NOQUOTES) { - return htmlspecialchars($input, $quotes); +function check_plain($text) { + return htmlspecialchars($text, ENT_QUOTES); } /** 
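Review bot: check_plain() drops the explanation of why no charset is passed to htmlspecialchars(), yet the new call still omits it; the reason given in the removed lines (the PHP < 4.3 multibyte bug) should survive in the docblock, otherwise a later maintainer cannot tell whether adding the `'utf-8'` argument is safe. Since this function becomes the single escaping primitive for the codebase, I would also state the output contract: `Output is safe for HTML text and for single- or double-quoted attribute values (ENT_QUOTES); it is not sufficient for URL or JavaScript contexts, use check_url() for URLs.`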
@@ -642,7 +636,7 @@ function valid_input_data($data) { $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data); if ($match) { - watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => '<em>'. drupal_specialchars($data) .'</em>'))); + watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => theme('placeholder', $data)))); return FALSE; } } @@ -680,10 +674,6 @@ function flood_is_allowed($name, $threshold) { return ($number < $threshold ? TRUE : FALSE); } -function check_form($text) { - return drupal_specialchars($text, ENT_QUOTES); -} - function check_file($filename) { return is_uploaded_file($filename); } @@ -703,12 +693,12 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en // arbitrary elements may be added using the $args associative array $output = "<channel>\n"; - $output .= ' <title>'. drupal_specialchars(strip_tags($title)) ."</title>\n"; - $output .= ' <link>'. drupal_specialchars(strip_tags($link)) ."</link>\n"; - $output .= ' <description>'. drupal_specialchars(strip_tags($description)) ."</description>\n"; - $output .= ' <language>'. drupal_specialchars(strip_tags($language)) ."</language>\n"; + $output .= ' <title>'. check_plain($title) ."</title>\n"; + $output .= ' <link>'. check_url($link) ."</link>\n"; + $output .= ' <description>'. check_plain($description) ."</description>\n"; + $output .= ' <language>'. check_plain($language) ."</language>\n"; foreach ($args as $key => $value) { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."</$key>\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."</$key>\n"; } $output .= $items; $output .= "</channel>\n"; 
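Review bot: format_rss_channel() replaces `drupal_specialchars(strip_tags($title))` with `check_plain($title)`, so a title, description or language value that contains markup is now shown as literal escaped tags in the feed instead of having the tags removed; callers that pass HTML-bearing values will notice, and the same change is made in format_rss_item() on the next hunk. Unless every caller is known to pass plain text, I would either keep the stripping inside the call, `check_plain(strip_tags($title))`, or document in the docblock (outside the hunk) that all parameters are plain text. The element name `$key` in `' <'. $key .'>'` remains unescaped, which is only acceptable while `$args` keys come from module code rather than user data.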
@@ -723,9 +713,9 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en */ function format_rss_item($title, $link, $description, $args = array()) { $output = "<item>\n"; - $output .= ' <title>'. drupal_specialchars(strip_tags($title)) ."</title>\n"; - $output .= ' <link>'. drupal_specialchars(strip_tags($link)) ."</link>\n"; - $output .= ' <description>'. drupal_specialchars($description) ."</description>\n"; + $output .= ' <title>'. check_plain($title) ."</title>\n"; + $output .= ' <link>'. check_url($link) ."</link>\n"; + $output .= ' <description>'. check_plain($description) ."</description>\n"; foreach ($args as $key => $value) { if (is_array($value)) { if ($value['key']) { @@ -743,7 +733,7 @@ function format_rss_item($title, $link, $description, $args = array()) { } } else { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."</$key>\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."</$key>\n"; } } $output .= "</item>\n"; 
@@ -1212,7 +1202,7 @@ function form_checkboxes($title, $name, $values, $options, $description = NULL, */ function form_textfield($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '<input type="text" maxlength="'. $maxlength .'" class="'. _form_get_class('form-text', $required, _form_get_error($name)) .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_form($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '<input type="text" maxlength="'. $maxlength .'" class="'. _form_get_class('form-text', $required, _form_get_error($name)) .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_plain($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** 
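Review bot: In form_textfield() only `$value` is escaped while `$name`, `$maxlength` and `$size` are concatenated into attributes as-is; the same asymmetry is in the form_password() and form_textarea() hunks that follow. That is fine as long as those arguments come from module code, but the docblock does not say so; I would add `@param $name Form element name supplied by code; it is inserted into HTML attributes unescaped.` or escape it with `check_plain($name)` for symmetry. form_textfield's docblock starts outside the hunk.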
@@ -1239,7 +1229,7 @@ function form_textfield($title, $name, $value, $size, $maxlength, $description = */ function form_password($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '<input type="password" class="'. _form_get_class('form-password', $required, _form_get_error($name)) .'" maxlength="'. $maxlength .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_form($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '<input type="password" class="'. _form_get_class('form-password', $required, _form_get_error($name)) .'" maxlength="'. $maxlength .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_plain($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1275,7 +1265,7 @@ function form_textarea($title, $name, $value, $cols, $rows, $description = NULL, } } - $output .= theme('form_element', $title, '<textarea wrap="virtual"'. $cols .' rows="'. $rows .'" name="edit['. $name .']" id="edit-'. $name .'" class="'. _form_get_class('textarea', $required, _form_get_error($name)) .'"'. drupal_attributes($attributes) .'>'. check_form($value) .'</textarea>', $description, 'edit-'. $name, $required, _form_get_error($name)); + $output .= theme('form_element', $title, '<textarea wrap="virtual"'. $cols .' rows="'. $rows .'" name="edit['. $name .']" id="edit-'. $name .'" class="'. _form_get_class('textarea', $required, _form_get_error($name)) .'"'. drupal_attributes($attributes) .'>'. check_plain($value) .'</textarea>', $description, 'edit-'. $name, $required, _form_get_error($name)); // e.g. optionally plug in a WYSIWYG editor foreach (module_list() as $module_name) { 
@@ -1321,12 +1311,12 @@ function form_select($title, $name, $value, $options, $description = NULL, $extr if (is_array($choice)) { $select .= '<optgroup label="'. $key .'">'; foreach ($choice as $key => $choice) { - $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_form($choice) .'</option>'; + $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_plain($choice) .'</option>'; } $select .= '</optgroup>'; } else { - $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_form($choice) .'</option>'; + $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_plain($choice) .'</option>'; } } return theme('form_element', $title, '<select name="edit['. $name .']'. ($multiple ? '[]' : '') .'"'. ($multiple ? ' multiple="multiple" ' : '') . ($extra ? ' '. $extra : '') .' id="edit-'. $name .'">'. $select .'</select>', $description, 'edit-'. $name, $required, _form_get_error($name)); @@ -1370,7 +1360,7 @@ function form_file($title, $name, $size, $description = NULL, $required = FALSE) * an attacker to change the value before it is submitted. */ function form_hidden($name, $value) { - return '<input type="hidden" name="edit['. $name .']" value="'. check_form($value) ."\" />\n"; + return '<input type="hidden" name="edit['. $name .']" value="'. check_plain($value) ."\" />\n"; } /** 
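Review bot: In form_select() the option text `$choice` is now escaped but the option value and optgroup label `$key` are still written into attributes raw (`'<option value="'. $key .'"'`, `'<optgroup label="'. $key .'">'`), so a key containing a double quote breaks the attribute; `check_plain($key)` in both places would make the escaping consistent with the text. The inner `foreach ($choice as $key => $choice)` also shadows the outer loop's `$key` and `$choice`, which is what makes the escaping state hard to follow here; renaming the inner pair (for example `$optkey`, `$optchoice`) would clarify which value each check_plain() protects. form_select's signature is outside the hunk.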
@@ -1389,7 +1379,7 @@ function form_hidden($name, $value) { * A themed HTML string representing the button. */ function form_button($value, $name = 'op', $type = 'submit', $attributes = NULL) { - return '<input type="'. $type .'" class="form-'. $type .'" name="'. $name .'" value="'. check_form($value) .'" '. drupal_attributes($attributes) ." />\n"; + return '<input type="'. $type .'" class="form-'. $type .'" name="'. $name .'" value="'. check_plain($value) .'" '. drupal_attributes($attributes) ." />\n"; } /** @@ -1476,12 +1466,12 @@ function url($path = NULL, $query = NULL, $fragment = NULL, $absolute = FALSE) { $fragment = '#'. $fragment; } - $base = ($absolute ? $base_url . '/' : ''); + $base = ($absolute ? $base_url .'/' : ''); if (variable_get('clean_url', '0') == '0') { if (isset($path)) { if (isset($query)) { - return $base . $script .'?q='. $path .'&'. $query . $fragment; + return $base . $script .'?q='. $path .'&'. $query . $fragment; } else { return $base . $script .'?q='. $path . $fragment; @@ -1528,7 +1518,7 @@ function drupal_attributes($attributes = array()) { if ($attributes) { $t = array(); foreach ($attributes as $key => $value) { - $t[] = $key .'="'. $value .'"'; + $t[] = $key .'="'. check_plain($value) .'"'; } return ' '. implode($t, ' '); 
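Review bot: drupal_attributes() now passes every attribute value through check_plain(), so callers that already escaped a value, or that pass a URL through check_url() first, will get it double-encoded (`&amp;` becoming `&amp;amp;`); the docblock should state that values are expected as plain text. The attribute name `$key` is still emitted raw, which is acceptable only if names never come from user input, and that is not visible here. I would add `@param $attributes An associative array of attribute name => plain-text value; values are escaped here, names are not.` drupal_attributes' docblock starts outside the hunk.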
@@ -1555,10 +1545,12 @@ function drupal_attributes($attributes = array()) { * @param $absolute * Whether to force the output to be an absolute link (beginning with http:). * Useful for links that will be displayed outside the site, such as in an RSS feed. + * @param $html + * Whether the title is HTML, or just plain-text. * @return * an HTML string containing a link to the given path. */ -function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE) { +function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE, $html = FALSE) { if (drupal_get_normal_path($path) == $_GET['q']) { if (isset($attributes['class'])) { $attributes['class'] .= ' active'; @@ -1567,7 +1559,7 @@ function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $attributes['class'] = 'active'; } } - return '<a href="'. url($path, $query, $fragment, $absolute) .'"'. drupal_attributes($attributes) .'>'. $text .'</a>'; + return '<a href="'. check_url(url($path, $query, $fragment, $absolute)) .'"'. drupal_attributes($attributes) .'>'. ($html ? $text : check_plain($text)) .'</a>'; } /** @@ -1679,7 +1671,7 @@ function drupal_convert_to_utf8($data, $encoding) { $out = @mb_convert_encoding($data, 'utf-8', $encoding); } else if (function_exists('recode_string')) { - $out = @recode_string($encoding . '..utf-8', $data); + $out = @recode_string($encoding .'..utf-8', $data); } else { watchdog('php', t("Unsupported encoding '%s'. Please install iconv, GNU recode or mbstring for PHP.", $encoding), WATCHDOG_ERROR); @@ -1705,7 +1697,7 @@ function drupal_convert_to_utf8($data, $encoding) { * @param $len * An upper limit on the returned string length. * @param $wordsafe - * Flag to truncate at nearest word boundary. Defaults to FALSE. + * Flag to truncate at nearest space. Defaults to FALSE. * @return * The truncated string. */ diff --git a/includes/file.inc b/includes/file.inc index b8bf30b11..18ce0f9d9 100644 
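Review bot: l() now escapes `$text` by default, so every existing caller that passes link text containing markup or already-escaped strings is silently double-escaped until it passes `$html = TRUE`, and the new `@param $html` line mentions neither the default nor this migration impact; the tablesort hunk in this same commit already has to pass `NULL, FALSE, TRUE` positionally to opt out, which shows how easy the positional form is to get wrong. I would expand the parameter doc to `@param $html Whether $text is already HTML (TRUE) or plain text to be escaped (FALSE, the default). Callers that passed HTML before this change must now pass TRUE.`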
--- a/includes/file.inc +++ b/includes/file.inc @@ -76,11 +76,11 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check if directory exists. if (!is_dir($directory)) { if (($mode & FILE_CREATE_DIRECTORY) && @mkdir($directory, 0760)) { - drupal_set_message(t('Created directory %directory.', array('%directory' => "<em>$directory</em>"))); + drupal_set_message(t('Created directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { if ($form_item) { - form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => "<em>$directory</em>"))); + form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => theme('placeholder', $directory)))); } return false; } @@ -89,10 +89,10 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check to see if the directory is writable. if (!is_writable($directory)) { if (($mode & FILE_MODIFY_PERMISSIONS) && @chmod($directory, 0760)) { - drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => "<em>$directory</em>"))); + drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { - form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => "<em>$directory</em>"))); + form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => theme('placeholder', $directory)))); return false; } } diff --git a/includes/locale.inc b/includes/locale.inc index 03e6dd098..77bae2b81 100644 --- a/includes/locale.inc +++ b/includes/locale.inc 
@@ -23,14 +23,14 @@ function _locale_add_language($code, $name, $onlylanguage = TRUE) { // the language addition, we need to inform the user on how to start // a translation if ($onlylanguage) { - $message = t('%locale language added. You can now import a translation. See the <a href="%locale-help">help screen</a> for more information.', array('%locale' => '<em>'. t($name) .'</em>', '%locale-help' => url('admin/help/locale'))); + $message = t('%locale language added. You can now import a translation. See the <a href="%locale-help">help screen</a> for more information.', array('%locale' => theme('placeholder', t($name)), '%locale-help' => url('admin/help/locale'))); } else { - $message = t('%locale language added.', array('%locale' => '<em>'. t($name) .'</em>')); + $message = t('%locale language added.', array('%locale' => theme('placeholder', t($name)))); } drupal_set_message($message); - watchdog('locale', t('%language language (%locale) added.', array('%language' => "<em>$name</em>", '%locale' => "<em>$code</em>"))); + watchdog('locale', t('%language language (%locale) added.', array('%language' => theme('placeholder', $name), '%locale' => theme('placeholder', $code)))); } /** @@ -47,7 +47,7 @@ function _locale_admin_manage_screen() { $status = db_fetch_object(db_query("SELECT isdefault, enabled FROM {locales_meta} WHERE locale = '%s'", $key)); if ($key == 'en') { - $rows[] = array('en', $lang, form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); + $rows[] = array('en', check_plain($lang), form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); } else { $original = db_fetch_object(db_query("SELECT COUNT(*) AS strings FROM {locales_source}")); 
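Review bot: In _locale_add_language() the `%locale-help` href is built from `url('admin/help/locale')` without check_url(), while l() in this same commit now wraps url() output with check_url() before placing it in an href; for consistency I would write `'%locale-help' => check_url(url('admin/help/locale'))`. With a fixed path and no query string this is cosmetic today, but the message is emitted as HTML through drupal_set_message(), so the rule for URLs in attributes should be the same as elsewhere.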
@@ -55,7 +55,7 @@ function _locale_admin_manage_screen() { $ratio = ($original->strings > 0 && $translation->translation > 0) ? round(($translation->translation/$original->strings)*100., 2) : 0; - $rows[] = array($key, ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); + $rows[] = array(check_plain($key), ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); } } @@ -132,7 +132,7 @@ function _locale_import_po($file, $lang, $mode) { // Check if we can get the strings from the file if (!($strings = _locale_import_read_po($file))) { - drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => "<em>$file->filename</em>")), 'error'); + drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } @@ -154,7 +154,7 @@ function _locale_import_po($file, $lang, $mode) { } } else { - drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => "<em>$file->filename</em>")), 'error'); + drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } 
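Review bot: In the `$rows[]` line the ternary's `: $lang` branch still emits the language name unescaped; from the previous hunk this line sits in the `else` of `if ($key == 'en')`, so `$key != 'en'` is always true and that branch is dead, but it is also the one branch that would print raw text if the condition were ever changed. Either drop the ternary and call `form_textfield('', 'name]['. $key, $lang, 15, 64)` directly, or escape it: `: check_plain($lang)`. `$key` is also interpolated into the form name `'name]['. $key` without escaping, which relies on locale codes being code- or admin-controlled.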
@@ -257,7 +257,7 @@ function _locale_import_po($file, $lang, $mode) { menu_rebuild(); drupal_set_message(t('Translation successfully imported. %number translated strings added to language, %update strings updated.', array('%number' => $additions, '%update' => $updates))); - watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => "<em>$file->filename</em>", '%locale' => "<em>$lang</em>", '%number' => $additions, '%update' => $updates))); + watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => theme('placeholder', $file->filename), '%locale' => theme('placeholder', $lang), '%number' => $additions, '%update' => $updates))); return TRUE; } @@ -269,9 +269,10 @@ function _locale_import_po($file, $lang, $mode) { */ function _locale_import_read_po($file) { + $message = theme('placeholder', $file->filename); $fd = fopen($file->filepath, "rb"); if (!$fd) { - drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => "<em>$file->filename</em>")), 'error'); + drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => $message)), 'error'); return FALSE; } $info = fstat($fd); 
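Review bot: The new local `$message` in _locale_import_read_po() holds the `theme('placeholder', $file->filename)` fragment, not a message, so the many `'%filename' => $message` substitutions in this and the following hunks (through `@@ -400,7`) read as if a whole message were being reused. A name matching the placeholder it fills would be clearer: `$filename = theme('placeholder', $file->filename);`. Computing the escaped placeholder once up front is a good change; only the name misleads.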
@@ -303,19 +304,19 @@ function _locale_import_read_po($file) { $context = "COMMENT"; } else { // Parse error - drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } elseif (!strncmp("msgid_plural", $line, 12)) { if ($context != "MSGID") { // Must be plural form for current entry - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 12)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $current["msgid"] ."\0". $quoted; 
@@ -327,13 +328,13 @@ function _locale_import_read_po($file) { $current = array(); } elseif ($context == "MSGID") { // Already in this context? Parse error - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 5)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $quoted; @@ -341,11 +342,11 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr[", $line, 7)) { if (($context != "MSGID") && ($context != "MSGID_PLURAL") && ($context != "MSGSTR_ARR")) { // Must come after msgid, msgid_plural, or msgstr[] - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (strpos($line, "]") === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $frombracket = strstr($line, "["); 
@@ -353,7 +354,7 @@ function _locale_import_read_po($file) { $line = trim(strstr($line, " ")); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"][$plural] = $quoted; @@ -361,13 +362,13 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr", $line, 6)) { if ($context != "MSGID") { // Should come just after a msgid block - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 6)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"] = $quoted; 
@@ -376,7 +377,7 @@ function _locale_import_read_po($file) { elseif ($line != "") { $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (($context == "MSGID") || ($context == "MSGID_PLURAL")) { @@ -389,7 +390,7 @@ function _locale_import_read_po($file) { $current["msgstr"][$plural] .= $quoted; } else { - drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } @@ -400,7 +401,7 @@ function _locale_import_read_po($file) { $strings[$current["msgid"]] = $current; } elseif ($context != "COMMENT") { - drupal_set_message(t('Translation file %filename broken: unexpected end file at line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected end of file at line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } @@ -465,7 +466,7 @@ function _locale_import_parse_plural_forms($pluralforms, $filename) { return array($nplurals, $plural); } else { - drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => "<em>$filename</em>")), 'error'); + drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => theme('placeholder', $filename))), 'error'); return FALSE; } } 
@@ -768,7 +769,7 @@ function _locale_export_po($language) { $header .= "\"Plural-Forms: nplurals=". $meta->plurals ."; plural=". strtr($meta->formula, '$', '') .";\\n\"\n"; } $header .= "\n"; - watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => "<em>$meta->name</em>", '%filename' => "<em>$filename</em>"))); + watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => theme('placeholder', $meta->name), '%filename' => theme('placeholder', $filename)))); } // Generating Portable Object Template @@ -789,7 +790,7 @@ function _locale_export_po($language) { $header .= "\"Content-Transfer-Encoding: 8bit\\n\"\n"; $header .= "\"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\\n\"\n"; $header .= "\n"; - watchdog('locale', t('Exported translation file: %filename.', array('%filename' => "<em>$filename</em>"))); + watchdog('locale', t('Exported translation file: %filename.', array('%filename' => theme('placeholder', $filename)))); } // Start download process @@ -1080,6 +1081,7 @@ function _locale_string_seek_form() { // Get *all* languages set up $languages = locale_supported_languages(FALSE, TRUE); asort($languages['name']); unset($languages['name']['en']); + $languages['name'] = array_map('check_plain', $languages['name']); // Present edit form preserving previous user settings $query = _locale_string_seek_query(); diff --git a/includes/pager.inc b/includes/pager.inc index 43639c7a6..ddd6c399d 100644 --- a/includes/pager.inc +++ b/includes/pager.inc 
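Review bot: `$languages['name'] = array_map('check_plain', $languages['name']);` escapes the language names in place before the rest of _locale_string_seek_form() (outside the hunk) uses them, presumably as select options; if the same array is later compared against or written back to stored values, those operations now see escaped text. I would keep the raw array and escape at the point of output, or at least record the assumption on this line: `// Escaped here because the names are only used as HTML option labels below.` The function body continues past the hunk.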
@@ -384,19 +384,19 @@ function pager_link($from_new, $element, $attributes = array()) { $q = $_GET['q']; $from = array_key_exists('from', $_GET) ? $_GET['from'] : ''; - foreach($attributes as $key => $value) { + foreach ($attributes as $key => $value) { $query[] = $key .'='. $value; } $from_new = pager_load_array($from_new[$element], $element, explode(',', $from)); if (count($attributes)) { - $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); + $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); } else { $url = url($q, 'from='. implode($from_new, ',')); } - return $url; + return check_url($url); } function pager_load_array($value, $element, $old_array) { diff --git a/includes/tablesort.inc b/includes/tablesort.inc index ad0268352..e4f044d89 100644 --- a/includes/tablesort.inc +++ b/includes/tablesort.inc @@ -87,7 +87,7 @@ function tablesort_header($cell, $header, $ts) { $ts['sort'] = 'asc'; $image = ''; } - $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string']); + $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string'], NULL, FALSE, TRUE); unset($cell['field'], $cell['sort']); } @@ -139,7 +139,7 @@ function tablesort_get_querystring() { $query_string = ''; foreach ($cgi as $key => $val) { if ($key != 'order' && $key != 'sort' && $key != 'q') { - $query_string .= '&'. $key .'='. $val; + $query_string .= '&'. $key .'='. $val; } } return $query_string; diff --git a/includes/theme.inc b/includes/theme.inc index 14b2181e3..789841152 100644 --- a/includes/theme.inc +++ b/includes/theme.inc 
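Review bot: pager_link() now returns `check_url($url)`, i.e. an HTML-escaped URL, so the return value is only correct inside an HTML attribute; a caller that used it for a redirect or a plain-text context would now get `&amp;` in the query string. The docblock (outside the hunk) should say so, e.g. `@return A URL escaped for use in an HTML href attribute.` The `$query[] = $key .'='. $value;` loop still adds attribute values without urlencode(), the same gap as in tablesort_get_querystring() below.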
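Review bot: tablesort_get_querystring() still concatenates request keys and values (`$key .'='. $val`) into the query string without urlencode(), so a value containing `&` or `=` splits into extra parameters; the escaping this commit adds happens later, when l() passes the string through check_url(), which protects the HTML attribute but not the query syntax. I would write `$query_string .= '&'. urlencode($key) .'='. urlencode($val);`. Where `$cgi` comes from is outside the hunk, so this assumes it is request data.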
@@ -225,8 +225,8 @@ function path_to_theme() { */ function theme_get_settings($key = NULL) { $defaults = array( - 'primary_links' => l('edit primary links', 'admin/themes/settings'), - 'secondary_links' => l('edit secondary links', 'admin/themes/settings'), + 'primary_links' => l(t('edit primary links'), 'admin/themes/settings'), + 'secondary_links' => l(t('edit secondary links'), 'admin/themes/settings'), 'mission' => '', 'default_logo' => 1, 'logo_path' => '', @@ -348,6 +348,20 @@ function theme_get_styles() { * * The theme system is described and defined in theme.inc. */ + +/** + * Format a dynamic text string for emphasised display in a placeholder. + * + * E.g. t('Added term %term', array('%term' => theme('placeholder', $term))) + * + * @param $text + * The text to format (plain-text). + * @return + * The formatted text (html). + */ +function theme_placeholder($text) { + return '<em>'. check_plain($text) .'</em>'; +} /** * Return an entire Drupal page displaying the supplied content. @@ -361,7 +375,7 @@ function theme_page($content) { $output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n"; $output .= '<html xmlns="http://www.w3.org/1999/xhtml">'; $output .= '<head>'; - $output .= ' <title>'. (drupal_get_title() ? drupal_get_title() : variable_get('site_name', 'drupal')) .'</title>'; + $output .= ' <title>'. (drupal_get_title() ? strip_tags(drupal_get_title()) : variable_get('site_name', 'drupal')) .'</title>'; $output .= drupal_get_html_head(); $output .= theme_get_styles(); @@ -500,7 +514,7 @@ function theme_node($node, $teaser = FALSE, $page = FALSE) { } if ($page == 0) { - $output = '<h2 class="title">'. $node->title .'</h2> by '. format_name($node); + $output = '<h2 class="title">'. check_plain($node->title) .'</h2> by '. format_name($node); } else { $output = 'by '. format_name($node); |
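Review bot: theme_page() now applies strip_tags() to drupal_get_title() for the `<title>` element, while drupal_get_title() in this commit applies check_plain() to menu titles; the `<title>` value is therefore sometimes already-escaped text and sometimes text from drupal_set_title() with its tags removed but `&` and quotes untouched, since strip_tags() is not an escaping function. I would make the contract explicit on that line: `// drupal_get_title() returns HTML; strip_tags() keeps only its text, as <title> cannot contain markup.` drupal_set_title() is outside the hunk, so the raw-text case is inferred and should be confirmed before deciding whether that path also needs check_plain().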