authorAngie Byron <webchick@24967.no-reply.drupal.org>2009-05-19 19:01:51 +0000
committerAngie Byron <webchick@24967.no-reply.drupal.org>2009-05-19 19:01:51 +0000
commitc160d237bf96fafe27409d7db9fa2d4f924ea59c (patch)
tree5765013c2dc80165f23ef810a2003e44e37093f8 /modules
parentab630b2d71a8961e7846c2a214c4676b09c2d63e (diff)
#462428 by Heine, pwolanin, and dww: SA-CORE-2009-006 - Drupal core - Cross site scripting forward-port.
Diffstat (limited to 'modules')
-rw-r--r--modules/taxonomy/taxonomy.module48
1 files changed, 45 insertions, 3 deletions
diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module
index 7995e855c..4c1ab559a 100644
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -509,10 +509,25 @@ function taxonomy_terms_static_reset() {
/**
* Generate a form element for selecting terms from a vocabulary.
+ *
+ * @param $vid
+ * The vocabulary ID to generate a form element for
+ * @param $value
+ * The existing value of the term(s) in this vocabulary to use by default.
+ * @param $help
+ * Optional help text to use for the form element. If specified, this value
+ * MUST be properly sanitized and filtered (e.g. with filter_xss_admin() or
+ * check_plain() if it is user-supplied) to prevent XSS vulnerabilities. If
+ * omitted, the help text stored with the vocaulary (if any) will be used.
+ * @return
+ * An array describing a form element to select terms for a vocabulary.
+ *
+ * @see _taxonomy_term_select()
+ * @see filter_xss_admin()
*/
function taxonomy_form($vid, $value = 0, $help = NULL) {
$vocabulary = taxonomy_vocabulary_load($vid);
- $help = ($help) ? $help : $vocabulary->help;
+ $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
if (!$vocabulary->multiple) {
$blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
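Review bot: The new fallback on the `$help = ($help) ? $help : filter_xss_admin($vocabulary->help);` line filters only the stored vocabulary help; a caller-supplied `$help` is still emitted as-is on the strength of the docblock's MUST, so every caller that passes it has to remember to filter and a single forgotten call site reopens the issue. If a second pass over already-filtered admin HTML is acceptable, applying `filter_xss_admin()` to the caller value too would make this function safe regardless of its callers. The truthiness test also means a help string that the filter strips to an empty string is treated as no help at all, which is probably fine but worth knowing. The added @param text has a typo: `the help text stored with the vocaulary (if any)` should read `vocabulary`. The body of taxonomy_form() continues beyond the hunk.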
@@ -599,7 +614,7 @@ function taxonomy_form_alter(&$form, $form_state, $form_id) {
$typed_string = taxonomy_implode_tags($terms, $vocabulary->vid) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
}
if ($vocabulary->help) {
- $help = $vocabulary->help;
+ $help = filter_xss_admin($vocabulary->help);
}
else {
$help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc."');
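Review bot: The `if ($vocabulary->help)` test is made on the raw stored value, so help text that `filter_xss_admin()` reduces to an empty string yields an empty description instead of the default "comma-separated list" text. Filtering first and then testing the result, `$help = filter_xss_admin($vocabulary->help); if (!$help) { $help = t('A comma-separated list of terms ...'); }`, keeps the default for that case. This is a minor robustness point; the XSS fix itself looks right. The enclosing taxonomy_form_alter() starts and ends outside the hunk.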
@@ -623,7 +638,7 @@ function taxonomy_form_alter(&$form, $form_state, $form_id) {
$default_terms[$term->tid] = $term;
}
}
- $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
+ $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
$form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
$form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
}
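Review bot: This call site now filters the stored help itself and passes it on, while the first hunk makes taxonomy_form() filter the same value when `$help` is omitted, so the filtering decision lives in two places that must stay in sync. If no other caller depends on the explicit argument, passing nothing, `taxonomy_form($vocabulary->vid, array_keys($default_terms))`, lets taxonomy_form() be the single point where vocabulary help is sanitized. As written the line is correct; this is about keeping one source of truth for the filter. The enclosing taxonomy_form_alter() starts and ends outside the hunk.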
@@ -1399,6 +1414,33 @@ function taxonomy_get_term_data($tid) {
return $terms[$tid];
}
+/**
+ * Create a select form element for a given taxonomy vocabulary.
+ *
+ * NOTE: This function expects input that has already been sanitized and is
+ * safe for display. Callers must properly sanitize the $title and
+ * $description arguments to prevent XSS vulnerabilities.
+ *
+ * @param $title
+ * The title of the vocabulary. This MUST be sanitized by the caller.
+ * @param $value
+ * The currently selected terms from this vocabulary, if any.
+ * @param $vocabulary_id
+ * The vocabulary ID to build the form element for.
+ * @param $description
+ * Help text for the form element. This MUST be sanitized by the caller.
+ * @param $multiple
+ * Boolean to control if the form should use a single or multiple select.
+ * @param $blank
+ * Optional form choice to use when no value has been selected.
+ * @param $exclude
+ * Optional array of term ids to exclude in the selector.
+ * @return
+ * A FAPI form array to select terms from the given vocabulary.
+ *
+ * @see taxonomy_form()
+ * @see taxonomy_form_term()
+ */
function _taxonomy_term_select($title, $value, $vocabulary_id, $description, $multiple, $blank, $exclude = array()) {
$tree = taxonomy_get_tree($vocabulary_id);
$options = array();
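Review bot: The new docblock names `$title` and `$description` as MUST-be-sanitized but says nothing about `$blank`, which presumably ends up as an option label in the generated select (the function body is outside the hunk, so this is inferred from how taxonomy_form() builds `$blank` with t()). A one-line addition would close the gap: `Optional form choice to use when no value has been selected. Rendered as an option label, so it MUST be sanitized by the caller like $title.` Whether the form theme layer escapes `#title` on its own is not visible here, so stating the conservative contract for all rendered arguments is the right call. _taxonomy_term_select() continues past the end of the hunk.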