author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-11 21:11:02 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-11 21:11:02 +0000 |
commit | ecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963 (patch) | |
tree | 264c817491a1484683e8adb2a2f47e344ef44717 /modules/system/system.module | |
parent | 4002681267044ab1d226ffeade7b8f6fface18ae (diff) | |
download | brdo-ecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963.tar.gz brdo-ecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963.tar.bz2 |
#242873 by pwolanin and bjaspan: Make drupal_set_title() do check_plain() by default.
Diffstat (limited to 'modules/system/system.module')
-rw-r--r-- | modules/system/system.module | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/system/system.module b/modules/system/system.module
index 2ccdbc01a..448dcec1f 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -1296,6 +1296,11 @@ function system_node_type($op, $info) {
  * confirmed the action. You should never directly inspect $_POST to see if an
  * action was confirmed.
  *
+ * Note - if the parameters $question, $description, $yes, or $no could contain
+ * any user input (such as node titles or taxonomy terms), it is the
+ * responsibility of the code calling confirm_form() to sanitize them first with
+ * a function like check_plain() or filter_xss().
+ *
  * @ingroup forms
  * @param $form
  *   Additional elements to inject into the form, for example hidden elements.
@@ -1329,7 +1334,7 @@ function confirm_form($form, $question, $path, $description = NULL, $yes = NULL,
   }
   $cancel = l($no ? $no : t('Cancel'), $path, array('query' => $query, 'fragment' => $fragment));
 
-  drupal_set_title($question);
+  drupal_set_title($question, PASS_THROUGH);
 
   // Confirm form fails duplication check, as the form values rarely change -- so skip it.
   $form['#skip_duplicate_check'] = TRUE;
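Review bot: The call `drupal_set_title($question, PASS_THROUGH);` in the second hunk opts confirm_form() out of the check_plain() default this commit introduces, so whatever a caller passes as $question reaches the page title unescaped, and the only safeguard is the caller-responsibility note added to the docblock in the first hunk. Nothing at the call site says why the escaping is bypassed, which is the kind of line a later maintainer is likely to "fix" back or copy elsewhere; a one-line why-comment would keep the intent visible: `// PASS_THROUGH: $question may carry markup, so callers must sanitize it (see docblock).` The docblock note would also be clearer if it stated the mechanism rather than only the rule, e.g. appending `confirm_form() sets the page title with PASS_THROUGH, so $question is not escaped here.` The rest of confirm_form(), including how $description, $yes and $no are rendered, lies outside both hunks, so whether the same caveat holds for them cannot be confirmed from this diff.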