author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-11 21:11:02 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-11 21:11:02 +0000 |
commit | ecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963 (patch) | |
tree | 264c817491a1484683e8adb2a2f47e344ef44717 /modules | |
parent | 4002681267044ab1d226ffeade7b8f6fface18ae (diff) | |
download | brdo-ecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963.tar.gz brdo-ecf7ad41d0c3b8d4ea12e3883d3b5c9060eb2963.tar.bz2 |
#242873 by pwolanin and bjaspan: Make drupal_set_title() do check_plain() by default.
Diffstat (limited to 'modules')
24 files changed, 107 insertions, 37 deletions
diff --git a/modules/aggregator/aggregator.pages.inc b/modules/aggregator/aggregator.pages.inc
index 6a37cd00c..4df1d0391 100644
--- a/modules/aggregator/aggregator.pages.inc
+++ b/modules/aggregator/aggregator.pages.inc
@@ -37,7 +37,7 @@ function aggregator_page_source($arg1, $arg2 = NULL) {
 // $arg1 is $form_state and $arg2 is $feed. Otherwise, $arg1 is $feed.
 $feed = is_array($arg2) ? $arg2 : $arg1;
 $feed = (object)$feed;
- drupal_set_title(check_plain($feed->title));
+ drupal_set_title($feed->title);
 $feed_source = theme('aggregator_feed_source', $feed);
 // It is safe to include the fid in the query because it's loaded from the
diff --git a/modules/block/block.admin.inc b/modules/block/block.admin.inc
index af7e47749..ad5541b0b 100644
--- a/modules/block/block.admin.inc
+++ b/modules/block/block.admin.inc
@@ -174,7 +174,7 @@ function block_admin_configure(&$form_state, $module = NULL, $delta = 0) {
 // Get the block subject for the page title.
 $info = module_invoke($module, 'block', 'list');
 if (isset($info[$delta])) {
- drupal_set_title(t("'%name' block", array('%name' => $info[$delta]['info'])));
+ drupal_set_title(t("'%name' block", array('%name' => $info[$delta]['info'])), PASS_THROUGH);
 }
 // Standard block configurations.
diff --git a/modules/blog/blog.pages.inc b/modules/blog/blog.pages.inc
index 042b089ed..2deb15cef 100644
--- a/modules/blog/blog.pages.inc
+++ b/modules/blog/blog.pages.inc
@@ -12,7 +12,7 @@ function blog_page_user($account) {
 global $user;
- drupal_set_title($title = t("@name's blog", array('@name' => $account->name)));
+ drupal_set_title($title = t("@name's blog", array('@name' => $account->name)), PASS_THROUGH);
 $items = array();
diff --git a/modules/book/book.admin.inc b/modules/book/book.admin.inc
index 088c2d68a..be8fe7b4a 100644
--- a/modules/book/book.admin.inc
+++ b/modules/book/book.admin.inc
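Review bot: In the blog.pages.inc hunk the added line keeps an assignment buried inside the argument list, `drupal_set_title($title = t("@name's blog", array('@name' => $account->name)), PASS_THROUGH);`, which hides that `$title` is being retained for later use in blog_page_user(), whose body continues past the hunk. Splitting it into `$title = t("@name's blog", array('@name' => $account->name));` followed by `drupal_set_title($title, PASS_THROUGH);` makes both the side effect and the reuse visible. PASS_THROUGH is presumably acceptable here only because the `@name` placeholder is escaped by t(); a short comment stating that assumption would stop a later edit from switching the placeholder to `!name` without noticing the title is no longer filtered.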
@@ -70,7 +70,7 @@ function book_admin_settings_validate($form, &$form_state) {
 * @ingroup forms.
 */
 function book_admin_edit($form_state, $node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 $form = array();
 $form['#node'] = $node;
 _book_admin_table($node, $form);
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc
index 6ec9ce00c..01dfe3881 100644
--- a/modules/book/book.pages.inc
+++ b/modules/book/book.pages.inc
@@ -90,7 +90,7 @@ function book_export_html($nid) {
 * Menu callback; show the outline form for a single node.
 */
 function book_outline($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 return drupal_get_form('book_outline_form', $node);
 }
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index cde48a989..db663aa87 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1442,7 +1442,7 @@ function comment_form_box($edit, $title = NULL) {
 function comment_form_add_preview($form, &$form_state) {
 global $user;
 $edit = $form_state['values'];
- drupal_set_title(t('Preview comment'));
+ drupal_set_title(t('Preview comment'), PASS_THROUGH);
 $output = '';
 $node = node_load($edit['nid']);
diff --git a/modules/contact/contact.pages.inc b/modules/contact/contact.pages.inc
index 63b5241e0..e9a9f00d3 100644
--- a/modules/contact/contact.pages.inc
+++ b/modules/contact/contact.pages.inc
@@ -164,7 +164,7 @@ function contact_user_page($account) {
 $output = t("You cannot send more than %number messages per hour. Please try again later.", array('%number' => variable_get('contact_hourly_threshold', 3)));
 }
 else {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
 $output = drupal_get_form('contact_mail_user', $account);
 }
diff --git a/modules/filter/filter.admin.inc b/modules/filter/filter.admin.inc
index 8fcebb7aa..f74fd2d6b 100644
--- a/modules/filter/filter.admin.inc
+++ b/modules/filter/filter.admin.inc
@@ -94,7 +94,7 @@ function theme_filter_admin_overview($form) {
 */
 function filter_admin_format_page($format = NULL) {
 if (!isset($format->name)) {
- drupal_set_title(t("Add input format"));
+ drupal_set_title(t('Add input format'), PASS_THROUGH);
 $format = (object)array('name' => '', 'roles' => '', 'format' => '');
 }
 return drupal_get_form('filter_admin_format_form', $format);
@@ -302,7 +302,7 @@ function filter_admin_delete_submit($form, &$form_state) {
 * Menu callback; display settings defined by a format's filters.
 */
 function filter_admin_configure_page($format) {
- drupal_set_title(t("Configure %format", array('%format' => $format->name)));
+ drupal_set_title(t("Configure %format", array('%format' => $format->name)), PASS_THROUGH);
 return drupal_get_form('filter_admin_configure', $format);
 }
@@ -343,7 +343,7 @@ function filter_admin_configure_submit($form, &$form_state) {
 * Menu callback; display form for ordering filters for a format.
 */
 function filter_admin_order_page($format) {
- drupal_set_title(t("Rearrange %format", array('%format' => $format->name)));
+ drupal_set_title(t("Rearrange %format", array('%format' => $format->name)), PASS_THROUGH);
 return drupal_get_form('filter_admin_order', $format);
 }
diff --git a/modules/forum/forum.module b/modules/forum/forum.module
index 1ad242382..99083e895 100644
--- a/modules/forum/forum.module
+++ b/modules/forum/forum.module
@@ -723,7 +723,7 @@ function template_preprocess_forums(&$variables) {
 }
 }
 drupal_set_breadcrumb($breadcrumb);
- drupal_set_title(check_plain($title));
+ drupal_set_title($title);
 if ($variables['forums_defined'] = count($variables['forums']) || count($variables['parents'])) {
 // Format the "post new content" links listing.
@@ -784,7 +784,7 @@ function template_preprocess_forums(&$variables) {
 }
 else {
- drupal_set_title(t('No forums defined'));
+ drupal_set_title(t('No forums defined'), PASS_THROUGH);
 $variables['links'] = array();
 $variables['forums'] = '';
 $variables['topics'] = '';
diff --git a/modules/node/node.module b/modules/node/node.module
index 176804062..48e75a3be 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1142,7 +1142,7 @@ function node_build_content($node, $teaser = FALSE, $page = FALSE) {
 */
 function node_show($node, $cid, $message = FALSE) {
 if ($message) {
- drupal_set_title(t('Revision of %title from %date', array('%title' => $node->title, '%date' => format_date($node->revision_timestamp))));
+ drupal_set_title(t('Revision of %title from %date', array('%title' => $node->title, '%date' => format_date($node->revision_timestamp))), PASS_THROUGH);
 }
 $output = node_view($node, FALSE, TRUE);
@@ -1857,7 +1857,7 @@ function node_page_default() {
 * Menu callback; view a single node.
 */
 function node_page_view($node, $cid = NULL) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 return node_show($node, $cid);
 }
diff --git a/modules/node/node.pages.inc b/modules/node/node.pages.inc
index 3868fd51a..452f3f853 100644
--- a/modules/node/node.pages.inc
+++ b/modules/node/node.pages.inc
@@ -11,7 +11,7 @@
 * Menu callback; presents the node editing form, or redirects to delete confirmation.
 */
 function node_page_edit($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 return drupal_get_form($node->type . '_node_form', $node);
 }
@@ -59,7 +59,7 @@ function node_add($type) {
 // Initialize settings:
 $node = array('uid' => $user->uid, 'name' => (isset($user->name) ? $user->name : ''), 'type' => $type, 'language' => '');
- drupal_set_title(t('Create @name', array('@name' => $types[$type]->name)));
+ drupal_set_title(t('Create @name', array('@name' => $types[$type]->name)), PASS_THROUGH);
 $output = drupal_get_form($type . '_node_form', $node);
 }
@@ -381,7 +381,7 @@ function node_preview($node) {
 $cloned_node->build_mode = NODE_BUILD_PREVIEW;
 $output = theme('node_preview', $cloned_node);
 }
- drupal_set_title(t('Preview'));
+ drupal_set_title(t('Preview'), PASS_THROUGH);
 return $output;
 }
@@ -504,7 +504,7 @@ function node_delete_confirm_submit($form, &$form_state) {
 * Generate an overview table of older revisions of a node.
 */
 function node_revision_overview($node) {
- drupal_set_title(t('Revisions for %title', array('%title' => $node->title)));
+ drupal_set_title(t('Revisions for %title', array('%title' => $node->title)), PASS_THROUGH);
 $header = array(t('Revision'), array('data' => t('Operations'), 'colspan' => 2));
diff --git a/modules/openid/openid.pages.inc b/modules/openid/openid.pages.inc
index 6d8ba2d60..efd7684ee 100644
--- a/modules/openid/openid.pages.inc
+++ b/modules/openid/openid.pages.inc
@@ -28,7 +28,7 @@ function openid_authentication_page() {
 * Menu callback; Manage OpenID identities for the specified user.
 */
 function openid_user_identities($account) {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
 drupal_add_css(drupal_get_path('module', 'openid') . '/openid.css', 'module');
 // Check to see if we got a response
diff --git a/modules/path/path.admin.inc b/modules/path/path.admin.inc
index 9960f3471..6e2a440af 100644
--- a/modules/path/path.admin.inc
+++ b/modules/path/path.admin.inc
@@ -66,7 +66,7 @@ function path_admin_overview($keys = NULL) {
 function path_admin_edit($pid = 0) {
 if ($pid) {
 $alias = path_load($pid);
- drupal_set_title(check_plain($alias['dst']));
+ drupal_set_title($alias['dst']);
 $output = drupal_get_form('path_admin_form', $alias);
 }
 else {
diff --git a/modules/poll/poll.pages.inc b/modules/poll/poll.pages.inc
index 39d456398..61f3bf6c2 100644
--- a/modules/poll/poll.pages.inc
+++ b/modules/poll/poll.pages.inc
@@ -28,7 +28,7 @@ function poll_page() {
 * Callback for the 'votes' tab for polls you can see other votes on
 */
 function poll_votes($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 $output = t('This table lists all the recorded votes for this poll. If anonymous users are allowed to vote, they will be identified by the IP address of the computer they used when they voted.');
 $header[] = array('data' => t('Visitor'), 'field' => 'u.name');
@@ -51,7 +51,7 @@ function poll_votes($node) {
 * Callback for the 'results' tab for polls you can vote on
 */
 function poll_results($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 $node->show_results = TRUE;
 return node_show($node, 0);
 }
diff --git a/modules/profile/profile.admin.inc b/modules/profile/profile.admin.inc
index 912378852..5219dffed 100644
--- a/modules/profile/profile.admin.inc
+++ b/modules/profile/profile.admin.inc
@@ -175,7 +175,7 @@ function profile_field_form(&$form_state, $arg = NULL) {
 drupal_not_found();
 return;
 }
- drupal_set_title(t('edit %title', array('%title' => $edit['title'])));
+ drupal_set_title(t('edit %title', array('%title' => $edit['title'])), PASS_THROUGH);
 $form['fid'] = array('#type' => 'value', '#value' => $fid, );
@@ -193,7 +193,7 @@ function profile_field_form(&$form_state, $arg = NULL) {
 return;
 }
 $type = $arg;
- drupal_set_title(t('add new %type', array('%type' => $types[$type])));
+ drupal_set_title(t('add new %type', array('%type' => $types[$type])), PASS_THROUGH);
 $edit = array('name' => 'profile_');
 $form['type'] = array('#type' => 'value', '#value' => $type);
 }
diff --git a/modules/profile/profile.pages.inc b/modules/profile/profile.pages.inc
index 275a9d463..52946376b 100644
--- a/modules/profile/profile.pages.inc
+++ b/modules/profile/profile.pages.inc
@@ -73,7 +73,7 @@ function profile_browse() {
 $title = check_plain($field->page);
 }
- drupal_set_title($title);
+ drupal_set_title($title, PASS_THROUGH);
 return $output;
 }
 else if ($name && !$field->fid) {
@@ -99,7 +99,7 @@ function profile_browse() {
 $output = theme('profile_wrapper', $content);
 $output .= theme('pager', NULL, 20);
- drupal_set_title(t('User list'));
+ drupal_set_title(t('User list'), PASS_THROUGH);
 return $output;
 }
 }
diff --git a/modules/statistics/statistics.admin.inc b/modules/statistics/statistics.admin.inc
index 7295083e7..38733c1f5 100644
--- a/modules/statistics/statistics.admin.inc
+++ b/modules/statistics/statistics.admin.inc
@@ -64,7 +64,7 @@ function statistics_top_pages() {
 $rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 4));
 }
- drupal_set_title(t('Top pages in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))));
+ drupal_set_title(t('Top pages in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))), PASS_THROUGH);
 $output = theme('table', $header, $rows);
 $output .= theme('pager', NULL, 30, 0);
 return $output;
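Review bot: In the first profile.pages.inc hunk, the new `drupal_set_title($title, PASS_THROUGH);` makes the page title trust whatever every earlier branch of profile_browse() assigned to `$title`, but only the last assignment, `$title = check_plain($field->page);`, is visible here; the other branches lie above the hunk, and each of them must also escape its value or build it through t() for the PASS_THROUGH to be safe. A comment directly above the call, `// Every branch above assigns an already-escaped $title, so no further filtering here.`, records the invariant the opt-out now depends on. If any branch turns out to assign a raw field value, the safer shape is to drop the check_plain() calls from the branches and let the CHECK_PLAIN default do the escaping once.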
@@ -97,7 +97,7 @@ function statistics_top_visitors() {
 $rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 4));
 }
- drupal_set_title(t('Top visitors in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))));
+ drupal_set_title(t('Top visitors in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))), PASS_THROUGH);
 $output = theme('table', $header, $rows);
 $output .= theme('pager', NULL, 30, 0);
 return $output;
@@ -109,7 +109,7 @@ function statistics_top_visitors() {
 function statistics_top_referrers() {
 $query = "SELECT url, COUNT(url) AS hits, MAX(timestamp) AS last FROM {accesslog} WHERE url NOT LIKE :host AND url <> '' GROUP BY url";
 $query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url NOT LIKE :host";
- drupal_set_title(t('Top referrers in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))));
+ drupal_set_title(t('Top referrers in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))), PASS_THROUGH);
 $header = array(
 array('data' => t('Hits'), 'field' => 'hits', 'sort' => 'desc'),
diff --git a/modules/statistics/statistics.pages.inc b/modules/statistics/statistics.pages.inc
index 69286b515..612a03f34 100644
--- a/modules/statistics/statistics.pages.inc
+++ b/modules/statistics/statistics.pages.inc
@@ -29,7 +29,7 @@ function statistics_node_tracker() {
 $rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 4));
 }
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
 $output = theme('table', $header, $rows);
 $output .= theme('pager', NULL, 30, 0);
 return $output;
@@ -60,7 +60,7 @@ function statistics_user_tracker() {
 $rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 3));
 }
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
 $output = theme('table', $header, $rows);
 $output .= theme('pager', NULL, 30, 0);
 return $output;
diff --git a/modules/system/system.module b/modules/system/system.module
index 2ccdbc01a..448dcec1f 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -1296,6 +1296,11 @@ function system_node_type($op, $info) {
 * confirmed the action. You should never directly inspect $_POST to see if an
 * action was confirmed.
 *
+ * Note - if the parameters $question, $description, $yes, or $no could contain
+ * any user input (such as node titles or taxonomy terms), it is the
+ * responsibility of the code calling confirm_form() to sanitize them first with
+ * a function like check_plain() or filter_xss().
+ *
 * @ingroup forms
 * @param $form
 * Additional elements to inject into the form, for example hidden elements.
@@ -1329,7 +1334,7 @@ function confirm_form($form, $question, $path, $description = NULL, $yes = NULL,
 }
 $cancel = l($no ? $no : t('Cancel'), $path, array('query' => $query, 'fragment' => $fragment));
- drupal_set_title($question);
+ drupal_set_title($question, PASS_THROUGH);
 // Confirm form fails duplication check, as the form values rarely change -- so skip it.
 $form['#skip_duplicate_check'] = TRUE;
diff --git a/modules/system/system.test b/modules/system/system.test
index 18bb36c63..dbf6c0dbd 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
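Review bot: The new docblock note in confirm_form() tells callers to sanitize `$question` but not why, while the second hunk is the reason: `drupal_set_title($question, PASS_THROUGH);` now opts the page title out of the CHECK_PLAIN default, so `$question` reaches the title unescaped. Adding one sentence to the note, `* $question is passed to drupal_set_title() with PASS_THROUGH, so it is rendered as-is in the page title.`, makes the contract traceable to the sink and explains why this is stricter than the other titles in this commit. The note also names `$no`, which on the visible line is only used as link text in `l()`; if l() escapes its text by default that entry is harmless but overstates the caller's burden, so it is worth confirming before module authors start double-escaping cancel labels. confirm_form() itself starts and ends outside these hunks.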
@@ -457,3 +457,68 @@ class PageNotFoundTestCase extends DrupalWebTestCase {
 $this->assertNoText(t('User login'), t('Blocks are not shown on the default 404 page'));
 }
 }
+
+class PageTitleFiltering extends DrupalWebTestCase {
+ protected $content_user;
+ protected $saved_title;
+
+ /**
+ * Implementation of getInfo().
+ */
+ function getInfo() {
+ return array(
+ 'name' => t('HTML in page titles'),
+ 'description' => t('Tests correct handling or conversion by drupal_set_title() and drupal_get_title().'),
+ 'group' => t('System')
+ );
+ }
+
+ /**
+ * Implementation of setUp().
+ */
+ function setUp() {
+ parent::setUp();
+
+ $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+ $this->drupalLogin($this->content_user);
+ $this->saved_title = drupal_get_title();
+ }
+
+ /**
+ * Reset page title.
+ */
+ function tearDown() {
+ // Restore the page title.
+ drupal_set_title($this->saved_title, PASS_THROUGH);
+
+ parent::tearDown();
+ }
+
+ /**
+ * Tests the handling of HTML by drupal_set_title() and drupal_get_title()
+ */
+ function testTitleTags() {
+ $title = "string with <em>HTML</em>";
+ // drupal_set_title's $filter is CHECK_PLAIN by default, so the title should be
+ // returned with check_plain().
+ drupal_set_title($title, CHECK_PLAIN);
+ $this->assertTrue(strpos(drupal_get_title(), '<em>') === FALSE, t('Tags in title converted to entities when $output is CHECK_PLAIN.'));
+ // drupal_set_title's $filter is passed as PASS_THROUGH, so the title should be
+ // returned with HTML.
+ drupal_set_title($title, PASS_THROUGH);
+ $this->assertTrue(strpos(drupal_get_title(), '<em>') !== FALSE, t('Tags in title are not converted to entities when $output is PASS_THROUGH.'));
+ // Generate node content.
+ $edit = array(
+ 'title' => '!SimpleTest! ' . $title . $this->randomName(20),
+ 'body' => '!SimpleTest! test body' . $this->randomName(200),
+ );
+ // Create the node with HTML in the title.
+ $this->drupalPost('node/add/page', $edit, t('Save'));
+
+ $node = node_load(array('title' => $edit['title']));
+ $this->assertNotNull($node, 'Node created and found in database');
+ $this->drupalGet("node/" . $node->nid);
+ $this->assertText(check_plain($edit['title']), 'Check to make sure tags in the node title are converted.');
+ }
+}
+
diff --git a/modules/taxonomy/taxonomy.pages.inc b/modules/taxonomy/taxonomy.pages.inc
index 6e6b9af2b..e72c8a207 100644
--- a/modules/taxonomy/taxonomy.pages.inc
+++ b/modules/taxonomy/taxonomy.pages.inc
@@ -112,7 +112,7 @@ function theme_taxonomy_term_page($tids, $result) {
 */
 function taxonomy_term_edit($term) {
 if (isset($term)) {
- drupal_set_title(check_plain($term->name));
+ drupal_set_title($term->name);
 return drupal_get_form('taxonomy_form_term', taxonomy_vocabulary_load($term->vid), (array)$term);
 }
 return drupal_not_found();
diff --git a/modules/tracker/tracker.pages.inc b/modules/tracker/tracker.pages.inc
index 97d948992..027b39419 100644
--- a/modules/tracker/tracker.pages.inc
+++ b/modules/tracker/tracker.pages.inc
@@ -19,7 +19,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
 // When viewed from user/%user/track, display the name of the user
 // as page title -- the tab title remains Track so this needs to be done
 // here and not in the menu definiton.
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
 }
 // TODO: These queries are very expensive, see http://drupal.org/node/105639
 $sql = 'SELECT DISTINCT(n.nid), n.title, n.type, n.changed, n.uid, u.name, GREATEST(n.changed, l.last_comment_timestamp) AS last_updated, l.comment_count FROM {node} n INNER JOIN {node_comment_statistics} l ON n.nid = l.nid INNER JOIN {users} u ON n.uid = u.uid LEFT JOIN {comments} c ON n.nid = c.nid AND (c.status = %d OR c.status IS NULL) WHERE n.status = 1 AND (n.uid = %d OR c.uid = %d) ORDER BY last_updated DESC';
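Review bot: The closing assertion of testTitleTags() in the system.test hunk proves the escaped title is present on the node page but never proves the raw markup is absent, so a regression that rendered the title both escaped and unescaped (say in the `<title>` element and the heading) would still pass; adding `$this->assertNoRaw($title, t('Raw HTML from the node title is not rendered.'));` right after the assertText() pins the negative case too, on the assumption that nothing else on node/NID echoes the unfiltered title. The `$title` local deliberately contains `<em>`, which is a good choice because it is unlikely to collide with theme markup the way `<b>` or `<a>` would. The getInfo() description reads "handling or conversion", which looks like it should be "handling and conversion". The whole test class, including testTitleTags(), is inside the hunk.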
diff --git a/modules/translation/translation.pages.inc b/modules/translation/translation.pages.inc
index 095b581b5..09c82800f 100644
--- a/modules/translation/translation.pages.inc
+++ b/modules/translation/translation.pages.inc
@@ -54,6 +54,6 @@ function translation_node_overview($node) {
 $rows[] = array($language_name, $title, $status, implode(" | ", $options));
 }
- drupal_set_title(t('Translations of %title', array('%title' => $node->title)));
+ drupal_set_title(t('Translations of %title', array('%title' => $node->title)), PASS_THROUGH);
 return theme('table', $header, $rows);
 }
diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc
index 5050f45e2..24eb3d6c5 100644
--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -147,7 +147,7 @@ function user_logout() {
 * Menu callback; Displays a user or user profile page.
 */
 function user_view($account) {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
 // Retrieve all profile fields and attach to $account->content.
 user_build_content($account);
@@ -218,7 +218,7 @@ function template_preprocess_user_profile_category(&$variables) {
 * @see user_edit_submit()
 */
 function user_edit($account, $category = 'account') {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
 return drupal_get_form('user_profile_form', $account, $category);
 } |