- Patch #688100 by mr.baileys, scor: sanitize user-supplied block titles.

author: Dries Buytaert <dries@buytaert.net> 2010-01-29 13:38:00 +0000
committer: Dries Buytaert <dries@buytaert.net> 2010-01-29 13:38:00 +0000
commit: 6ad8b01a0f23573913698e5bf2465006491afa26 (patch)
tree: 3e6ae44b4785650707e21ba4fdc3067b49bfa7d6 /modules
parent: 053a1664afb0039439e4922d0174460393e10a4e (diff)
download: brdo-6ad8b01a0f23573913698e5bf2465006491afa26.tar.gz
brdo-6ad8b01a0f23573913698e5bf2465006491afa26.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/dashboard/dashboard.module b/modules/dashboard/dashboard.module
index c61598cc1..2b9668b9e 100644
--- a/modules/dashboard/dashboard.module
+++ b/modules/dashboard/dashboard.module
@@ -463,7 +463,7 @@ function theme_dashboard_disabled_block($variables) {
     $output .= '<div id="block-' . $block['module'] . '-' . $block['delta']
     . '" class="disabled-block block block-' . $block['module'] . '-' . $block['delta']
     . ' module-' . $block['module'] . ' delta-' . $block['delta'] . '">'
-    . '<h2>' . (!empty($block['title']) && $block['title'] != '<none>' ? $block['title'] : $block['info']) . '</h2>'
+    . '<h2>' . (!empty($block['title']) && $block['title'] != '<none>' ? check_plain($block['title']) : check_plain($block['info'])) . '</h2>'
     . '<div class="content"></div>'
     . '</div>';
   }
author	Dries Buytaert <dries@buytaert.net>	2010-01-29 13:38:00 +0000
committer	Dries Buytaert <dries@buytaert.net>	2010-01-29 13:38:00 +0000
commit	6ad8b01a0f23573913698e5bf2465006491afa26 (patch)
tree	3e6ae44b4785650707e21ba4fdc3067b49bfa7d6 /modules
parent	053a1664afb0039439e4922d0174460393e10a4e (diff)
download	brdo-6ad8b01a0f23573913698e5bf2465006491afa26.tar.gz brdo-6ad8b01a0f23573913698e5bf2465006491afa26.tar.bz2