authorAngie Byron <webchick@24967.no-reply.drupal.org>2008-10-11 21:11:02 +0000
committerAngie Byron <webchick@24967.no-reply.drupal.org>2008-10-11 21:11:02 +0000
commitecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963 (patch)
tree264c817491a1484683e8adb2a2f47e344ef44717 /includes
parent4002681267044ab1d226ffeade7b8f6fface18ae (diff)
#242873 by pwolanin and bjaspan: Make drupal_set_title() do check_plain() by default.
Diffstat (limited to 'includes')
-rw-r--r--includes/batch.inc8
-rw-r--r--includes/common.inc23
-rw-r--r--includes/form.inc5
-rw-r--r--includes/path.inc9
4 files changed, 38 insertions, 7 deletions
diff --git a/includes/batch.inc b/includes/batch.inc
index ad5630368..2cc41a922 100644
--- a/includes/batch.inc
+++ b/includes/batch.inc
@@ -80,10 +80,10 @@ function _batch_start() {
function _batch_progress_page_js() {
$batch = batch_get();
- // The first batch set gets to set the page title
- // and the initialization and error messages.
+ // The first batch set gets to set the page title and the initialization and
+ // error messages. Only safe strings should be passed in to batch_set().
$current_set = _batch_current_set();
- drupal_set_title($current_set['title']);
+ drupal_set_title($current_set['title'], PASS_THROUGH);
drupal_add_js('misc/progress.js', 'core', 'header', FALSE, FALSE);
$url = url($batch['url'], array('query' => array('id' => $batch['id'])));
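Review bot: With PASS_THROUGH the value of `$current_set['title']` now reaches the page markup without check_plain(), so the escaping boundary moves to every batch_set() caller, and the only in-code reminder of that is the comment rewritten here; the nojs variant in the next hunk (the second `drupal_set_title($current_set['title'], PASS_THROUGH);`) has no such comment. Mirror it there so the two progress pages read the same way, e.g. `// The batch title is expected to be sanitized by the batch_set() caller.` placed directly above that call. The body of `_batch_progress_page_js()` continues past the end of this hunk.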
@@ -126,7 +126,7 @@ function _batch_progress_page_nojs() {
$batch =& batch_get();
$current_set = _batch_current_set();
- drupal_set_title($current_set['title']);
+ drupal_set_title($current_set['title'], PASS_THROUGH);
$new_op = 'do_nojs';
diff --git a/includes/common.inc b/includes/common.inc
index a244dfbd1..f6b3c1553 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -25,6 +25,27 @@ define('SAVED_UPDATED', 2);
define('SAVED_DELETED', 3);
/**
+ * @name Title text filtering flags
+ * @{
+ * Flags for use in drupal_set_title().
+ */
+
+/**
+ * Flag for drupal_set_title(); text is not sanitized, so run check_plain().
+ */
+define('CHECK_PLAIN', 0);
+
+/**
+ * Flag for drupal_set_title(); text has already been sanitized.
+ */
+define('PASS_THROUGH', -1);
+
+/**
+ * @} End of "Title text filtering flags".
+ */
+
+
+/**
* Set content for a specified region.
*
* @param $region
@@ -750,7 +771,7 @@ function fix_gpc_magic() {
* to escape HTML characters. Use this for any output that's displayed within
* a Drupal page.
* @code
- * drupal_set_title($title = t("@name's blog", array('@name' => $account->name)));
+ * drupal_set_title($title = t("@name's blog", array('@name' => $account->name)), PASS_THROUGH);
* @endcode
*
* - %variable, which indicates that the string should be HTML escaped and
diff --git a/includes/form.inc b/includes/form.inc
index 21f7224dd..229338931 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -2379,6 +2379,11 @@ function form_clean_id($id = NULL, $flush = FALSE) {
* batch_process();
* @endcode
*
+ * Note - if the batch 'title', 'init_message', 'progress_message',
+ * or 'error_message' could contain any user input, it is the responsibility of
+ * the code calling batch_set() to sanitize them first with a function like
+ * check_plain() or filter_xss().
+ *
* Sample batch operations:
* @code
* // Simple and artificial: load a node of a given type for a given user
diff --git a/includes/path.inc b/includes/path.inc
index 617e69a23..159920e87 100644
--- a/includes/path.inc
+++ b/includes/path.inc
@@ -196,15 +196,20 @@ function drupal_get_title() {
* @param $title
* Optional string value to assign to the page title; or if set to NULL
* (default), leaves the current title unchanged.
+ * @param $output
+ * Optional flag - normally should be left as CHECK_PLAIN. Only set to
+ * PASS_THROUGH if you have already removed any possibly dangerous code
+ * from $title using a function like check_plain() or filter_xss(). With this
+ * flag the string will be passed through unchanged.
*
* @return
* The updated title of the current page.
*/
-function drupal_set_title($title = NULL) {
+function drupal_set_title($title = NULL, $output = CHECK_PLAIN) {
static $stored_title;
if (isset($title)) {
- $stored_title = $title;
+ $stored_title = ($output == PASS_THROUGH) ? $title : check_plain($title);
}
return $stored_title;
}
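Review bot: The flag test `$stored_title = ($output == PASS_THROUGH) ? $title : check_plain($title);` uses loose comparison, and because PASS_THROUGH is -1 a caller that passes `TRUE` as the second argument (reading it as a boolean "sanitize" switch) satisfies `TRUE == -1` and the title skips check_plain(). Tighten it to `$stored_title = ($output === PASS_THROUGH) ? $title : check_plain($title);` so that only the named constant disables escaping and every other value, including booleans and strings, falls into the safe branch. It would also help to say in the `@param $output` text that the argument is compared against the constant, not treated as a boolean.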