diff options
| author | Dries Buytaert <dries@buytaert.net> | 2007-03-01 19:53:04 +0000 |
|---|---|---|
| committer | Dries Buytaert <dries@buytaert.net> | 2007-03-01 19:53:04 +0000 |
| commit | b95f496bbcac6a063cfb8f455ebb9301f056ff3f (patch) | |
| tree | 07c324a729d5fa2eadcfccafa71633523f512344 /modules/node | |
| parent | 6ee8563edbd2ef7002ccc8cc1527e0abc9be27b6 (diff) | |
| download | brdo-b95f496bbcac6a063cfb8f455ebb9301f056ff3f.tar.gz brdo-b95f496bbcac6a063cfb8f455ebb9301f056ff3f.tar.bz2 | |
- Backporting comment module validation fixes. Already went into DRUPAL-5.
Diffstat (limited to 'modules/node')
| -rw-r--r-- | modules/node/node.module | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/modules/node/node.module b/modules/node/node.module index 192509e27..244fa8f56 100644 --- a/modules/node/node.module +++ b/modules/node/node.module @@ -2027,6 +2027,10 @@ function node_form_add_preview($form) { $op = isset($form_values['op']) ? $form_values['op'] : ''; if ($op == t('Preview')) { + // Invoke full validation for the form, to protect against cross site + // request forgeries (CSRF) and setting arbitrary values for fields such as + // the input format. Preview the node only when form validation does not + // set any errors. drupal_validate_form($form['form_id']['#value'], $form); if (!form_get_errors()) { // Because the node preview may display a form, we must render it |