Drupal 7.2

3 files changed, 29 insertions, 1 deletions

diff --git a/modules/color/color.install b/modules/color/color.install
index 5705ade3f..b0eb95ef6 100644
--- a/modules/color/color.install
+++ b/modules/color/color.install
@@ -40,3 +40,18 @@ function color_requirements($phase) {
 
   return $requirements;
 }
+
+/**
+ * Warn site administrator if unsafe CSS color codes are found in the database.
+ */
+function color_update_7001() {
+  $theme_palettes = db_query("SELECT name FROM {variable} WHERE name LIKE 'color_%_palette'")->fetchCol();
+  foreach ($theme_palettes as $name) {
+    $palette = variable_get($name, array());
+    foreach ($palette as $key => $color) {
+      if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
+        drupal_set_message('Some of the custom CSS color codes specified via the color module are invalid. Please examine the themes which are making use of the color module at the <a href="'. url('admin/appearance/settings') .'">Appearance settings</a> page to verify their CSS color values.', 'warning');
+      }
+    }
+  }
+}
diff --git a/modules/color/color.module b/modules/color/color.module
index ff6c70e6c..f3fafe7b7 100644
--- a/modules/color/color.module
+++ b/modules/color/color.module
@@ -42,6 +42,7 @@ function color_form_system_theme_settings_alter(&$form, &$form_state) {
       '#theme' => 'color_scheme_form',
     );
     $form['color'] += color_scheme_form($form, $form_state, $theme);
+    $form['#validate'][] = 'color_scheme_form_validate';
     $form['#submit'][] = 'color_scheme_form_submit';
   }
 }
@@ -271,6 +272,18 @@ function theme_color_scheme_form($variables) {
 }
 
 /**
+ * Validation handler for color change form.
+ */
+function color_scheme_form_validate($form, &$form_state) {
+  // Only accept hexadecimal CSS color strings to avoid XSS upon use.
+  foreach ($form_state['values']['palette'] as $key => $color) {
+    if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
+      form_set_error('palette][' . $key, t('%name must be a valid hexadecimal CSS color value.', array('%name' => $form['color']['palette'][$key]['#title'])));
+    }
+  }
+}
+
+/**
  * Submit handler for color change form.
  */
 function color_scheme_form_submit($form, &$form_state) {
diff --git a/modules/file/file.module b/modules/file/file.module
index 400270178..3e4525119 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -976,7 +976,7 @@ function file_get_file_references($file, $field = NULL, $age = FIELD_LOAD_REVISI
     }
   }
 
-  return isset($field) ? $references[$field['field_name']] : $references;
+  return isset($field) ? $references[$field['field_name']] : array_filter($references);
 }
 
 /**