diff options
52 files changed, 454 insertions, 438 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 509779049..3ec573846 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -393,7 +393,7 @@ function drupal_get_title() { if (!isset($title)) { // during a bootstrap, menu.inc is not included and thus we cannot provide a title if (function_exists('menu_get_active_title')) { - $title = menu_get_active_title(); + $title = check_plain(menu_get_active_title()); } } @@ -509,7 +509,7 @@ function drupal_unpack($obj, $field = 'data') { */ function referer_uri() { if (isset($_SERVER['HTTP_REFERER'])) { - return check_url($_SERVER['HTTP_REFERER']); + return $_SERVER['HTTP_REFERER']; } } @@ -537,14 +537,14 @@ function arg($index) { } /** - * Prepare user input for use in a URI. + * Prepare a URL for use in an HTML attribute. * - * We replace ( and ) with their entity equivalents to prevent XSS attacks. + * We replace ( and ) with their url-encoded equivalents to prevent XSS attacks. */ function check_url($uri) { $uri = htmlspecialchars($uri, ENT_QUOTES); - $uri = strtr($uri, array('(' => '&040;', ')' => '&041;')); + $uri = strtr($uri, array('(' => '%28', ')' => '%29')); return $uri; } @@ -567,7 +567,7 @@ function request_uri() { } } - return check_url($uri); + return $uri; } /** diff --git a/includes/common.inc b/includes/common.inc index f3abbac85..b6a8807c8 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -173,8 +173,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { extract(parse_url($_REQUEST['edit']['destination'])); } - // Translate & to simply & in the absolute URL. - $url = str_replace('&', '&', url($path, $query, $fragment, TRUE)); + $url = url($path, $query, $fragment, TRUE); if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) { $sid = session_name() . '=' . session_id(); @@ -203,7 +202,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { */ function drupal_not_found() { header('HTTP/1.0 404 Not Found'); - watchdog('page not found', t('%page not found.', array('%page' => '<em>'. db_escape_string($_GET['q']) .'</em>')), WATCHDOG_WARNING); + watchdog('page not found', t('%page not found.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING); $path = drupal_get_normal_path(variable_get('site_404', '')); $status = MENU_NOT_FOUND; @@ -223,7 +222,7 @@ function drupal_not_found() { */ function drupal_access_denied() { header('HTTP/1.0 403 Forbidden'); - watchdog('access denied', t('%page denied access.', array('%page' => '<em>'. db_escape_string($_GET['q']) .'</em>')), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); + watchdog('access denied', t('%page denied access.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); $path = drupal_get_normal_path(variable_get('site_403', '')); $status = MENU_NOT_FOUND; @@ -549,15 +548,10 @@ function t($string, $args = 0) { } /** - * Encode special characters in a string for display as HTML. - * - * Note that we'd like to use htmlspecialchars($input, $quotes, 'utf-8') - * as outlined in the PHP manual, but we can't because there's a bug in - * PHP < 4.3 that makes it mess up multibyte charsets if we specify the - * charset. This will be changed later once we make PHP 4.3 a requirement. + * Encode special characters in a plain-text string for display as HTML. */ -function drupal_specialchars($input, $quotes = ENT_NOQUOTES) { - return htmlspecialchars($input, $quotes); +function check_plain($text) { + return htmlspecialchars($text, ENT_QUOTES); } /** @@ -642,7 +636,7 @@ function valid_input_data($data) { $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data); if ($match) { - watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => '<em>'. drupal_specialchars($data) .'</em>'))); + watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => theme('placeholder', $data)))); return FALSE; } } @@ -680,10 +674,6 @@ function flood_is_allowed($name, $threshold) { return ($number < $threshold ? TRUE : FALSE); } -function check_form($text) { - return drupal_specialchars($text, ENT_QUOTES); -} - function check_file($filename) { return is_uploaded_file($filename); } @@ -703,12 +693,12 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en // arbitrary elements may be added using the $args associative array $output = "<channel>\n"; - $output .= ' <title>'. drupal_specialchars(strip_tags($title)) ."</title>\n"; - $output .= ' <link>'. drupal_specialchars(strip_tags($link)) ."</link>\n"; - $output .= ' <description>'. drupal_specialchars(strip_tags($description)) ."</description>\n"; - $output .= ' <language>'. drupal_specialchars(strip_tags($language)) ."</language>\n"; + $output .= ' <title>'. check_plain($title) ."</title>\n"; + $output .= ' <link>'. check_url($link) ."</link>\n"; + $output .= ' <description>'. check_plain($description) ."</description>\n"; + $output .= ' <language>'. check_plain($language) ."</language>\n"; foreach ($args as $key => $value) { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."</$key>\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."</$key>\n"; } $output .= $items; $output .= "</channel>\n"; @@ -723,9 +713,9 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en */ function format_rss_item($title, $link, $description, $args = array()) { $output = "<item>\n"; - $output .= ' <title>'. drupal_specialchars(strip_tags($title)) ."</title>\n"; - $output .= ' <link>'. drupal_specialchars(strip_tags($link)) ."</link>\n"; - $output .= ' <description>'. drupal_specialchars($description) ."</description>\n"; + $output .= ' <title>'. check_plain($title) ."</title>\n"; + $output .= ' <link>'. check_url($link) ."</link>\n"; + $output .= ' <description>'. check_plain($description) ."</description>\n"; foreach ($args as $key => $value) { if (is_array($value)) { if ($value['key']) { @@ -743,7 +733,7 @@ function format_rss_item($title, $link, $description, $args = array()) { } } else { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."</$key>\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."</$key>\n"; } } $output .= "</item>\n"; @@ -1212,7 +1202,7 @@ function form_checkboxes($title, $name, $values, $options, $description = NULL, */ function form_textfield($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '<input type="text" maxlength="'. $maxlength .'" class="'. _form_get_class('form-text', $required, _form_get_error($name)) .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_form($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '<input type="text" maxlength="'. $maxlength .'" class="'. _form_get_class('form-text', $required, _form_get_error($name)) .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_plain($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1239,7 +1229,7 @@ function form_textfield($title, $name, $value, $size, $maxlength, $description = */ function form_password($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '<input type="password" class="'. _form_get_class('form-password', $required, _form_get_error($name)) .'" maxlength="'. $maxlength .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_form($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '<input type="password" class="'. _form_get_class('form-password', $required, _form_get_error($name)) .'" maxlength="'. $maxlength .'" name="edit['. $name .']" id="edit-'. $name .'"'. $size .' value="'. check_plain($value) .'"'. drupal_attributes($attributes) .' />', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1275,7 +1265,7 @@ function form_textarea($title, $name, $value, $cols, $rows, $description = NULL, } } - $output .= theme('form_element', $title, '<textarea wrap="virtual"'. $cols .' rows="'. $rows .'" name="edit['. $name .']" id="edit-'. $name .'" class="'. _form_get_class('textarea', $required, _form_get_error($name)) .'"'. drupal_attributes($attributes) .'>'. check_form($value) .'</textarea>', $description, 'edit-'. $name, $required, _form_get_error($name)); + $output .= theme('form_element', $title, '<textarea wrap="virtual"'. $cols .' rows="'. $rows .'" name="edit['. $name .']" id="edit-'. $name .'" class="'. _form_get_class('textarea', $required, _form_get_error($name)) .'"'. drupal_attributes($attributes) .'>'. check_plain($value) .'</textarea>', $description, 'edit-'. $name, $required, _form_get_error($name)); // e.g. optionally plug in a WYSIWYG editor foreach (module_list() as $module_name) { @@ -1321,12 +1311,12 @@ function form_select($title, $name, $value, $options, $description = NULL, $extr if (is_array($choice)) { $select .= '<optgroup label="'. $key .'">'; foreach ($choice as $key => $choice) { - $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_form($choice) .'</option>'; + $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_plain($choice) .'</option>'; } $select .= '</optgroup>'; } else { - $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_form($choice) .'</option>'; + $select .= '<option value="'. $key .'"'. (is_array($value) ? (in_array($key, $value) ? ' selected="selected"' : '') : ($value == $key ? ' selected="selected"' : '')) .'>'. check_plain($choice) .'</option>'; } } return theme('form_element', $title, '<select name="edit['. $name .']'. ($multiple ? '[]' : '') .'"'. ($multiple ? ' multiple="multiple" ' : '') . ($extra ? ' '. $extra : '') .' id="edit-'. $name .'">'. $select .'</select>', $description, 'edit-'. $name, $required, _form_get_error($name)); @@ -1370,7 +1360,7 @@ function form_file($title, $name, $size, $description = NULL, $required = FALSE) * an attacker to change the value before it is submitted. */ function form_hidden($name, $value) { - return '<input type="hidden" name="edit['. $name .']" value="'. check_form($value) ."\" />\n"; + return '<input type="hidden" name="edit['. $name .']" value="'. check_plain($value) ."\" />\n"; } /** @@ -1389,7 +1379,7 @@ function form_hidden($name, $value) { * A themed HTML string representing the button. */ function form_button($value, $name = 'op', $type = 'submit', $attributes = NULL) { - return '<input type="'. $type .'" class="form-'. $type .'" name="'. $name .'" value="'. check_form($value) .'" '. drupal_attributes($attributes) ." />\n"; + return '<input type="'. $type .'" class="form-'. $type .'" name="'. $name .'" value="'. check_plain($value) .'" '. drupal_attributes($attributes) ." />\n"; } /** @@ -1476,12 +1466,12 @@ function url($path = NULL, $query = NULL, $fragment = NULL, $absolute = FALSE) { $fragment = '#'. $fragment; } - $base = ($absolute ? $base_url . '/' : ''); + $base = ($absolute ? $base_url .'/' : ''); if (variable_get('clean_url', '0') == '0') { if (isset($path)) { if (isset($query)) { - return $base . $script .'?q='. $path .'&'. $query . $fragment; + return $base . $script .'?q='. $path .'&'. $query . $fragment; } else { return $base . $script .'?q='. $path . $fragment; @@ -1528,7 +1518,7 @@ function drupal_attributes($attributes = array()) { if ($attributes) { $t = array(); foreach ($attributes as $key => $value) { - $t[] = $key .'="'. $value .'"'; + $t[] = $key .'="'. check_plain($value) .'"'; } return ' '. implode($t, ' '); @@ -1555,10 +1545,12 @@ function drupal_attributes($attributes = array()) { * @param $absolute * Whether to force the output to be an absolute link (beginning with http:). * Useful for links that will be displayed outside the site, such as in an RSS feed. + * @param $html + * Whether the title is HTML, or just plain-text. * @return * an HTML string containing a link to the given path. */ -function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE) { +function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE, $html = FALSE) { if (drupal_get_normal_path($path) == $_GET['q']) { if (isset($attributes['class'])) { $attributes['class'] .= ' active'; @@ -1567,7 +1559,7 @@ function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $attributes['class'] = 'active'; } } - return '<a href="'. url($path, $query, $fragment, $absolute) .'"'. drupal_attributes($attributes) .'>'. $text .'</a>'; + return '<a href="'. check_url(url($path, $query, $fragment, $absolute)) .'"'. drupal_attributes($attributes) .'>'. ($html ? $text : check_plain($text)) .'</a>'; } /** @@ -1679,7 +1671,7 @@ function drupal_convert_to_utf8($data, $encoding) { $out = @mb_convert_encoding($data, 'utf-8', $encoding); } else if (function_exists('recode_string')) { - $out = @recode_string($encoding . '..utf-8', $data); + $out = @recode_string($encoding .'..utf-8', $data); } else { watchdog('php', t("Unsupported encoding '%s'. Please install iconv, GNU recode or mbstring for PHP.", $encoding), WATCHDOG_ERROR); @@ -1705,7 +1697,7 @@ function drupal_convert_to_utf8($data, $encoding) { * @param $len * An upper limit on the returned string length. * @param $wordsafe - * Flag to truncate at nearest word boundary. Defaults to FALSE. + * Flag to truncate at nearest space. Defaults to FALSE. * @return * The truncated string. */ diff --git a/includes/file.inc b/includes/file.inc index b8bf30b11..18ce0f9d9 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -76,11 +76,11 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check if directory exists. if (!is_dir($directory)) { if (($mode & FILE_CREATE_DIRECTORY) && @mkdir($directory, 0760)) { - drupal_set_message(t('Created directory %directory.', array('%directory' => "<em>$directory</em>"))); + drupal_set_message(t('Created directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { if ($form_item) { - form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => "<em>$directory</em>"))); + form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => theme('placeholder', $directory)))); } return false; } @@ -89,10 +89,10 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check to see if the directory is writable. if (!is_writable($directory)) { if (($mode & FILE_MODIFY_PERMISSIONS) && @chmod($directory, 0760)) { - drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => "<em>$directory</em>"))); + drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { - form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => "<em>$directory</em>"))); + form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => theme('placeholder', $directory)))); return false; } } diff --git a/includes/locale.inc b/includes/locale.inc index 03e6dd098..77bae2b81 100644 --- a/includes/locale.inc +++ b/includes/locale.inc @@ -23,14 +23,14 @@ function _locale_add_language($code, $name, $onlylanguage = TRUE) { // the language addition, we need to inform the user on how to start // a translation if ($onlylanguage) { - $message = t('%locale language added. You can now import a translation. See the <a href="%locale-help">help screen</a> for more information.', array('%locale' => '<em>'. t($name) .'</em>', '%locale-help' => url('admin/help/locale'))); + $message = t('%locale language added. You can now import a translation. See the <a href="%locale-help">help screen</a> for more information.', array('%locale' => theme('placeholder', t($name)), '%locale-help' => url('admin/help/locale'))); } else { - $message = t('%locale language added.', array('%locale' => '<em>'. t($name) .'</em>')); + $message = t('%locale language added.', array('%locale' => theme('placeholder', t($name)))); } drupal_set_message($message); - watchdog('locale', t('%language language (%locale) added.', array('%language' => "<em>$name</em>", '%locale' => "<em>$code</em>"))); + watchdog('locale', t('%language language (%locale) added.', array('%language' => theme('placeholder', $name), '%locale' => theme('placeholder', $code)))); } /** @@ -47,7 +47,7 @@ function _locale_admin_manage_screen() { $status = db_fetch_object(db_query("SELECT isdefault, enabled FROM {locales_meta} WHERE locale = '%s'", $key)); if ($key == 'en') { - $rows[] = array('en', $lang, form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); + $rows[] = array('en', check_plain($lang), form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); } else { $original = db_fetch_object(db_query("SELECT COUNT(*) AS strings FROM {locales_source}")); @@ -55,7 +55,7 @@ function _locale_admin_manage_screen() { $ratio = ($original->strings > 0 && $translation->translation > 0) ? round(($translation->translation/$original->strings)*100., 2) : 0; - $rows[] = array($key, ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); + $rows[] = array(check_plain($key), ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); } } @@ -132,7 +132,7 @@ function _locale_import_po($file, $lang, $mode) { // Check if we can get the strings from the file if (!($strings = _locale_import_read_po($file))) { - drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => "<em>$file->filename</em>")), 'error'); + drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } @@ -154,7 +154,7 @@ function _locale_import_po($file, $lang, $mode) { } } else { - drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => "<em>$file->filename</em>")), 'error'); + drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } @@ -257,7 +257,7 @@ function _locale_import_po($file, $lang, $mode) { menu_rebuild(); drupal_set_message(t('Translation successfully imported. %number translated strings added to language, %update strings updated.', array('%number' => $additions, '%update' => $updates))); - watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => "<em>$file->filename</em>", '%locale' => "<em>$lang</em>", '%number' => $additions, '%update' => $updates))); + watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => theme('placeholder', $file->filename), '%locale' => theme('placeholder', $lang), '%number' => $additions, '%update' => $updates))); return TRUE; } @@ -269,9 +269,10 @@ function _locale_import_po($file, $lang, $mode) { */ function _locale_import_read_po($file) { + $message = theme('placeholder', $file->filename); $fd = fopen($file->filepath, "rb"); if (!$fd) { - drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => "<em>$file->filename</em>")), 'error'); + drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => $message)), 'error'); return FALSE; } $info = fstat($fd); @@ -303,19 +304,19 @@ function _locale_import_read_po($file) { $context = "COMMENT"; } else { // Parse error - drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } elseif (!strncmp("msgid_plural", $line, 12)) { if ($context != "MSGID") { // Must be plural form for current entry - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 12)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $current["msgid"] ."\0". $quoted; @@ -327,13 +328,13 @@ function _locale_import_read_po($file) { $current = array(); } elseif ($context == "MSGID") { // Already in this context? Parse error - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 5)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $quoted; @@ -341,11 +342,11 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr[", $line, 7)) { if (($context != "MSGID") && ($context != "MSGID_PLURAL") && ($context != "MSGSTR_ARR")) { // Must come after msgid, msgid_plural, or msgstr[] - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (strpos($line, "]") === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $frombracket = strstr($line, "["); @@ -353,7 +354,7 @@ function _locale_import_read_po($file) { $line = trim(strstr($line, " ")); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"][$plural] = $quoted; @@ -361,13 +362,13 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr", $line, 6)) { if ($context != "MSGID") { // Should come just after a msgid block - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 6)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"] = $quoted; @@ -376,7 +377,7 @@ function _locale_import_read_po($file) { elseif ($line != "") { $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (($context == "MSGID") || ($context == "MSGID_PLURAL")) { @@ -389,7 +390,7 @@ function _locale_import_read_po($file) { $current["msgstr"][$plural] .= $quoted; } else { - drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } @@ -400,7 +401,7 @@ function _locale_import_read_po($file) { $strings[$current["msgid"]] = $current; } elseif ($context != "COMMENT") { - drupal_set_message(t('Translation file %filename broken: unexpected end file at line %line.', array('%filename' => "<em>$file->filename</em>", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected end of file at line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } @@ -465,7 +466,7 @@ function _locale_import_parse_plural_forms($pluralforms, $filename) { return array($nplurals, $plural); } else { - drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => "<em>$filename</em>")), 'error'); + drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => theme('placeholder', $filename))), 'error'); return FALSE; } } @@ -768,7 +769,7 @@ function _locale_export_po($language) { $header .= "\"Plural-Forms: nplurals=". $meta->plurals ."; plural=". strtr($meta->formula, '$', '') .";\\n\"\n"; } $header .= "\n"; - watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => "<em>$meta->name</em>", '%filename' => "<em>$filename</em>"))); + watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => theme('placeholder', $meta->name), '%filename' => theme('placeholder', $filename)))); } // Generating Portable Object Template @@ -789,7 +790,7 @@ function _locale_export_po($language) { $header .= "\"Content-Transfer-Encoding: 8bit\\n\"\n"; $header .= "\"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\\n\"\n"; $header .= "\n"; - watchdog('locale', t('Exported translation file: %filename.', array('%filename' => "<em>$filename</em>"))); + watchdog('locale', t('Exported translation file: %filename.', array('%filename' => theme('placeholder', $filename)))); } // Start download process @@ -1080,6 +1081,7 @@ function _locale_string_seek_form() { // Get *all* languages set up $languages = locale_supported_languages(FALSE, TRUE); asort($languages['name']); unset($languages['name']['en']); + $languages['name'] = array_map('check_plain', $languages['name']); // Present edit form preserving previous user settings $query = _locale_string_seek_query(); diff --git a/includes/pager.inc b/includes/pager.inc index 43639c7a6..ddd6c399d 100644 --- a/includes/pager.inc +++ b/includes/pager.inc @@ -384,19 +384,19 @@ function pager_link($from_new, $element, $attributes = array()) { $q = $_GET['q']; $from = array_key_exists('from', $_GET) ? $_GET['from'] : ''; - foreach($attributes as $key => $value) { + foreach ($attributes as $key => $value) { $query[] = $key .'='. $value; } $from_new = pager_load_array($from_new[$element], $element, explode(',', $from)); if (count($attributes)) { - $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); + $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); } else { $url = url($q, 'from='. implode($from_new, ',')); } - return $url; + return check_url($url); } function pager_load_array($value, $element, $old_array) { diff --git a/includes/tablesort.inc b/includes/tablesort.inc index ad0268352..e4f044d89 100644 --- a/includes/tablesort.inc +++ b/includes/tablesort.inc @@ -87,7 +87,7 @@ function tablesort_header($cell, $header, $ts) { $ts['sort'] = 'asc'; $image = ''; } - $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string']); + $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string'], NULL, FALSE, TRUE); unset($cell['field'], $cell['sort']); } @@ -139,7 +139,7 @@ function tablesort_get_querystring() { $query_string = ''; foreach ($cgi as $key => $val) { if ($key != 'order' && $key != 'sort' && $key != 'q') { - $query_string .= '&'. $key .'='. $val; + $query_string .= '&'. $key .'='. $val; } } return $query_string; diff --git a/includes/theme.inc b/includes/theme.inc index 14b2181e3..789841152 100644 --- a/includes/theme.inc +++ b/includes/theme.inc @@ -225,8 +225,8 @@ function path_to_theme() { */ function theme_get_settings($key = NULL) { $defaults = array( - 'primary_links' => l('edit primary links', 'admin/themes/settings'), - 'secondary_links' => l('edit secondary links', 'admin/themes/settings'), + 'primary_links' => l(t('edit primary links'), 'admin/themes/settings'), + 'secondary_links' => l(t('edit secondary links'), 'admin/themes/settings'), 'mission' => '', 'default_logo' => 1, 'logo_path' => '', @@ -348,6 +348,20 @@ function theme_get_styles() { * * The theme system is described and defined in theme.inc. */ + +/** + * Format a dynamic text string for emphasised display in a placeholder. + * + * E.g. t('Added term %term', array('%term' => theme('placeholder', $term))) + * + * @param $text + * The text to format (plain-text). + * @return + * The formatted text (html). + */ +function theme_placeholder($text) { + return '<em>'. check_plain($text) .'</em>'; +} /** * Return an entire Drupal page displaying the supplied content. @@ -361,7 +375,7 @@ function theme_page($content) { $output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n"; $output .= '<html xmlns="http://www.w3.org/1999/xhtml">'; $output .= '<head>'; - $output .= ' <title>'. (drupal_get_title() ? drupal_get_title() : variable_get('site_name', 'drupal')) .'</title>'; + $output .= ' <title>'. (drupal_get_title() ? strip_tags(drupal_get_title()) : variable_get('site_name', 'drupal')) .'</title>'; $output .= drupal_get_html_head(); $output .= theme_get_styles(); @@ -500,7 +514,7 @@ function theme_node($node, $teaser = FALSE, $page = FALSE) { } if ($page == 0) { - $output = '<h2 class="title">'. $node->title .'</h2> by '. format_name($node); + $output = '<h2 class="title">'. check_plain($node->title) .'</h2> by '. format_name($node); } else { $output = 'by '. format_name($node); diff --git a/modules/aggregator.module b/modules/aggregator.module index edd23ad1e..2374afd9c 100644 --- a/modules/aggregator.module +++ b/modules/aggregator.module @@ -198,11 +198,11 @@ function aggregator_block($op, $delta = 0, $edit = array()) { if ($op == 'list') { $result = db_query('SELECT cid, title FROM {aggregator_category} ORDER BY title'); while ($category = db_fetch_object($result)) { - $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => $category->title)); + $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => theme('placeholder', $category->title))); } $result = db_query('SELECT fid, title FROM {aggregator_feed} ORDER BY fid'); while ($feed = db_fetch_object($result)) { - $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => $feed->title)); + $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => theme('placeholder', $feed->title))); } } else if ($op == 'configure') { @@ -231,7 +231,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { switch ($type) { case 'feed': if ($feed = db_fetch_object(db_query('SELECT fid, title, block FROM {aggregator_feed} WHERE fid = %d', $id))) { - $block['subject'] = $feed->title; + $block['subject'] = check_plain($feed->title); $result = db_query_range('SELECT * FROM {aggregator_item} WHERE fid = %d ORDER BY timestamp DESC, iid DESC', $feed->fid, 0, $feed->block); $block['content'] = '<div class="more-link">'. l(t('more'), 'aggregator/sources/'. $feed->fid, array('title' => t('View this feed\'s recent news.'))) .'</div>'; } @@ -239,7 +239,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { case 'category': if ($category = db_fetch_object(db_query('SELECT cid, title, block FROM {aggregator_category} WHERE cid = %d', $id))) { - $block['subject'] = $category->title; + $block['subject'] = check_plain($category->title); $result = db_query_range('SELECT i.* FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON ci.iid = i.iid WHERE ci.cid = %d ORDER BY i.timestamp DESC, i.iid DESC', $category->cid, 0, $category->block); $block['content'] = '<div class="more-link">'. l(t('more'), 'aggregator/categories/'. $category->cid, array('title' => t('View this category\'s recent news.'))) .'</div>'; } @@ -265,7 +265,7 @@ function aggregator_remove($feed) { } db_query('DELETE FROM {aggregator_item} WHERE fid = %d', $feed['fid']); db_query("UPDATE {aggregator_feed} SET checked = 0, etag = '', modified = 0 WHERE fid = %d", $feed['fid']); - drupal_set_message(t('Removed news items from %site.', array('%site' => '<em>'. $feed['title'] .'</em>'))); + drupal_set_message(t('Removed news items from %site.', array('%site' => theme('placeholder', $feed['title'])))); } /** @@ -345,11 +345,11 @@ function aggregator_refresh($feed) { switch ($result->code) { case 304: db_query('UPDATE {aggregator_feed} SET checked = %d WHERE fid = %d', time(), $feed['fid']); - drupal_set_message(t('No new syndicated content from %site.', array('%site' => '<em>'. $feed['title'] .'</em>'))); + drupal_set_message(t('No new syndicated content from %site.', array('%site' => theme('placeholder', $feed['title'])))); break; case 301: $feed['url'] = $result->redirect_url; - watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => '<em>'. $feed['title'] .'</em>', '%url' => '<em>'. $feed['url'] .'</em>'))); + watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => theme('placeholder', $feed['title']), '%url' => theme('placeholder', $feed['url'])))); break; case 200: @@ -397,13 +397,13 @@ function aggregator_refresh($feed) { cache_clear_all(); - $message = t('Syndicated content from %site.', array('%site' => '<em>'. $feed[title] .'</em>')); + $message = t('Syndicated content from %site.', array('%site' => theme('placeholder', $feed[title]))); watchdog('aggregator', $message); drupal_set_message($message); } break; default: - $message = t('Failed to parse RSS feed %site: %error.', array('%site' => '<em>'. $feed['title'] .'</em>', '%error' => "<em>$result->code $result->error</em>")); + $message = t('Failed to parse RSS feed %site: %error.', array('%site' => theme('placeholder', $feed['title']), '%error' => theme('placeholder', $result->code .' '. $result->error))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message); } @@ -461,7 +461,7 @@ function aggregator_parse_feed(&$data, $feed) { xml_set_character_data_handler($xml_parser, 'aggregator_element_data'); if (!xml_parse($xml_parser, $data, 1)) { - $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => '<em>'. $feed['title'] .'</em>', '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); + $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => theme('placeholder', $feed['title']), '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message, 'error'); return 0; @@ -554,7 +554,7 @@ function aggregator_parse_feed(&$data, $feed) { } if (!valid_input_data($item['DESCRIPTION'])) { - drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => '<em>'. $feed['title'] .'</em>')), 'error'); + drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => theme('placeholder', $feed['title']))), 'error'); } else { aggregator_save_item(array('iid' => $entry->iid, 'fid' => $feed['fid'], 'timestamp' => $timestamp, 'title' => $title, 'link' => $link, 'author' => $item['AUTHOR'], 'description' => $item['DESCRIPTION'])); @@ -643,7 +643,7 @@ function aggregator_form_feed($edit = array()) { $categories = db_query('SELECT c.cid, c.title, f.fid FROM {aggregator_category} c LEFT JOIN {aggregator_category_feed} f ON c.cid = f.cid AND f.fid = %d ORDER BY title', $edit['fid']); while ($category = db_fetch_object($categories)) { $options[$category->cid] = $category->title; - if ($category->fid) $values[] = $category->cid; + if ($category->fid) $values[] = check_plain($category->cid); } if ($options) { $form .= form_checkboxes(t('Categorize news items'), 'category', $values, $options, t('New items in this feed will be automatically filed in the the checked categories as they are received.')); @@ -920,7 +920,7 @@ function _aggregator_page_list($sql, $op, $header = '') { $selected = array(); while ($category = db_fetch_object($categories_result)) { if (!$done) { - $categories[$category->cid] = check_form($category->title); + $categories[$category->cid] = check_plain($category->title); } if ($category->iid) { $selected[] = $category->cid; @@ -932,7 +932,7 @@ function _aggregator_page_list($sql, $op, $header = '') { else { $form = ''; while ($category = db_fetch_object($categories_result)) { - $form .= form_checkbox(check_form($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); + $form .= form_checkbox(check_plain($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); } } $rows[] = array(theme('aggregator_page_item', $item), array('data' => $form, 'class' => 'categorize-item')); @@ -960,7 +960,7 @@ function aggregator_page_sources() { $result = db_query('SELECT f.fid, f.title, f.description, f.image, MAX(i.timestamp) AS last FROM {aggregator_feed} f LEFT JOIN {aggregator_item} i ON f.fid = i.fid GROUP BY f.fid'); $output = "<div id=\"aggregator\">\n"; while ($feed = db_fetch_object($result)) { - $output .= "<h2>$feed->title</h2>\n"; + $output .= '<h2>'. check_plain($feed->title) ."</h2>\n"; // Most recent items: $list = array(); @@ -987,13 +987,13 @@ function aggregator_page_opml() { $output = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"; $output .= "<opml version=\"1.1\">\n"; $output .= "<head>\n"; - $output .= '<title>'. drupal_specialchars(variable_get('site_name', 'Drupal')) ."</title>\n"; + $output .= '<title>'. check_plain(variable_get('site_name', 'Drupal')) ."</title>\n"; $output .= '<dateModified>'. gmdate('r') ."</dateModified>\n"; $output .= "</head>\n"; $output .= "<body>\n"; while ($feed = db_fetch_object($result)) { - $output .= '<outline text="'. drupal_specialchars($feed->title) .'" xmlUrl="'. drupal_specialchars($feed->url) ."\" />\n"; + $output .= '<outline text="'. check_plain($feed->title) .'" xmlUrl="'. check_url($feed->url) ."\" />\n"; } $output .= "</body>\n"; @@ -1011,7 +1011,7 @@ function aggregator_page_categories() { $output = "<div id=\"aggregator\">\n"; while ($category = db_fetch_object($result)) { - $output .= "<h2>$category->title</h2>\n"; + $output .= '<h2>'. check_plain($category->title) ."</h2>\n"; if (variable_get('aggregator_summary_items', 3)) { $list = array(); $items = db_query_range('SELECT i.title, i.timestamp, i.link, f.title as feed_title, f.link as feed_link FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON i.iid = ci.iid LEFT JOIN {aggregator_feed} f ON i.fid = f.fid WHERE ci.cid = %d ORDER BY i.timestamp DESC', $category->cid, 0, variable_get('aggregator_summary_items', 3)); @@ -1042,7 +1042,7 @@ function theme_aggregator_feed($feed) { $output .= $feed->description; $output .= '<h3>'. t('URL') ."</h3>\n"; $output .= theme('xml_icon', $feed->url); - $output .= "<a href=\"$feed->link\">$feed->link</a>\n"; + $output .= '<a href="'. check_url($feed->link) .'">'. check_plain($feed->link) ."</a>\n"; $output .= '<h3>'. t('Last update') ."</h3>\n"; $updated = t('%time ago', array('%time' => format_interval(time() - $feed->checked))); @@ -1066,12 +1066,12 @@ function theme_aggregator_block_item($item, $feed = 0) { if ($user->uid && module_exist('blog') && user_access('edit own blog')) { if ($image = theme('image', 'misc/blog.png', t('blog it'), t('blog it'))) { - $output .= '<div class="icon">'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid") .'</div>'; + $output .= '<div class="icon">'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid", NULL, FALSE, TRUE) .'</div>'; } } // Display the external link to the item. - $output .= "<a href=\"$item->link\">$item->title</a>\n"; + $output .= '<a href="'. check_url($item->link) .'">'. check_plain($item->title) ."</a>\n"; return $output; } @@ -1086,7 +1086,7 @@ function theme_aggregator_block_item($item, $feed = 0) { * @ingroup themeable */ function theme_aggregator_summary_item($item) { - $output = '<a href="'. check_url($item->link) .'">'. $item->title .'</a> <span class="age">'. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .'</span>'; + $output = '<a href="'. check_url($item->link) .'">'. check_plain($item->title) .'</a> <span class="age">'. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .'</span>'; if ($item->feed_link) { $output .= ', <span class="source"><a href="'. $item->feed_link .'">'. $item->feed_title .'</a></span>'; } @@ -1110,9 +1110,9 @@ function theme_aggregator_page_item($item) { $output .= "<div class=\"news-item\">\n"; $output .= ' <div class="date">'. date('H:i', $item->timestamp) ."</div>\n"; $output .= " <div class=\"body\">\n"; - $output .= " <div class=\"title\"><a href=\"$item->link\">$item->title</a></div>\n"; + $output .= ' <div class="title"><a href="'. check_url($item->link) .'">'. check_plain($item->title) ."</a></div>\n"; if ($item->description) { - $output .= " <div class=\"description\">$item->description</div>\n"; + $output .= ' <div class="description">'. check_plain($item->description) ."</div>\n"; } if ($item->ftitle && $item->fid) { $output .= ' <div class="source">'. t('Source') .': '. l($item->ftitle, "aggregator/sources/$item->fid") ."</div>\n"; diff --git a/modules/aggregator/aggregator.module b/modules/aggregator/aggregator.module index edd23ad1e..2374afd9c 100644 --- a/modules/aggregator/aggregator.module +++ b/modules/aggregator/aggregator.module @@ -198,11 +198,11 @@ function aggregator_block($op, $delta = 0, $edit = array()) { if ($op == 'list') { $result = db_query('SELECT cid, title FROM {aggregator_category} ORDER BY title'); while ($category = db_fetch_object($result)) { - $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => $category->title)); + $block['category:'. $category->cid]['info'] = t('%title category latest items', array('%title' => theme('placeholder', $category->title))); } $result = db_query('SELECT fid, title FROM {aggregator_feed} ORDER BY fid'); while ($feed = db_fetch_object($result)) { - $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => $feed->title)); + $block['feed:'. $feed->fid]['info'] = t('%title feed latest items', array('%title' => theme('placeholder', $feed->title))); } } else if ($op == 'configure') { @@ -231,7 +231,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { switch ($type) { case 'feed': if ($feed = db_fetch_object(db_query('SELECT fid, title, block FROM {aggregator_feed} WHERE fid = %d', $id))) { - $block['subject'] = $feed->title; + $block['subject'] = check_plain($feed->title); $result = db_query_range('SELECT * FROM {aggregator_item} WHERE fid = %d ORDER BY timestamp DESC, iid DESC', $feed->fid, 0, $feed->block); $block['content'] = '<div class="more-link">'. l(t('more'), 'aggregator/sources/'. $feed->fid, array('title' => t('View this feed\'s recent news.'))) .'</div>'; } @@ -239,7 +239,7 @@ function aggregator_block($op, $delta = 0, $edit = array()) { case 'category': if ($category = db_fetch_object(db_query('SELECT cid, title, block FROM {aggregator_category} WHERE cid = %d', $id))) { - $block['subject'] = $category->title; + $block['subject'] = check_plain($category->title); $result = db_query_range('SELECT i.* FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON ci.iid = i.iid WHERE ci.cid = %d ORDER BY i.timestamp DESC, i.iid DESC', $category->cid, 0, $category->block); $block['content'] = '<div class="more-link">'. l(t('more'), 'aggregator/categories/'. $category->cid, array('title' => t('View this category\'s recent news.'))) .'</div>'; } @@ -265,7 +265,7 @@ function aggregator_remove($feed) { } db_query('DELETE FROM {aggregator_item} WHERE fid = %d', $feed['fid']); db_query("UPDATE {aggregator_feed} SET checked = 0, etag = '', modified = 0 WHERE fid = %d", $feed['fid']); - drupal_set_message(t('Removed news items from %site.', array('%site' => '<em>'. $feed['title'] .'</em>'))); + drupal_set_message(t('Removed news items from %site.', array('%site' => theme('placeholder', $feed['title'])))); } /** @@ -345,11 +345,11 @@ function aggregator_refresh($feed) { switch ($result->code) { case 304: db_query('UPDATE {aggregator_feed} SET checked = %d WHERE fid = %d', time(), $feed['fid']); - drupal_set_message(t('No new syndicated content from %site.', array('%site' => '<em>'. $feed['title'] .'</em>'))); + drupal_set_message(t('No new syndicated content from %site.', array('%site' => theme('placeholder', $feed['title'])))); break; case 301: $feed['url'] = $result->redirect_url; - watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => '<em>'. $feed['title'] .'</em>', '%url' => '<em>'. $feed['url'] .'</em>'))); + watchdog('aggregator', t('Updated URL for feed %title to %url.', array('%title' => theme('placeholder', $feed['title']), '%url' => theme('placeholder', $feed['url'])))); break; case 200: @@ -397,13 +397,13 @@ function aggregator_refresh($feed) { cache_clear_all(); - $message = t('Syndicated content from %site.', array('%site' => '<em>'. $feed[title] .'</em>')); + $message = t('Syndicated content from %site.', array('%site' => theme('placeholder', $feed[title]))); watchdog('aggregator', $message); drupal_set_message($message); } break; default: - $message = t('Failed to parse RSS feed %site: %error.', array('%site' => '<em>'. $feed['title'] .'</em>', '%error' => "<em>$result->code $result->error</em>")); + $message = t('Failed to parse RSS feed %site: %error.', array('%site' => theme('placeholder', $feed['title']), '%error' => theme('placeholder', $result->code .' '. $result->error))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message); } @@ -461,7 +461,7 @@ function aggregator_parse_feed(&$data, $feed) { xml_set_character_data_handler($xml_parser, 'aggregator_element_data'); if (!xml_parse($xml_parser, $data, 1)) { - $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => '<em>'. $feed['title'] .'</em>', '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); + $message = t('Failed to parse RSS feed %site: %error at line %line.', array('%site' => theme('placeholder', $feed['title']), '%error' => xml_error_string(xml_get_error_code($xml_parser)), '%line' => xml_get_current_line_number($xml_parser))); watchdog('aggregator', $message, WATCHDOG_WARNING); drupal_set_message($message, 'error'); return 0; @@ -554,7 +554,7 @@ function aggregator_parse_feed(&$data, $feed) { } if (!valid_input_data($item['DESCRIPTION'])) { - drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => '<em>'. $feed['title'] .'</em>')), 'error'); + drupal_set_message(t('Failed to parse entry from %site feed: suspicious input data.', array('%site' => theme('placeholder', $feed['title']))), 'error'); } else { aggregator_save_item(array('iid' => $entry->iid, 'fid' => $feed['fid'], 'timestamp' => $timestamp, 'title' => $title, 'link' => $link, 'author' => $item['AUTHOR'], 'description' => $item['DESCRIPTION'])); @@ -643,7 +643,7 @@ function aggregator_form_feed($edit = array()) { $categories = db_query('SELECT c.cid, c.title, f.fid FROM {aggregator_category} c LEFT JOIN {aggregator_category_feed} f ON c.cid = f.cid AND f.fid = %d ORDER BY title', $edit['fid']); while ($category = db_fetch_object($categories)) { $options[$category->cid] = $category->title; - if ($category->fid) $values[] = $category->cid; + if ($category->fid) $values[] = check_plain($category->cid); } if ($options) { $form .= form_checkboxes(t('Categorize news items'), 'category', $values, $options, t('New items in this feed will be automatically filed in the the checked categories as they are received.')); @@ -920,7 +920,7 @@ function _aggregator_page_list($sql, $op, $header = '') { $selected = array(); while ($category = db_fetch_object($categories_result)) { if (!$done) { - $categories[$category->cid] = check_form($category->title); + $categories[$category->cid] = check_plain($category->title); } if ($category->iid) { $selected[] = $category->cid; @@ -932,7 +932,7 @@ function _aggregator_page_list($sql, $op, $header = '') { else { $form = ''; while ($category = db_fetch_object($categories_result)) { - $form .= form_checkbox(check_form($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); + $form .= form_checkbox(check_plain($category->title), 'categories]['. $item->iid .'][', $category->cid, !is_null($category->iid)); } } $rows[] = array(theme('aggregator_page_item', $item), array('data' => $form, 'class' => 'categorize-item')); @@ -960,7 +960,7 @@ function aggregator_page_sources() { $result = db_query('SELECT f.fid, f.title, f.description, f.image, MAX(i.timestamp) AS last FROM {aggregator_feed} f LEFT JOIN {aggregator_item} i ON f.fid = i.fid GROUP BY f.fid'); $output = "<div id=\"aggregator\">\n"; while ($feed = db_fetch_object($result)) { - $output .= "<h2>$feed->title</h2>\n"; + $output .= '<h2>'. check_plain($feed->title) ."</h2>\n"; // Most recent items: $list = array(); @@ -987,13 +987,13 @@ function aggregator_page_opml() { $output = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"; $output .= "<opml version=\"1.1\">\n"; $output .= "<head>\n"; - $output .= '<title>'. drupal_specialchars(variable_get('site_name', 'Drupal')) ."</title>\n"; + $output .= '<title>'. check_plain(variable_get('site_name', 'Drupal')) ."</title>\n"; $output .= '<dateModified>'. gmdate('r') ."</dateModified>\n"; $output .= "</head>\n"; $output .= "<body>\n"; while ($feed = db_fetch_object($result)) { - $output .= '<outline text="'. drupal_specialchars($feed->title) .'" xmlUrl="'. drupal_specialchars($feed->url) ."\" />\n"; + $output .= '<outline text="'. check_plain($feed->title) .'" xmlUrl="'. check_url($feed->url) ."\" />\n"; } $output .= "</body>\n"; @@ -1011,7 +1011,7 @@ function aggregator_page_categories() { $output = "<div id=\"aggregator\">\n"; while ($category = db_fetch_object($result)) { - $output .= "<h2>$category->title</h2>\n"; + $output .= '<h2>'. check_plain($category->title) ."</h2>\n"; if (variable_get('aggregator_summary_items', 3)) { $list = array(); $items = db_query_range('SELECT i.title, i.timestamp, i.link, f.title as feed_title, f.link as feed_link FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON i.iid = ci.iid LEFT JOIN {aggregator_feed} f ON i.fid = f.fid WHERE ci.cid = %d ORDER BY i.timestamp DESC', $category->cid, 0, variable_get('aggregator_summary_items', 3)); @@ -1042,7 +1042,7 @@ function theme_aggregator_feed($feed) { $output .= $feed->description; $output .= '<h3>'. t('URL') ."</h3>\n"; $output .= theme('xml_icon', $feed->url); - $output .= "<a href=\"$feed->link\">$feed->link</a>\n"; + $output .= '<a href="'. check_url($feed->link) .'">'. check_plain($feed->link) ."</a>\n"; $output .= '<h3>'. t('Last update') ."</h3>\n"; $updated = t('%time ago', array('%time' => format_interval(time() - $feed->checked))); @@ -1066,12 +1066,12 @@ function theme_aggregator_block_item($item, $feed = 0) { if ($user->uid && module_exist('blog') && user_access('edit own blog')) { if ($image = theme('image', 'misc/blog.png', t('blog it'), t('blog it'))) { - $output .= '<div class="icon">'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid") .'</div>'; + $output .= '<div class="icon">'. l($image, 'node/add/blog', array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), "iid=$item->iid", NULL, FALSE, TRUE) .'</div>'; } } // Display the external link to the item. - $output .= "<a href=\"$item->link\">$item->title</a>\n"; + $output .= '<a href="'. check_url($item->link) .'">'. check_plain($item->title) ."</a>\n"; return $output; } @@ -1086,7 +1086,7 @@ function theme_aggregator_block_item($item, $feed = 0) { * @ingroup themeable */ function theme_aggregator_summary_item($item) { - $output = '<a href="'. check_url($item->link) .'">'. $item->title .'</a> <span class="age">'. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .'</span>'; + $output = '<a href="'. check_url($item->link) .'">'. check_plain($item->title) .'</a> <span class="age">'. t('%age old', array('%age' => format_interval(time() - $item->timestamp))) .'</span>'; if ($item->feed_link) { $output .= ', <span class="source"><a href="'. $item->feed_link .'">'. $item->feed_title .'</a></span>'; } @@ -1110,9 +1110,9 @@ function theme_aggregator_page_item($item) { $output .= "<div class=\"news-item\">\n"; $output .= ' <div class="date">'. date('H:i', $item->timestamp) ."</div>\n"; $output .= " <div class=\"body\">\n"; - $output .= " <div class=\"title\"><a href=\"$item->link\">$item->title</a></div>\n"; + $output .= ' <div class="title"><a href="'. check_url($item->link) .'">'. check_plain($item->title) ."</a></div>\n"; if ($item->description) { - $output .= " <div class=\"description\">$item->description</div>\n"; + $output .= ' <div class="description">'. check_plain($item->description) ."</div>\n"; } if ($item->ftitle && $item->fid) { $output .= ' <div class="source">'. t('Source') .': '. l($item->ftitle, "aggregator/sources/$item->fid") ."</div>\n"; diff --git a/modules/archive.module b/modules/archive.module index 446071c33..de6b87948 100644 --- a/modules/archive.module +++ b/modules/archive.module @@ -91,7 +91,7 @@ function archive_calendar($original = 0) { $output .= "\n<!-- calendar -->\n"; $output .= '<div class="calendar">'; $output .= '<table summary="'. t('A calendar to browse the archives') .".\">\n"; - $output .= ' <caption>'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."</caption>\n"; + $output .= ' <caption>'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."</caption>\n"; // First day of week (0 => Sunday, 1 => Monday, ...) $weekstart = variable_get('date_first_day', 0); diff --git a/modules/archive/archive.module b/modules/archive/archive.module index 446071c33..de6b87948 100644 --- a/modules/archive/archive.module +++ b/modules/archive/archive.module @@ -91,7 +91,7 @@ function archive_calendar($original = 0) { $output .= "\n<!-- calendar -->\n"; $output .= '<div class="calendar">'; $output .= '<table summary="'. t('A calendar to browse the archives') .".\">\n"; - $output .= ' <caption>'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."</caption>\n"; + $output .= ' <caption>'. l('«', 'archive/'. date('Y/m/d', $prev), array('title' => t('Previous month'))) .' '. format_date($requested, 'custom', 'F') . date(' Y', $requested) .' '. ($nextmonth <= time() ? l('»', 'archive/'. date('Y/m/d', $next), array('title' => t('Next month'))) : ' ') ."</caption>\n"; // First day of week (0 => Sunday, 1 => Monday, ...) $weekstart = variable_get('date_first_day', 0); diff --git a/modules/block.module b/modules/block.module index 78a848f5e..caeee3691 100644 --- a/modules/block.module +++ b/modules/block.module @@ -86,7 +86,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'list': $result = db_query('SELECT bid, title, info FROM {boxes} ORDER BY title'); while ($block = db_fetch_object($result)) { - $blocks[$block->bid]['info'] = $block->info ? $block->info : $block->title; + $blocks[$block->bid]['info'] = $block->info ? check_plain($block->info) : check_plain($block->title); } return $blocks; @@ -103,7 +103,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'view': $block = db_fetch_object(db_query('SELECT * FROM {boxes} WHERE bid = %d', $delta)); - $data['subject'] = $block->title; + $data['subject'] = check_plain($block->title); $data['content'] = check_output($block->body, $block->format); return $data; } @@ -335,13 +335,13 @@ function block_box_delete($bid = 0) { if ($_POST['edit']['confirm']) { db_query('DELETE FROM {boxes} WHERE bid = %d', $bid); - drupal_set_message(t('The block %name has been deleted.', array('%name' => '<em>'. $info .'</em>'))); + drupal_set_message(t('The block %name has been deleted.', array('%name' => theme('placeholder', $info)))); cache_clear_all(); drupal_goto('admin/block'); } else { $output = theme('confirm', - t('Are you sure you want to delete the block %name?', array('%name' => '<em>'. $info .'</em>')), + t('Are you sure you want to delete the block %name?', array('%name' => theme('placeholder', $info))), 'admin/block', NULL, t('Delete')); diff --git a/modules/block/block.module b/modules/block/block.module index 78a848f5e..caeee3691 100644 --- a/modules/block/block.module +++ b/modules/block/block.module @@ -86,7 +86,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'list': $result = db_query('SELECT bid, title, info FROM {boxes} ORDER BY title'); while ($block = db_fetch_object($result)) { - $blocks[$block->bid]['info'] = $block->info ? $block->info : $block->title; + $blocks[$block->bid]['info'] = $block->info ? check_plain($block->info) : check_plain($block->title); } return $blocks; @@ -103,7 +103,7 @@ function block_block($op = 'list', $delta = 0, $edit = array()) { case 'view': $block = db_fetch_object(db_query('SELECT * FROM {boxes} WHERE bid = %d', $delta)); - $data['subject'] = $block->title; + $data['subject'] = check_plain($block->title); $data['content'] = check_output($block->body, $block->format); return $data; } @@ -335,13 +335,13 @@ function block_box_delete($bid = 0) { if ($_POST['edit']['confirm']) { db_query('DELETE FROM {boxes} WHERE bid = %d', $bid); - drupal_set_message(t('The block %name has been deleted.', array('%name' => '<em>'. $info .'</em>'))); + drupal_set_message(t('The block %name has been deleted.', array('%name' => theme('placeholder', $info)))); cache_clear_all(); drupal_goto('admin/block'); } else { $output = theme('confirm', - t('Are you sure you want to delete the block %name?', array('%name' => '<em>'. $info .'</em>')), + t('Are you sure you want to delete the block %name?', array('%name' => theme('placeholder', $info))), 'admin/block', NULL, t('Delete')); diff --git a/modules/blogapi.module b/modules/blogapi.module index a3a5c75de..58807c87b 100644 --- a/modules/blogapi.module +++ b/modules/blogapi.module @@ -153,7 +153,7 @@ function blogapi_new_post($req_params) { $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval($nid, 'string')); } @@ -215,7 +215,7 @@ function blogapi_edit_post($req_params) { } $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval(true, 'boolean')); } diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module index a3a5c75de..58807c87b 100644 --- a/modules/blogapi/blogapi.module +++ b/modules/blogapi/blogapi.module @@ -153,7 +153,7 @@ function blogapi_new_post($req_params) { $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: added %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval($nid, 'string')); } @@ -215,7 +215,7 @@ function blogapi_edit_post($req_params) { } $nid = node_save($node); if ($nid) { - watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); + watchdog('content', t('%type: updated %title using blog API.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$nid")); return new xmlrpcresp(new xmlrpcval(true, 'boolean')); } diff --git a/modules/book.module b/modules/book.module index 76bb98b60..576f8fd1a 100644 --- a/modules/book.module +++ b/modules/book.module @@ -148,7 +148,7 @@ function book_block($op = 'list', $delta = 0) { $expand[] = $node->nid; } - $block['subject'] = $path[0]->title; + $block['subject'] = check_plain($path[0]->title); $block['content'] = book_tree($expand[0], 5, $expand); } } @@ -287,7 +287,7 @@ function book_outline() { $output .= form_submit(t('Add to book outline')); } - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', form($output)); } } @@ -477,7 +477,7 @@ function theme_book_navigation($node) { $links .= '<div class="prev">'; $links .= l(t('previous'), 'node/'. $prev->nid, array('title' => t('View the previous page.'))); $links .= '</div>'; - $titles .= '<div class="prev">'. $prev->title .'</div>'; + $titles .= '<div class="prev">'. check_plain($prev->title) .'</div>'; } else { $links .= '<div class="prev"> </div>'; // Make an empty div to fill the space. @@ -486,7 +486,7 @@ function theme_book_navigation($node) { $links .= '<div class="next">'; $links .= l(t('next'), 'node/'. $next->nid, array('title' => t('View the next page.'))); $links .= '</div>'; - $titles .= '<div class="next">'. $next->title .'</div>'; + $titles .= '<div class="next">'. check_plain($next->title) .'</div>'; } else { $links .= '<div class="next"> </div>'; // Make an empty div to fill the space. @@ -633,7 +633,7 @@ function book_print($nid = 0, $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>'; + $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>'; if ($node->body) { $output .= $node->body; @@ -643,7 +643,7 @@ function book_print($nid = 0, $depth = 1) { $output .= book_print_recurse($nid, $depth); - $html = '<html><head><title>'. $node->title .'</title>'; + $html = '<html><head><title>'. check_plain($node->title) .'</title>'; $html .= '<base href="'. $base_url .'/" />'; $html .= "<style type=\"text/css\">\n@import url(misc/print.css);\n</style>"; $html .= '</head><body>'. $output .'</body></html>'; @@ -671,7 +671,7 @@ function book_print_recurse($parent = '', $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>'; + $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>'; if ($node->body) { $output .= '<ul>'. $node->body .'</ul>'; @@ -707,7 +707,7 @@ function book_admin_view($nid, $depth = 0) { if ($nid) { $node = node_load(array('nid' => $nid)); - $output .= '<h3>'. $node->title .'</h3>'; + $output .= '<h3>'. check_plain($node->title) .'</h3>'; $header = array(t('Title'), t('Weight'), array('data' => t('Operations'), 'colspan' => '3')); $rows[] = book_admin_view_line($node); @@ -738,7 +738,7 @@ function book_admin_save($nid, $edit = array()) { } } - $message = t('Updated book %title.', array('%title' => "<em>$book->title</em>")); + $message = t('Updated book %title.', array('%title' => theme('placeholder', $book->title))); watchdog('content', $message); return $message; diff --git a/modules/book/book.module b/modules/book/book.module index 76bb98b60..576f8fd1a 100644 --- a/modules/book/book.module +++ b/modules/book/book.module @@ -148,7 +148,7 @@ function book_block($op = 'list', $delta = 0) { $expand[] = $node->nid; } - $block['subject'] = $path[0]->title; + $block['subject'] = check_plain($path[0]->title); $block['content'] = book_tree($expand[0], 5, $expand); } } @@ -287,7 +287,7 @@ function book_outline() { $output .= form_submit(t('Add to book outline')); } - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', form($output)); } } @@ -477,7 +477,7 @@ function theme_book_navigation($node) { $links .= '<div class="prev">'; $links .= l(t('previous'), 'node/'. $prev->nid, array('title' => t('View the previous page.'))); $links .= '</div>'; - $titles .= '<div class="prev">'. $prev->title .'</div>'; + $titles .= '<div class="prev">'. check_plain($prev->title) .'</div>'; } else { $links .= '<div class="prev"> </div>'; // Make an empty div to fill the space. @@ -486,7 +486,7 @@ function theme_book_navigation($node) { $links .= '<div class="next">'; $links .= l(t('next'), 'node/'. $next->nid, array('title' => t('View the next page.'))); $links .= '</div>'; - $titles .= '<div class="next">'. $next->title .'</div>'; + $titles .= '<div class="next">'. check_plain($next->title) .'</div>'; } else { $links .= '<div class="next"> </div>'; // Make an empty div to fill the space. @@ -633,7 +633,7 @@ function book_print($nid = 0, $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>'; + $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>'; if ($node->body) { $output .= $node->body; @@ -643,7 +643,7 @@ function book_print($nid = 0, $depth = 1) { $output .= book_print_recurse($nid, $depth); - $html = '<html><head><title>'. $node->title .'</title>'; + $html = '<html><head><title>'. check_plain($node->title) .'</title>'; $html .= '<base href="'. $base_url .'/" />'; $html .= "<style type=\"text/css\">\n@import url(misc/print.css);\n</style>"; $html .= '</head><body>'. $output .'</body></html>'; @@ -671,7 +671,7 @@ function book_print_recurse($parent = '', $depth = 1) { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', $node->body, false); - $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. $node->title .'</h1>'; + $output .= '<h1 id="'. $node->nid .'" name="'. $node->nid .'" class="book-h'. $depth .'">'. check_plain($node->title) .'</h1>'; if ($node->body) { $output .= '<ul>'. $node->body .'</ul>'; @@ -707,7 +707,7 @@ function book_admin_view($nid, $depth = 0) { if ($nid) { $node = node_load(array('nid' => $nid)); - $output .= '<h3>'. $node->title .'</h3>'; + $output .= '<h3>'. check_plain($node->title) .'</h3>'; $header = array(t('Title'), t('Weight'), array('data' => t('Operations'), 'colspan' => '3')); $rows[] = book_admin_view_line($node); @@ -738,7 +738,7 @@ function book_admin_save($nid, $edit = array()) { } } - $message = t('Updated book %title.', array('%title' => "<em>$book->title</em>")); + $message = t('Updated book %title.', array('%title' => theme('placeholder', $book->title))); watchdog('content', $message); return $message; diff --git a/modules/comment.module b/modules/comment.module index a22da2242..876e89bff 100644 --- a/modules/comment.module +++ b/modules/comment.module @@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) { $text = ''; $comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid); while ($comment = db_fetch_object($comments)) { - $text .= '<h2>'. $comment->subject .'</h2>'. check_output($comment->comment, $comment->format); + $text .= '<h2>'. check_plain($comment->subject) .'</h2>'. check_output($comment->comment, $comment->format); } return $text; @@ -431,9 +431,12 @@ function comment_validate_form($edit) { // Validate the comment's subject. If not specified, extract // one from the comment's body. - $edit['subject'] = strip_tags($edit['subject']); - if ($edit['subject'] == '') { - $edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE); + if (trim($edit['subject']) == '') { + // The body may be in any format, so we: + // 1) Filter it into HTML + // 2) Strip out all HTML tags + // 3) Convert entities back to plain-text. + $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE); } // Validate the comment's body. @@ -450,7 +453,7 @@ function comment_validate_form($edit) { if (!$user->uid) { if (variable_get('comment_anonymous', 0) > 0) { if ($edit['name']) { - $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0); + $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0); if ($taken != 0) { form_set_error('name', t('The name you used belongs to a registered user.')); @@ -494,7 +497,7 @@ function comment_preview($edit) { // Attach the user and time information. $comment->uid = $user->uid; $comment->timestamp = time(); - $comment->name = $user->name ? $user->name : $comment->name; + $comment->name = check_plain($user->name ? $user->name : $comment->name); // Preview the comment. $output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1))); @@ -523,7 +526,7 @@ function comment_post($edit) { // validated/filtered data to perform such check. $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0); if ($duplicate != 0) { - watchdog('content', t('Comment: duplicate %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING); + watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } if ($edit['cid']) { @@ -538,7 +541,7 @@ function comment_post($edit) { module_invoke_all('comment', 'update', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: updated %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } else { // Add the comment to database. @@ -641,7 +644,7 @@ function comment_post($edit) { module_invoke_all('comment', 'insert', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: added %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } // Clear the cache so an anonymous user can see his comment being added. @@ -662,7 +665,7 @@ function comment_post($edit) { } } else { - watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING); + watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } } @@ -974,7 +977,7 @@ function comment_delete($cid) { } else if ($comment->cid) { $output = theme('confirm', - t('Are you sure you want to delete the comment %title?', array('%title' => '<em>'. $comment->subject .'</em>')), + t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))), 'node/'. $comment->nid, t('Any replies to this comment will be lost. This action cannot be undone.'), t('Delete')); @@ -992,7 +995,7 @@ function comment_delete($cid) { function comment_save($id, $edit) { db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id); - watchdog('content', t('Comment: modified %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>'))); + watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject'])))); drupal_set_message(t('The comment has been saved.')); _comment_update_node_statistics($edit['nid']); @@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') { while ($comment = db_fetch_object($result)) { $comment->name = $comment->uid ? $comment->registered_name : $comment->name; $rows[] = array( - l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), + l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), format_name($comment), ($comment->status == 0 ? t('Published') : t('Not published')), format_date($comment->timestamp, 'small'), @@ -1624,7 +1627,7 @@ function theme_comment_post_forbidden() { function _comment_delete_thread($comment) { // Delete the comment: db_query('DELETE FROM {comments} WHERE cid = %d', $comment->cid); - watchdog('content', t('Comment: deleted %subject.', array('%subject' => "<em>$comment->subject</em>"))); + watchdog('content', t('Comment: deleted %subject.', array('%subject' => theme('placeholder', $comment->subject)))); module_invoke_all('comment', 'delete', $comment); diff --git a/modules/comment/comment.module b/modules/comment/comment.module index a22da2242..876e89bff 100644 --- a/modules/comment/comment.module +++ b/modules/comment/comment.module @@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) { $text = ''; $comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid); while ($comment = db_fetch_object($comments)) { - $text .= '<h2>'. $comment->subject .'</h2>'. check_output($comment->comment, $comment->format); + $text .= '<h2>'. check_plain($comment->subject) .'</h2>'. check_output($comment->comment, $comment->format); } return $text; @@ -431,9 +431,12 @@ function comment_validate_form($edit) { // Validate the comment's subject. If not specified, extract // one from the comment's body. - $edit['subject'] = strip_tags($edit['subject']); - if ($edit['subject'] == '') { - $edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE); + if (trim($edit['subject']) == '') { + // The body may be in any format, so we: + // 1) Filter it into HTML + // 2) Strip out all HTML tags + // 3) Convert entities back to plain-text. + $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE); } // Validate the comment's body. @@ -450,7 +453,7 @@ function comment_validate_form($edit) { if (!$user->uid) { if (variable_get('comment_anonymous', 0) > 0) { if ($edit['name']) { - $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0); + $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0); if ($taken != 0) { form_set_error('name', t('The name you used belongs to a registered user.')); @@ -494,7 +497,7 @@ function comment_preview($edit) { // Attach the user and time information. $comment->uid = $user->uid; $comment->timestamp = time(); - $comment->name = $user->name ? $user->name : $comment->name; + $comment->name = check_plain($user->name ? $user->name : $comment->name); // Preview the comment. $output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1))); @@ -523,7 +526,7 @@ function comment_post($edit) { // validated/filtered data to perform such check. $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0); if ($duplicate != 0) { - watchdog('content', t('Comment: duplicate %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING); + watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } if ($edit['cid']) { @@ -538,7 +541,7 @@ function comment_post($edit) { module_invoke_all('comment', 'update', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: updated %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } else { // Add the comment to database. @@ -641,7 +644,7 @@ function comment_post($edit) { module_invoke_all('comment', 'insert', $edit); // Add an entry to the watchdog log. - watchdog('content', t('Comment: added %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); + watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid'])); } // Clear the cache so an anonymous user can see his comment being added. @@ -662,7 +665,7 @@ function comment_post($edit) { } } else { - watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING); + watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING); } } @@ -974,7 +977,7 @@ function comment_delete($cid) { } else if ($comment->cid) { $output = theme('confirm', - t('Are you sure you want to delete the comment %title?', array('%title' => '<em>'. $comment->subject .'</em>')), + t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))), 'node/'. $comment->nid, t('Any replies to this comment will be lost. This action cannot be undone.'), t('Delete')); @@ -992,7 +995,7 @@ function comment_delete($cid) { function comment_save($id, $edit) { db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id); - watchdog('content', t('Comment: modified %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>'))); + watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject'])))); drupal_set_message(t('The comment has been saved.')); _comment_update_node_statistics($edit['nid']); @@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') { while ($comment = db_fetch_object($result)) { $comment->name = $comment->uid ? $comment->registered_name : $comment->name; $rows[] = array( - l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), + l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)), format_name($comment), ($comment->status == 0 ? t('Published') : t('Not published')), format_date($comment->timestamp, 'small'), @@ -1624,7 +1627,7 @@ function theme_comment_post_forbidden() { function _comment_delete_thread($comment) { // Delete the comment: db_query('DELETE FROM {comments} WHERE cid = %d', $comment->cid); - watchdog('content', t('Comment: deleted %subject.', array('%subject' => "<em>$comment->subject</em>"))); + watchdog('content', t('Comment: deleted %subject.', array('%subject' => theme('placeholder', $comment->subject)))); module_invoke_all('comment', 'delete', $comment); diff --git a/modules/contact.module b/modules/contact.module index 627f6ca3a..b86989963 100644 --- a/modules/contact.module +++ b/modules/contact.module @@ -88,7 +88,7 @@ function contact_mail_user() { // Tidy up the body: foreach ($message as $key => $value) { - $message[$key] = wordwrap(strip_tags($value)); + $message[$key] = wordwrap(check_plain($value)); } // Prepare all fields: diff --git a/modules/contact/contact.module b/modules/contact/contact.module index 627f6ca3a..b86989963 100644 --- a/modules/contact/contact.module +++ b/modules/contact/contact.module @@ -88,7 +88,7 @@ function contact_mail_user() { // Tidy up the body: foreach ($message as $key => $value) { - $message[$key] = wordwrap(strip_tags($value)); + $message[$key] = wordwrap(check_plain($value)); } // Prepare all fields: diff --git a/modules/drupal.module b/modules/drupal.module index 9158221bf..08add863c 100644 --- a/modules/drupal.module +++ b/modules/drupal.module @@ -95,7 +95,7 @@ function drupal_directory_ping($arguments) { db_query("DELETE FROM {directory} WHERE link = '%s' OR mail = '%s'", $link, $mail); db_query("INSERT INTO {directory} (link, name, mail, slogan, mission, timestamp) VALUES ('%s', '%s', '%s', '%s', '%s', %d)", $link, $name, $mail, $slogan, $mission, time()); - watchdog('directory ping', t('Ping from %name (%link).', array('%name' => "<em>$name</em>", '%link' => "<em>$link</em>")), WATCHDOG_NOTICE, "<a href=\"$link\">view</a>"); + watchdog('directory ping', t('Ping from %name (%link).', array('%name' => theme('placeholder', $name), '%link' => theme('placeholder', $link))), WATCHDOG_NOTICE, '<a href="'. check_url($link) .'">view</a>'); return new xmlrpcresp(new xmlrpcval(1, 'int')); } @@ -143,7 +143,7 @@ function drupal_notify($server) { $result = $client->send($message, 5); if (!$result || $result->faultCode()) { - watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => '<em>'. $url["host"] .'</em>', '%path' => '<em>'. $url["path"] .'</em>', '%error' => '<em>'. $result->faultString() .'</em>')), WATCHDOG_WARNING); + watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => theme('placeholder', $url['host']), '%path' => theme('placeholder', $url['path']), '%error' => theme('placeholder', $result->faultString()))), WATCHDOG_WARNING); } } diff --git a/modules/drupal/drupal.module b/modules/drupal/drupal.module index 9158221bf..08add863c 100644 --- a/modules/drupal/drupal.module +++ b/modules/drupal/drupal.module @@ -95,7 +95,7 @@ function drupal_directory_ping($arguments) { db_query("DELETE FROM {directory} WHERE link = '%s' OR mail = '%s'", $link, $mail); db_query("INSERT INTO {directory} (link, name, mail, slogan, mission, timestamp) VALUES ('%s', '%s', '%s', '%s', '%s', %d)", $link, $name, $mail, $slogan, $mission, time()); - watchdog('directory ping', t('Ping from %name (%link).', array('%name' => "<em>$name</em>", '%link' => "<em>$link</em>")), WATCHDOG_NOTICE, "<a href=\"$link\">view</a>"); + watchdog('directory ping', t('Ping from %name (%link).', array('%name' => theme('placeholder', $name), '%link' => theme('placeholder', $link))), WATCHDOG_NOTICE, '<a href="'. check_url($link) .'">view</a>'); return new xmlrpcresp(new xmlrpcval(1, 'int')); } @@ -143,7 +143,7 @@ function drupal_notify($server) { $result = $client->send($message, 5); if (!$result || $result->faultCode()) { - watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => '<em>'. $url["host"] .'</em>', '%path' => '<em>'. $url["path"] .'</em>', '%error' => '<em>'. $result->faultString() .'</em>')), WATCHDOG_WARNING); + watchdog('directory ping', t('Failed to notify %url at %path: %error.', array('%url' => theme('placeholder', $url['host']), '%path' => theme('placeholder', $url['path']), '%error' => theme('placeholder', $result->faultString()))), WATCHDOG_WARNING); } } diff --git a/modules/filter.module b/modules/filter.module index 74e95e079..2fa406d75 100644 --- a/modules/filter.module +++ b/modules/filter.module @@ -60,9 +60,9 @@ function filter_filter_tips($delta, $format, $long = false) { if ($allowed_html = variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>')) { switch ($long) { case 0: - return t('Allowed HTML tags') .': '. drupal_specialchars($allowed_html); + return t('Allowed HTML tags') .': '. check_plain($allowed_html); case 1: - $output = '<p>'. t('Allowed HTML tags') .': '. drupal_specialchars($allowed_html) .'</p>'; + $output = '<p>'. t('Allowed HTML tags') .': '. check_plain($allowed_html) .'</p>'; if (!variable_get("filter_html_help_$format", 1)) { return $output; } @@ -111,14 +111,14 @@ function filter_filter_tips($delta, $format, $long = false) { if ($tips[$tag]) { $rows[] = array( array('data' => $tips[$tag][0], 'class' => 'description'), - array('data' => '<code>'. drupal_specialchars($tips[$tag][1]) .'</code>', 'class' => 'type'), + array('data' => '<code>'. check_plain($tips[$tag][1]) .'</code>', 'class' => 'type'), array('data' => $tips[$tag][1], 'class' => 'get') ); } } else { $rows[] = array( - array('data' => t('No help provided for tag %tag.', array('%tag' => drupal_specialchars($tag))), 'class' => 'description', 'colspan' => 3), + array('data' => t('No help provided for tag %tag.', array('%tag' => check_plain($tag))), 'class' => 'description', 'colspan' => 3), ); } } @@ -137,7 +137,7 @@ function filter_filter_tips($delta, $format, $long = false) { foreach ($entities as $entity) { $rows[] = array( array('data' => $entity[0], 'class' => 'description'), - array('data' => '<code>'. drupal_specialchars($entity[1]) .'</code>', 'class' => 'type'), + array('data' => '<code>'. check_plain($entity[1]) .'</code>', 'class' => 'type'), array('data' => $entity[1], 'class' => 'get') ); } @@ -365,7 +365,7 @@ function filter_admin_add() { db_query("INSERT INTO {filter_formats} (name) VALUES ('%s')", $name); } - drupal_set_message(t('Added input format %format.', array('%format' => '<em>'. $edit['name'] .'</em>'))); + drupal_set_message(t('Added input format %format.', array('%format' => theme('placeholder', $edit['name'])))); drupal_goto('admin/filters'); } @@ -386,7 +386,7 @@ function filter_admin_delete() { cache_clear_all('filter:'. $edit['format'], true); - drupal_set_message(t('Deleted input format %format.', array('%format' => '<em>'. $edit['name'] .'</em>'))); + drupal_set_message(t('Deleted input format %format.', array('%format' => theme('placeholder', $edit['name'])))); } drupal_goto('admin/filters'); } @@ -397,7 +397,7 @@ function filter_admin_delete() { $extra = form_hidden('format', $format->format); $extra .= form_hidden('name', $format->name); $output = theme('confirm', - t('Are you sure you want to delete the input format %format?', array('%format' => '<em>'. $format->name .'</em>')), + t('Are you sure you want to delete the input format %format?', array('%format' => theme('placeholder', $format->name))), 'admin/filters', t('If you have any content left in this input format, it will be switched to the default input format. This action cannot be undone.'), t('Delete'), @@ -927,7 +927,7 @@ function _filter_html($text, $format) { if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) { // Escape HTML - $text = drupal_specialchars($text); + $text = check_plain($text); } if (variable_get("filter_html_nofollow_$format", FALSE)) { diff --git a/modules/filter/filter.module b/modules/filter/filter.module index 74e95e079..2fa406d75 100644 --- a/modules/filter/filter.module +++ b/modules/filter/filter.module @@ -60,9 +60,9 @@ function filter_filter_tips($delta, $format, $long = false) { if ($allowed_html = variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>')) { switch ($long) { case 0: - return t('Allowed HTML tags') .': '. drupal_specialchars($allowed_html); + return t('Allowed HTML tags') .': '. check_plain($allowed_html); case 1: - $output = '<p>'. t('Allowed HTML tags') .': '. drupal_specialchars($allowed_html) .'</p>'; + $output = '<p>'. t('Allowed HTML tags') .': '. check_plain($allowed_html) .'</p>'; if (!variable_get("filter_html_help_$format", 1)) { return $output; } @@ -111,14 +111,14 @@ function filter_filter_tips($delta, $format, $long = false) { if ($tips[$tag]) { $rows[] = array( array('data' => $tips[$tag][0], 'class' => 'description'), - array('data' => '<code>'. drupal_specialchars($tips[$tag][1]) .'</code>', 'class' => 'type'), + array('data' => '<code>'. check_plain($tips[$tag][1]) .'</code>', 'class' => 'type'), array('data' => $tips[$tag][1], 'class' => 'get') ); } } else { $rows[] = array( - array('data' => t('No help provided for tag %tag.', array('%tag' => drupal_specialchars($tag))), 'class' => 'description', 'colspan' => 3), + array('data' => t('No help provided for tag %tag.', array('%tag' => check_plain($tag))), 'class' => 'description', 'colspan' => 3), ); } } @@ -137,7 +137,7 @@ function filter_filter_tips($delta, $format, $long = false) { foreach ($entities as $entity) { $rows[] = array( array('data' => $entity[0], 'class' => 'description'), - array('data' => '<code>'. drupal_specialchars($entity[1]) .'</code>', 'class' => 'type'), + array('data' => '<code>'. check_plain($entity[1]) .'</code>', 'class' => 'type'), array('data' => $entity[1], 'class' => 'get') ); } @@ -365,7 +365,7 @@ function filter_admin_add() { db_query("INSERT INTO {filter_formats} (name) VALUES ('%s')", $name); } - drupal_set_message(t('Added input format %format.', array('%format' => '<em>'. $edit['name'] .'</em>'))); + drupal_set_message(t('Added input format %format.', array('%format' => theme('placeholder', $edit['name'])))); drupal_goto('admin/filters'); } @@ -386,7 +386,7 @@ function filter_admin_delete() { cache_clear_all('filter:'. $edit['format'], true); - drupal_set_message(t('Deleted input format %format.', array('%format' => '<em>'. $edit['name'] .'</em>'))); + drupal_set_message(t('Deleted input format %format.', array('%format' => theme('placeholder', $edit['name'])))); } drupal_goto('admin/filters'); } @@ -397,7 +397,7 @@ function filter_admin_delete() { $extra = form_hidden('format', $format->format); $extra .= form_hidden('name', $format->name); $output = theme('confirm', - t('Are you sure you want to delete the input format %format?', array('%format' => '<em>'. $format->name .'</em>')), + t('Are you sure you want to delete the input format %format?', array('%format' => theme('placeholder', $format->name))), 'admin/filters', t('If you have any content left in this input format, it will be switched to the default input format. This action cannot be undone.'), t('Delete'), @@ -927,7 +927,7 @@ function _filter_html($text, $format) { if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) { // Escape HTML - $text = drupal_specialchars($text); + $text = check_plain($text); } if (variable_get("filter_html_nofollow_$format", FALSE)) { diff --git a/modules/forum.module b/modules/forum.module index e086cf991..dae76244f 100644 --- a/modules/forum.module +++ b/modules/forum.module @@ -228,10 +228,10 @@ function forum_overview() { if ($tree) { foreach ($tree as $term) { if (in_array($term->tid, variable_get('forum_containers', array()))) { - $rows[] = array(_forum_depth($term->depth) .' '. $term->name, l(t('edit container'), "admin/forum/edit/container/$term->tid")); + $rows[] = array(_forum_depth($term->depth) .' '. check_plain($term->name), l(t('edit container'), "admin/forum/edit/container/$term->tid")); } else { - $rows[] = array(_forum_depth($term->depth) .' '. $term->name, l(t('edit forum'), "admin/forum/edit/forum/$term->tid")); + $rows[] = array(_forum_depth($term->depth) .' '. check_plain($term->name), l(t('edit forum'), "admin/forum/edit/forum/$term->tid")); } } @@ -381,11 +381,11 @@ function forum_link($type, $node = 0, $main = 0) { } if ($prev) { - $links[] = l(t('previous forum topic'), "node/$prev->nid", array('title' => $prev->title)); + $links[] = l(t('previous forum topic'), "node/$prev->nid", array('title' => check_plain($prev->title))); } if ($next) { - $links[] = l(t('next forum topic'), "node/$next->nid", array('title' => $next->title)); + $links[] = l(t('next forum topic'), "node/$next->nid", array('title' => check_plain($next->title))); } } @@ -478,7 +478,7 @@ function forum_validate(&$node) { if (db_result(db_query('SELECT COUNT(*) FROM {term_data} WHERE tid = %d AND vid = %d', $term, $vocabulary))) { if (in_array($term, $containers)) { $term = taxonomy_get_term($term); - form_set_error('taxonomy', t('The item %forum is only a container for forums. Please select one of the forums below it.', array('%forum' => "<em>$term->name</em>"))); + form_set_error('taxonomy', t('The item %forum is only a container for forums. Please select one of the forums below it.', array('%forum' => theme('placeholder', $term->name)))); } else { $node->tid = $term; @@ -878,7 +878,7 @@ function theme_forum_topic_list($tid, $topics, $sortby, $forum_per_page) { if ($topic->tid != $tid) { $rows[] = array( array('data' => _forum_icon($topic->new, $topic->num_comments, $topic->comment_mode, $topic->sticky), 'class' => 'icon'), - array('data' => $topic->title, 'class' => 'title'), + array('data' => check_plain($topic->title), 'class' => 'title'), array('data' => l(t('This topic has been moved'), "forum/$topic->tid"), 'colspan' => '3') ); } diff --git a/modules/forum/forum.module b/modules/forum/forum.module index e086cf991..dae76244f 100644 --- a/modules/forum/forum.module +++ b/modules/forum/forum.module @@ -228,10 +228,10 @@ function forum_overview() { if ($tree) { foreach ($tree as $term) { if (in_array($term->tid, variable_get('forum_containers', array()))) { - $rows[] = array(_forum_depth($term->depth) .' '. $term->name, l(t('edit container'), "admin/forum/edit/container/$term->tid")); + $rows[] = array(_forum_depth($term->depth) .' '. check_plain($term->name), l(t('edit container'), "admin/forum/edit/container/$term->tid")); } else { - $rows[] = array(_forum_depth($term->depth) .' '. $term->name, l(t('edit forum'), "admin/forum/edit/forum/$term->tid")); + $rows[] = array(_forum_depth($term->depth) .' '. check_plain($term->name), l(t('edit forum'), "admin/forum/edit/forum/$term->tid")); } } @@ -381,11 +381,11 @@ function forum_link($type, $node = 0, $main = 0) { } if ($prev) { - $links[] = l(t('previous forum topic'), "node/$prev->nid", array('title' => $prev->title)); + $links[] = l(t('previous forum topic'), "node/$prev->nid", array('title' => check_plain($prev->title))); } if ($next) { - $links[] = l(t('next forum topic'), "node/$next->nid", array('title' => $next->title)); + $links[] = l(t('next forum topic'), "node/$next->nid", array('title' => check_plain($next->title))); } } @@ -478,7 +478,7 @@ function forum_validate(&$node) { if (db_result(db_query('SELECT COUNT(*) FROM {term_data} WHERE tid = %d AND vid = %d', $term, $vocabulary))) { if (in_array($term, $containers)) { $term = taxonomy_get_term($term); - form_set_error('taxonomy', t('The item %forum is only a container for forums. Please select one of the forums below it.', array('%forum' => "<em>$term->name</em>"))); + form_set_error('taxonomy', t('The item %forum is only a container for forums. Please select one of the forums below it.', array('%forum' => theme('placeholder', $term->name)))); } else { $node->tid = $term; @@ -878,7 +878,7 @@ function theme_forum_topic_list($tid, $topics, $sortby, $forum_per_page) { if ($topic->tid != $tid) { $rows[] = array( array('data' => _forum_icon($topic->new, $topic->num_comments, $topic->comment_mode, $topic->sticky), 'class' => 'icon'), - array('data' => $topic->title, 'class' => 'title'), + array('data' => check_plain($topic->title), 'class' => 'title'), array('data' => l(t('This topic has been moved'), "forum/$topic->tid"), 'colspan' => '3') ); } diff --git a/modules/locale.module b/modules/locale.module index 3f31ff755..493d34a99 100644 --- a/modules/locale.module +++ b/modules/locale.module @@ -107,6 +107,7 @@ function locale_user($type, $edit, &$user, $category = NULL) { if ($user->language == '') { $user->language = key($languages['name']); } + $languages['name'] = array_map('check_plain', $languages['name']); return array(array('title' => t('Interface language settings'), 'data' => form_radios(t("Language"), 'language', $user->language, $languages['name'], t("Selecting a different locale will change the interface language of the site.")))); } } @@ -299,7 +300,7 @@ function locale_admin_manage_delete_screen() { if (isset($languages['name'][$edit['langcode']])) { db_query("DELETE FROM {locales_meta} WHERE locale = '%s'", $edit['langcode']); db_query("DELETE FROM {locales_target} WHERE locale = '%s'", $edit['langcode']); - $message = t('%locale language removed.', array('%locale' => '<em>'. t($languages['name'][$edit['langcode']]) .'</em>')); + $message = t('%locale language removed.', array('%locale' => theme('placeholder', t($languages['name'][$edit['langcode']])))); drupal_set_message($message); watchdog('locale', $message); } @@ -320,7 +321,7 @@ function locale_admin_manage_delete_screen() { $extra = form_hidden('langcode', $langcode); $output = theme('confirm', - t('Are you sure you want to delete the language %name?', array('%name' => '<em>'. t($languages['name'][$langcode]) .'</em>')), + t('Are you sure you want to delete the language %name?', array('%name' => theme('placeholder', t($languages['name'][$langcode])))), 'admin/locale/language/overview', t('Deleting a language will remove all data associated with it. This action cannot be undone.'), t('Delete'), @@ -359,7 +360,7 @@ function locale_admin_manage_add() { drupal_set_message(t('You need to specify both the language code and the English name of the new language.'), 'error'); } else { - drupal_set_message(t('The language %language (%code) is already set up.', array('%language' => '<em>'. $edit['langname'] .'</em>', '%code' => '<em>'. $edit['langcode'] .'</em>')), 'error'); + drupal_set_message(t('The language %language (%code) is already set up.', array('%language' => '<em>'. check_plain($edit['langname']) .'</em>', '%code' => theme('placeholder', $edit['langcode']))), 'error'); } break; } @@ -388,7 +389,7 @@ function locale_admin_import() { // Now import strings into the language $file = file_check_upload('file'); if ($ret = _locale_import_po($file, $edit['langcode'], $edit['mode']) == FALSE) { - $message = t('Translation import of %filename failed.', array('%filename' => "<em>$file->filename</em>")); + $message = t('Translation import of %filename failed.', array('%filename' => theme('placeholder', $file->filename))); drupal_set_message($message, 'error'); watchdog('locale', $message, WATCHDOG_ERROR); } diff --git a/modules/locale/locale.module b/modules/locale/locale.module index 3f31ff755..493d34a99 100644 --- a/modules/locale/locale.module +++ b/modules/locale/locale.module @@ -107,6 +107,7 @@ function locale_user($type, $edit, &$user, $category = NULL) { if ($user->language == '') { $user->language = key($languages['name']); } + $languages['name'] = array_map('check_plain', $languages['name']); return array(array('title' => t('Interface language settings'), 'data' => form_radios(t("Language"), 'language', $user->language, $languages['name'], t("Selecting a different locale will change the interface language of the site.")))); } } @@ -299,7 +300,7 @@ function locale_admin_manage_delete_screen() { if (isset($languages['name'][$edit['langcode']])) { db_query("DELETE FROM {locales_meta} WHERE locale = '%s'", $edit['langcode']); db_query("DELETE FROM {locales_target} WHERE locale = '%s'", $edit['langcode']); - $message = t('%locale language removed.', array('%locale' => '<em>'. t($languages['name'][$edit['langcode']]) .'</em>')); + $message = t('%locale language removed.', array('%locale' => theme('placeholder', t($languages['name'][$edit['langcode']])))); drupal_set_message($message); watchdog('locale', $message); } @@ -320,7 +321,7 @@ function locale_admin_manage_delete_screen() { $extra = form_hidden('langcode', $langcode); $output = theme('confirm', - t('Are you sure you want to delete the language %name?', array('%name' => '<em>'. t($languages['name'][$langcode]) .'</em>')), + t('Are you sure you want to delete the language %name?', array('%name' => theme('placeholder', t($languages['name'][$langcode])))), 'admin/locale/language/overview', t('Deleting a language will remove all data associated with it. This action cannot be undone.'), t('Delete'), @@ -359,7 +360,7 @@ function locale_admin_manage_add() { drupal_set_message(t('You need to specify both the language code and the English name of the new language.'), 'error'); } else { - drupal_set_message(t('The language %language (%code) is already set up.', array('%language' => '<em>'. $edit['langname'] .'</em>', '%code' => '<em>'. $edit['langcode'] .'</em>')), 'error'); + drupal_set_message(t('The language %language (%code) is already set up.', array('%language' => '<em>'. check_plain($edit['langname']) .'</em>', '%code' => theme('placeholder', $edit['langcode']))), 'error'); } break; } @@ -388,7 +389,7 @@ function locale_admin_import() { // Now import strings into the language $file = file_check_upload('file'); if ($ret = _locale_import_po($file, $edit['langcode'], $edit['mode']) == FALSE) { - $message = t('Translation import of %filename failed.', array('%filename' => "<em>$file->filename</em>")); + $message = t('Translation import of %filename failed.', array('%filename' => theme('placeholder', $file->filename))); drupal_set_message($message, 'error'); watchdog('locale', $message, WATCHDOG_ERROR); } diff --git a/modules/menu.module b/modules/menu.module index 0a972ec39..28e207f92 100644 --- a/modules/menu.module +++ b/modules/menu.module @@ -120,7 +120,7 @@ function menu_reset() { break; default: $output = theme('confirm', - t('Are you sure you want to reset all menu items to their default settings?', array('%item' => '<em>'. $title .'</em>')), + t('Are you sure you want to reset all menu items to their default settings?'), 'admin/menu', t('Any custom additions or changes to the menu will be lost.'), t('Reset all')); @@ -167,7 +167,7 @@ function menu_reset_item($mid) { default: $title = db_result(db_query('SELECT title FROM {menu} WHERE mid = %d', $mid)); $output = theme('confirm', - t('Are you sure you want to reset the item %item to its default values?', array('%item' => '<em>'. $title .'</em>')), + t('Are you sure you want to reset the item %item to its default values?', array('%item' => theme('placeholder', $title))), 'admin/menu', t('Any customizations will be lost. This action cannot be undone.'), t('Reset')); @@ -198,10 +198,10 @@ function menu_delete_item($mid) { break; default: if ($menu->type & MENU_IS_ROOT) { - $message = t('Are you sure you want to delete the menu %item?', array('%item' => '<em>'. $menu->title .'</em>')); + $message = t('Are you sure you want to delete the menu %item?', array('%item' => theme('placeholder', $menu->title))); } else { - $message = t('Are you sure you want to delete the custom menu item %item?', array('%item' => '<em>'. $menu->title .'</em>')); + $message = t('Are you sure you want to delete the custom menu item %item?', array('%item' => theme('placeholder', $menu->title))); } $output = theme('confirm', $message, 'admin/menu', t('This action cannot be undone.'), t('Delete')); print theme('page', $output); @@ -348,16 +348,16 @@ function menu_edit_item_save($edit) { if ($edit['mid']) { db_query("UPDATE {menu} SET pid = %d, path = '%s', title = '%s', description = '%s', weight = %d, type = %d WHERE mid = %d", $edit['pid'], $edit['path'], $edit['title'], $edit['description'], $edit['weight'], $edit['type'] | MENU_MODIFIED_BY_ADMIN, $edit['mid']); - drupal_set_message(t('Updated menu item %title.', array('%title' => '<em>'. $edit['title'] .'</em>'))); + drupal_set_message(t('Updated menu item %title.', array('%title' => theme('placeholder', $edit['title'])))); } else { $mid = db_next_id('{menu}_mid'); db_query("INSERT INTO {menu} (mid, pid, path, title, description, weight, type) VALUES (%d, %d, '%s', '%s', '%s', %d, %d)", $mid, $edit['pid'], $edit['path'], $edit['title'], $edit['description'], $edit['weight'], $edit['type'] | MENU_MODIFIED_BY_ADMIN); - drupal_set_message(t('Created new menu item %title.', array('%title' => '<em>'. $edit['title'] .'</em>'))); + drupal_set_message(t('Created new menu item %title.', array('%title' => theme('placeholder', $edit['title'])))); if (array_key_exists($edit['path'], $menu['path index'])) { $old_mid = $menu['path index'][$edit['path']]; $old_item = $menu['items'][$old_mid]; - drupal_set_message(t('Since a menu item %old already exists for %path, this new menu item was created as a shortcut to that location.', array('%old' => l('<em>'. $old_item['title'] .'</em>', 'admin/menu/item/edit/'. $old_mid), '%path' => '<em>'. $edit['path'] .'</em>'))); + drupal_set_message(t('Since a menu item %old already exists for %path, this new menu item was created as a shortcut to that location.', array('%old' => l(theme('placeholder', $old_item['title']), 'admin/menu/item/edit/'. $old_mid, array(), NULL, NULL, FALSE, TRUE), '%path' => theme('placeholder', $edit['path'])))); } } } diff --git a/modules/menu/menu.module b/modules/menu/menu.module index 0a972ec39..28e207f92 100644 --- a/modules/menu/menu.module +++ b/modules/menu/menu.module @@ -120,7 +120,7 @@ function menu_reset() { break; default: $output = theme('confirm', - t('Are you sure you want to reset all menu items to their default settings?', array('%item' => '<em>'. $title .'</em>')), + t('Are you sure you want to reset all menu items to their default settings?'), 'admin/menu', t('Any custom additions or changes to the menu will be lost.'), t('Reset all')); @@ -167,7 +167,7 @@ function menu_reset_item($mid) { default: $title = db_result(db_query('SELECT title FROM {menu} WHERE mid = %d', $mid)); $output = theme('confirm', - t('Are you sure you want to reset the item %item to its default values?', array('%item' => '<em>'. $title .'</em>')), + t('Are you sure you want to reset the item %item to its default values?', array('%item' => theme('placeholder', $title))), 'admin/menu', t('Any customizations will be lost. This action cannot be undone.'), t('Reset')); @@ -198,10 +198,10 @@ function menu_delete_item($mid) { break; default: if ($menu->type & MENU_IS_ROOT) { - $message = t('Are you sure you want to delete the menu %item?', array('%item' => '<em>'. $menu->title .'</em>')); + $message = t('Are you sure you want to delete the menu %item?', array('%item' => theme('placeholder', $menu->title))); } else { - $message = t('Are you sure you want to delete the custom menu item %item?', array('%item' => '<em>'. $menu->title .'</em>')); + $message = t('Are you sure you want to delete the custom menu item %item?', array('%item' => theme('placeholder', $menu->title))); } $output = theme('confirm', $message, 'admin/menu', t('This action cannot be undone.'), t('Delete')); print theme('page', $output); @@ -348,16 +348,16 @@ function menu_edit_item_save($edit) { if ($edit['mid']) { db_query("UPDATE {menu} SET pid = %d, path = '%s', title = '%s', description = '%s', weight = %d, type = %d WHERE mid = %d", $edit['pid'], $edit['path'], $edit['title'], $edit['description'], $edit['weight'], $edit['type'] | MENU_MODIFIED_BY_ADMIN, $edit['mid']); - drupal_set_message(t('Updated menu item %title.', array('%title' => '<em>'. $edit['title'] .'</em>'))); + drupal_set_message(t('Updated menu item %title.', array('%title' => theme('placeholder', $edit['title'])))); } else { $mid = db_next_id('{menu}_mid'); db_query("INSERT INTO {menu} (mid, pid, path, title, description, weight, type) VALUES (%d, %d, '%s', '%s', '%s', %d, %d)", $mid, $edit['pid'], $edit['path'], $edit['title'], $edit['description'], $edit['weight'], $edit['type'] | MENU_MODIFIED_BY_ADMIN); - drupal_set_message(t('Created new menu item %title.', array('%title' => '<em>'. $edit['title'] .'</em>'))); + drupal_set_message(t('Created new menu item %title.', array('%title' => theme('placeholder', $edit['title'])))); if (array_key_exists($edit['path'], $menu['path index'])) { $old_mid = $menu['path index'][$edit['path']]; $old_item = $menu['items'][$old_mid]; - drupal_set_message(t('Since a menu item %old already exists for %path, this new menu item was created as a shortcut to that location.', array('%old' => l('<em>'. $old_item['title'] .'</em>', 'admin/menu/item/edit/'. $old_mid), '%path' => '<em>'. $edit['path'] .'</em>'))); + drupal_set_message(t('Since a menu item %old already exists for %path, this new menu item was created as a shortcut to that location.', array('%old' => l(theme('placeholder', $old_item['title']), 'admin/menu/item/edit/'. $old_mid, array(), NULL, NULL, FALSE, TRUE), '%path' => theme('placeholder', $edit['path'])))); } } } diff --git a/modules/node.module b/modules/node.module index 29aae45cb..adf40d94c 100644 --- a/modules/node.module +++ b/modules/node.module @@ -990,7 +990,7 @@ function node_revision_overview($nid) { if (user_access('administer nodes')) { $node = node_load(array('nid' => $nid)); - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); if ($node->revisions) { $header = array(t('Older revisions'), array('colspan' => '3', 'data' => t('Operations'))); @@ -1059,7 +1059,7 @@ function node_revision_rollback($nid, $revision) { node_save($rev, $filter); - drupal_set_message(t('Rolled back to revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => "<em>$node->title</em>"))); + drupal_set_message(t('Rolled back to revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => theme('placeholder', $node->title)))); drupal_goto('node/'. $nid .'/revisions'); } } @@ -1075,7 +1075,7 @@ function node_revision_delete($nid, $revision) { node_save($node, array('nid', 'revisions')); - drupal_set_message(t('Deleted revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => "<em>$node->title</em>"))); + drupal_set_message(t('Deleted revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => theme('placeholder', $node->title)))); drupal_goto('node/'. $nid . (count($node->revisions) ? '/revisions' : '')); } } @@ -1199,9 +1199,8 @@ function node_validate($node) { // Validate the title field. if (isset($node->title)) { - $node->title = strip_tags($node->title); - if (!$node->title) { - form_set_error('title', t('You have to specify a valid title.')); + if (trim($node->title) == '') { + form_set_error('title', t('You have to specify a title.')); } } @@ -1242,7 +1241,7 @@ function node_validate($node) { $node->uid = $account->uid; } else { - form_set_error('name', t('The name %name does not exist.', array ('%name' => "<em>$node->name</em>"))); + form_set_error('name', t('The username %name does not exist.', array ('%name' => theme('placeholder', $node->name)))); } // Validate the "authored on" field. @@ -1309,7 +1308,7 @@ function node_form($edit) { $output .= '<div class="node-form">'; // Add hidden 'op' variable, which specifies the default operation (Preview). - $output .= '<input type="hidden" name="op" value="'. check_form(t('Preview')) ."\" />\n"; + $output .= '<input type="hidden" name="op" value="'. check_plain(t('Preview')) ."\" />\n"; // Add the admin-specific parts. if (user_access('administer nodes')) { @@ -1455,7 +1454,7 @@ function node_edit($id) { $node = node_load(array('nid' => $id)); - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); $output = node_form($node); @@ -1560,7 +1559,7 @@ function node_submit(&$node) { // perform this operation: if (node_access('update', $node)) { $node->nid = node_save($node); - watchdog('content', t('%type: updated %title.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), 'node/'. $node->nid)); + watchdog('content', t('%type: updated %title.', array('%type' => theme('placeholder', t($node->type)), '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $node->nid)); $msg = t('The %post was updated.', array ('%post' => node_invoke($node, 'node_name'))); } } @@ -1569,7 +1568,7 @@ function node_submit(&$node) { // perform this operation: if (node_access('create', $node)) { $node->nid = node_save($node); - watchdog('content', t('%type: added %title.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$node->nid")); + watchdog('content', t('%type: added %title.', array('%type' => theme('placeholder', t($node->type)), '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$node->nid")); $msg = t('Your %post was created.', array ('%post' => node_invoke($node, 'node_name'))); } } @@ -1603,12 +1602,12 @@ function node_delete($edit) { search_wipe($node->nid, 'node'); } - watchdog('content', t('%type: deleted %title.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>"))); + watchdog('content', t('%type: deleted %title.', array('%type' => theme('placeholder', t($node->type)), '%title' => theme('placeholder', $node->title)))); } else { $extra = form_hidden('nid', $node->nid); $output = theme('confirm', - t('Are you sure you want to delete %title?', array('%title' => '<em>'. $node->title .'</em>')), + t('Are you sure you want to delete %title?', array('%title' => theme('placeholder', $node->title))), $_GET['destination'] ? $_GET['destination'] : 'node/'. $node->nid, t('This action cannot be undone.'), t('Delete'), @@ -1681,7 +1680,7 @@ function node_page() { if (is_numeric(arg(1))) { $node = node_load(array('nid' => arg(1)), $_GET['revision']); if ($node->nid) { - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', node_show($node, arg(2))); } else { @@ -1758,7 +1757,7 @@ function node_update_index() { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', false, false); - $text = '<h1>'. drupal_specialchars($node->title) .'</h1>'. $node->body; + $text = '<h1>'. check_plain($node->title) .'</h1>'. $node->body; // Fetch extra data normally not visible $extra = node_invoke_nodeapi($node, 'update index'); diff --git a/modules/node/node.module b/modules/node/node.module index 29aae45cb..adf40d94c 100644 --- a/modules/node/node.module +++ b/modules/node/node.module @@ -990,7 +990,7 @@ function node_revision_overview($nid) { if (user_access('administer nodes')) { $node = node_load(array('nid' => $nid)); - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); if ($node->revisions) { $header = array(t('Older revisions'), array('colspan' => '3', 'data' => t('Operations'))); @@ -1059,7 +1059,7 @@ function node_revision_rollback($nid, $revision) { node_save($rev, $filter); - drupal_set_message(t('Rolled back to revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => "<em>$node->title</em>"))); + drupal_set_message(t('Rolled back to revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => theme('placeholder', $node->title)))); drupal_goto('node/'. $nid .'/revisions'); } } @@ -1075,7 +1075,7 @@ function node_revision_delete($nid, $revision) { node_save($node, array('nid', 'revisions')); - drupal_set_message(t('Deleted revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => "<em>$node->title</em>"))); + drupal_set_message(t('Deleted revision %revision of %title', array('%revision' => "<em>#$revision</em>", '%title' => theme('placeholder', $node->title)))); drupal_goto('node/'. $nid . (count($node->revisions) ? '/revisions' : '')); } } @@ -1199,9 +1199,8 @@ function node_validate($node) { // Validate the title field. if (isset($node->title)) { - $node->title = strip_tags($node->title); - if (!$node->title) { - form_set_error('title', t('You have to specify a valid title.')); + if (trim($node->title) == '') { + form_set_error('title', t('You have to specify a title.')); } } @@ -1242,7 +1241,7 @@ function node_validate($node) { $node->uid = $account->uid; } else { - form_set_error('name', t('The name %name does not exist.', array ('%name' => "<em>$node->name</em>"))); + form_set_error('name', t('The username %name does not exist.', array ('%name' => theme('placeholder', $node->name)))); } // Validate the "authored on" field. @@ -1309,7 +1308,7 @@ function node_form($edit) { $output .= '<div class="node-form">'; // Add hidden 'op' variable, which specifies the default operation (Preview). - $output .= '<input type="hidden" name="op" value="'. check_form(t('Preview')) ."\" />\n"; + $output .= '<input type="hidden" name="op" value="'. check_plain(t('Preview')) ."\" />\n"; // Add the admin-specific parts. if (user_access('administer nodes')) { @@ -1455,7 +1454,7 @@ function node_edit($id) { $node = node_load(array('nid' => $id)); - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); $output = node_form($node); @@ -1560,7 +1559,7 @@ function node_submit(&$node) { // perform this operation: if (node_access('update', $node)) { $node->nid = node_save($node); - watchdog('content', t('%type: updated %title.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), 'node/'. $node->nid)); + watchdog('content', t('%type: updated %title.', array('%type' => theme('placeholder', t($node->type)), '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $node->nid)); $msg = t('The %post was updated.', array ('%post' => node_invoke($node, 'node_name'))); } } @@ -1569,7 +1568,7 @@ function node_submit(&$node) { // perform this operation: if (node_access('create', $node)) { $node->nid = node_save($node); - watchdog('content', t('%type: added %title.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>")), WATCHDOG_NOTICE, l(t('view'), "node/$node->nid")); + watchdog('content', t('%type: added %title.', array('%type' => theme('placeholder', t($node->type)), '%title' => theme('placeholder', $node->title))), WATCHDOG_NOTICE, l(t('view'), "node/$node->nid")); $msg = t('Your %post was created.', array ('%post' => node_invoke($node, 'node_name'))); } } @@ -1603,12 +1602,12 @@ function node_delete($edit) { search_wipe($node->nid, 'node'); } - watchdog('content', t('%type: deleted %title.', array('%type' => '<em>'. t($node->type) .'</em>', '%title' => "<em>$node->title</em>"))); + watchdog('content', t('%type: deleted %title.', array('%type' => theme('placeholder', t($node->type)), '%title' => theme('placeholder', $node->title)))); } else { $extra = form_hidden('nid', $node->nid); $output = theme('confirm', - t('Are you sure you want to delete %title?', array('%title' => '<em>'. $node->title .'</em>')), + t('Are you sure you want to delete %title?', array('%title' => theme('placeholder', $node->title))), $_GET['destination'] ? $_GET['destination'] : 'node/'. $node->nid, t('This action cannot be undone.'), t('Delete'), @@ -1681,7 +1680,7 @@ function node_page() { if (is_numeric(arg(1))) { $node = node_load(array('nid' => arg(1)), $_GET['revision']); if ($node->nid) { - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', node_show($node, arg(2))); } else { @@ -1758,7 +1757,7 @@ function node_update_index() { // Allow modules to change $node->body before viewing. node_invoke_nodeapi($node, 'view', false, false); - $text = '<h1>'. drupal_specialchars($node->title) .'</h1>'. $node->body; + $text = '<h1>'. check_plain($node->title) .'</h1>'. $node->body; // Fetch extra data normally not visible $extra = node_invoke_nodeapi($node, 'update index'); diff --git a/modules/path.module b/modules/path.module index e48589c05..ba2251490 100644 --- a/modules/path.module +++ b/modules/path.module @@ -296,15 +296,15 @@ function path_save($edit) { $pid = $edit['pid']; if (!valid_url($src)) { - form_set_error('src', t('The system path %path is invalid.', array('%path' => "<em>$src</em>"))); + form_set_error('src', t('The system path %path is invalid.', array('%path' => theme('placeholder', $src)))); } if (!valid_url($dst)) { - form_set_error('dst', t('The alias %alias is invalid.', array('%alias' => "<em>$dst</em>"))); + form_set_error('dst', t('The alias %alias is invalid.', array('%alias' => theme('placeholder', $dst)))); } if (db_result(db_query("SELECT COUNT(dst) FROM {url_alias} WHERE pid != %d AND dst = '%s'", $pid, $dst))) { - form_set_error('dst', t('The alias %alias is already in use.', array('%alias' => "<em>$dst</em>"))); + form_set_error('dst', t('The alias %alias is already in use.', array('%alias' => theme('placeholder', $dst)))); } if (form_get_errors()) { diff --git a/modules/path/path.module b/modules/path/path.module index e48589c05..ba2251490 100644 --- a/modules/path/path.module +++ b/modules/path/path.module @@ -296,15 +296,15 @@ function path_save($edit) { $pid = $edit['pid']; if (!valid_url($src)) { - form_set_error('src', t('The system path %path is invalid.', array('%path' => "<em>$src</em>"))); + form_set_error('src', t('The system path %path is invalid.', array('%path' => theme('placeholder', $src)))); } if (!valid_url($dst)) { - form_set_error('dst', t('The alias %alias is invalid.', array('%alias' => "<em>$dst</em>"))); + form_set_error('dst', t('The alias %alias is invalid.', array('%alias' => theme('placeholder', $dst)))); } if (db_result(db_query("SELECT COUNT(dst) FROM {url_alias} WHERE pid != %d AND dst = '%s'", $pid, $dst))) { - form_set_error('dst', t('The alias %alias is already in use.', array('%alias' => "<em>$dst</em>"))); + form_set_error('dst', t('The alias %alias is already in use.', array('%alias' => theme('placeholder', $dst)))); } if (form_get_errors()) { diff --git a/modules/poll.module b/modules/poll.module index d5eae590a..933c1067a 100644 --- a/modules/poll.module +++ b/modules/poll.module @@ -307,9 +307,9 @@ function poll_view_voting(&$node, $teaser, $page, $block) { if ($node->choice) { $list = array(); foreach ($node->choice as $i => $choice) { - $list[$i] = drupal_specialchars($choice['chtext']); + $list[$i] = check_plain($choice['chtext']); } - $form .= form_radios($page ? '' : $node->title, 'choice', -1, $list); + $form .= form_radios($page ? '' : check_plain($node->title), 'choice', -1, $list); } $form .= '</div>'; $form .= form_hidden('nid', $node->nid); @@ -336,12 +336,12 @@ function poll_view_results(&$node, $teaser, $page, $block) { // Output the divs for the text, bars and percentages $output .= '<div class="poll">'; if ($block) { - $output .= '<div class="title">'. $node->title .'</div>'; + $output .= '<div class="title">'. check_plain($node->title) .'</div>'; } foreach ($node->choice as $i => $choice) { if ($choice['chtext'] != '') { $percentage = round($choice['chvotes'] * 100 / max($votestotal, 1)); - $output .= '<div class="text">'. drupal_specialchars($choice['chtext']) .'</div>'; + $output .= '<div class="text">'. check_plain($choice['chtext']) .'</div>'; $output .= '<div class="bar">'; $output .= '<div style="width: '. $percentage .'%;" class="foreground"></div>'; $output .= '</div>'; @@ -360,7 +360,7 @@ function poll_view_results(&$node, $teaser, $page, $block) { */ function poll_results() { if ($node = node_load(array('nid' => arg(1)))) { - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', node_show($node, 0)); } else { diff --git a/modules/poll/poll.module b/modules/poll/poll.module index d5eae590a..933c1067a 100644 --- a/modules/poll/poll.module +++ b/modules/poll/poll.module @@ -307,9 +307,9 @@ function poll_view_voting(&$node, $teaser, $page, $block) { if ($node->choice) { $list = array(); foreach ($node->choice as $i => $choice) { - $list[$i] = drupal_specialchars($choice['chtext']); + $list[$i] = check_plain($choice['chtext']); } - $form .= form_radios($page ? '' : $node->title, 'choice', -1, $list); + $form .= form_radios($page ? '' : check_plain($node->title), 'choice', -1, $list); } $form .= '</div>'; $form .= form_hidden('nid', $node->nid); @@ -336,12 +336,12 @@ function poll_view_results(&$node, $teaser, $page, $block) { // Output the divs for the text, bars and percentages $output .= '<div class="poll">'; if ($block) { - $output .= '<div class="title">'. $node->title .'</div>'; + $output .= '<div class="title">'. check_plain($node->title) .'</div>'; } foreach ($node->choice as $i => $choice) { if ($choice['chtext'] != '') { $percentage = round($choice['chvotes'] * 100 / max($votestotal, 1)); - $output .= '<div class="text">'. drupal_specialchars($choice['chtext']) .'</div>'; + $output .= '<div class="text">'. check_plain($choice['chtext']) .'</div>'; $output .= '<div class="bar">'; $output .= '<div style="width: '. $percentage .'%;" class="foreground"></div>'; $output .= '</div>'; @@ -360,7 +360,7 @@ function poll_view_results(&$node, $teaser, $page, $block) { */ function poll_results() { if ($node = node_load(array('nid' => arg(1)))) { - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', node_show($node, 0)); } else { diff --git a/modules/profile.module b/modules/profile.module index 8e9c2bdbc..d47caa400 100644 --- a/modules/profile.module +++ b/modules/profile.module @@ -107,7 +107,7 @@ function profile_browse() { $output .= theme('pager', NULL, 20); if ($field->type == 'selection' || $field->type == 'list') { - $title = strtr($field->page, array('%value' => $value)); + $title = strtr($field->page, array('%value' => theme('placeholder', $value))); } else { $title = $field->page; @@ -178,15 +178,15 @@ function profile_view_field($user, $field) { if ($value = $user->{$field->name}) { switch ($field->type) { case 'textfield': - return drupal_specialchars($value); + return check_plain($value); case 'textarea': return check_output($value); case 'selection': - return $browse ? l(drupal_specialchars($value), "profile/$field->name/". check_url($value)) : drupal_specialchars($value); + return $browse ? l($value, "profile/$field->name/$value") : check_plain($value); case 'checkbox': - return $browse ? l(strip_tags($field->title), "profile/$field->name") : drupal_specialchars($field->title); + return $browse ? l($field->title, "profile/$field->name") : check_plain($field->title); case 'url': - return '<a href="'. check_url($value) .'">'. drupal_specialchars($value) .'</a>'; + return '<a href="'. check_url($value) .'">'. check_plain($value) .'</a>'; case 'date': list($format) = explode(' - ', variable_get('date_format_short', 'm/d/Y - H:i'), 2); // Note: we avoid PHP's date() because it does not handle dates before @@ -203,7 +203,7 @@ function profile_view_field($user, $field) { $fields = array(); foreach ($values as $value) { if ($value = trim($value)) { - $fields[] = $browse ? l(drupal_specialchars($value), "profile/$field->name/". check_url($value)) : drupal_specialchars($value); + $fields[] = $browse ? l($value, "profile/$field->name/$value") : check_plain($value); } } return implode(', ', $fields); @@ -226,7 +226,7 @@ function profile_view_profile($user) { while ($field = db_fetch_object($result)) { if ($value = profile_view_field($user, $field)) { $description = ($field->visibility == PROFILE_PRIVATE) ? t('The content of this field is private and only visible to yourself.') : ''; - $title = ($field->type != 'checkbox') ? $field->title : ''; + $title = ($field->type != 'checkbox') ? check_plain($field->title) : ''; $fields[$field->category] .= form_item($title, $value, $description); } } @@ -264,16 +264,16 @@ function profile_form_profile($edit, $user, $category) { switch ($field->type) { case 'textfield': case 'url': - $fields[$category] .= form_textfield($field->title, $field->name, $edit[$field->name], 70, 255, _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_textfield(check_plain($field->title), $field->name, $edit[$field->name], 70, 255, _profile_form_explanation($field), NULL, $field->required); break; case 'textarea': - $fields[$category] .= form_textarea($field->title, $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_textarea(check_plain($field->title), $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); break; case 'list': - $fields[$category] .= form_textarea($field->title, $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_textarea(check_plain($field->title), $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); break; case 'checkbox': - $fields[$category] .= form_checkbox($field->title, $field->name, 1, $edit[$field->name], _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_checkbox(check_plain($field->title), $field->name, 1, $edit[$field->name], _profile_form_explanation($field), NULL, $field->required); break; case 'selection': $options = array('--'); @@ -284,7 +284,7 @@ function profile_form_profile($edit, $user, $category) { } } - $fields[$category] .= form_select($field->title, $field->name, $edit[$field->name], $options, _profile_form_explanation($field), 0, 0, $field->required); + $fields[$category] .= form_select(check_plain($field->title), $field->name, $edit[$field->name], $options, _profile_form_explanation($field), 0, 0, $field->required); break; case 'date': $fields[$category] .= _profile_date_field($field, $edit); @@ -338,7 +338,7 @@ function _profile_date_field($field, $edit) { } $output .= '</div>'; - return form_item($field->title, $output, _profile_form_explanation($field), NULL, $field->required); + return form_item(check_plain($field->title), $output, _profile_form_explanation($field), NULL, $field->required); } /** @@ -362,12 +362,12 @@ function profile_validate_profile($edit, $category) { if ($edit[$field->name]) { if ($field->type == 'url') { if (!valid_url($edit[$field->name], true)) { - form_set_error($field->name, t('The value provided for %field is not a valid URL.', array('%field' => "<em>$field->title</em>"))); - } + form_set_error($field->name, t('The value provided for %field is not a valid URL.', array('%field' => theme('placeholder', $field->title)))); + } } } else if ($field->required && !user_access('administer users')) { - form_set_error($field->name, t('The field %field is required.', array('%field' => "<em>$field->title</em>"))); + form_set_error($field->name, t('The field %field is required.', array('%field' => theme('placeholder', $field->title)))); } } @@ -377,7 +377,7 @@ function profile_validate_profile($edit, $category) { function profile_categories() { $result = db_query("SELECT DISTINCT(category) FROM {profile_fields}"); while ($category = db_fetch_object($result)) { - $data[] = array('name' => drupal_specialchars($category->category), 'title' => $category->category, 'weight' => 3); + $data[] = array('name' => check_plain($category->category), 'title' => $category->category, 'weight' => 3); } return $data; } @@ -539,7 +539,7 @@ function profile_admin_overview() { $result = db_query('SELECT * FROM {profile_fields} ORDER BY category, weight'); $rows = array(); while ($field = db_fetch_object($result)) { - $rows[] = array($field->title, $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/settings/profile/edit/$field->fid"), l(t('delete'), "admin/settings/profile/delete/$field->fid")); + $rows[] = array(check_plain($field->title), $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/settings/profile/edit/$field->fid"), l(t('delete'), "admin/settings/profile/delete/$field->fid")); } if (count($rows) == 0) { $rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6')); diff --git a/modules/profile/profile.module b/modules/profile/profile.module index 8e9c2bdbc..d47caa400 100644 --- a/modules/profile/profile.module +++ b/modules/profile/profile.module @@ -107,7 +107,7 @@ function profile_browse() { $output .= theme('pager', NULL, 20); if ($field->type == 'selection' || $field->type == 'list') { - $title = strtr($field->page, array('%value' => $value)); + $title = strtr($field->page, array('%value' => theme('placeholder', $value))); } else { $title = $field->page; @@ -178,15 +178,15 @@ function profile_view_field($user, $field) { if ($value = $user->{$field->name}) { switch ($field->type) { case 'textfield': - return drupal_specialchars($value); + return check_plain($value); case 'textarea': return check_output($value); case 'selection': - return $browse ? l(drupal_specialchars($value), "profile/$field->name/". check_url($value)) : drupal_specialchars($value); + return $browse ? l($value, "profile/$field->name/$value") : check_plain($value); case 'checkbox': - return $browse ? l(strip_tags($field->title), "profile/$field->name") : drupal_specialchars($field->title); + return $browse ? l($field->title, "profile/$field->name") : check_plain($field->title); case 'url': - return '<a href="'. check_url($value) .'">'. drupal_specialchars($value) .'</a>'; + return '<a href="'. check_url($value) .'">'. check_plain($value) .'</a>'; case 'date': list($format) = explode(' - ', variable_get('date_format_short', 'm/d/Y - H:i'), 2); // Note: we avoid PHP's date() because it does not handle dates before @@ -203,7 +203,7 @@ function profile_view_field($user, $field) { $fields = array(); foreach ($values as $value) { if ($value = trim($value)) { - $fields[] = $browse ? l(drupal_specialchars($value), "profile/$field->name/". check_url($value)) : drupal_specialchars($value); + $fields[] = $browse ? l($value, "profile/$field->name/$value") : check_plain($value); } } return implode(', ', $fields); @@ -226,7 +226,7 @@ function profile_view_profile($user) { while ($field = db_fetch_object($result)) { if ($value = profile_view_field($user, $field)) { $description = ($field->visibility == PROFILE_PRIVATE) ? t('The content of this field is private and only visible to yourself.') : ''; - $title = ($field->type != 'checkbox') ? $field->title : ''; + $title = ($field->type != 'checkbox') ? check_plain($field->title) : ''; $fields[$field->category] .= form_item($title, $value, $description); } } @@ -264,16 +264,16 @@ function profile_form_profile($edit, $user, $category) { switch ($field->type) { case 'textfield': case 'url': - $fields[$category] .= form_textfield($field->title, $field->name, $edit[$field->name], 70, 255, _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_textfield(check_plain($field->title), $field->name, $edit[$field->name], 70, 255, _profile_form_explanation($field), NULL, $field->required); break; case 'textarea': - $fields[$category] .= form_textarea($field->title, $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_textarea(check_plain($field->title), $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); break; case 'list': - $fields[$category] .= form_textarea($field->title, $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_textarea(check_plain($field->title), $field->name, $edit[$field->name], 70, 5, _profile_form_explanation($field), NULL, $field->required); break; case 'checkbox': - $fields[$category] .= form_checkbox($field->title, $field->name, 1, $edit[$field->name], _profile_form_explanation($field), NULL, $field->required); + $fields[$category] .= form_checkbox(check_plain($field->title), $field->name, 1, $edit[$field->name], _profile_form_explanation($field), NULL, $field->required); break; case 'selection': $options = array('--'); @@ -284,7 +284,7 @@ function profile_form_profile($edit, $user, $category) { } } - $fields[$category] .= form_select($field->title, $field->name, $edit[$field->name], $options, _profile_form_explanation($field), 0, 0, $field->required); + $fields[$category] .= form_select(check_plain($field->title), $field->name, $edit[$field->name], $options, _profile_form_explanation($field), 0, 0, $field->required); break; case 'date': $fields[$category] .= _profile_date_field($field, $edit); @@ -338,7 +338,7 @@ function _profile_date_field($field, $edit) { } $output .= '</div>'; - return form_item($field->title, $output, _profile_form_explanation($field), NULL, $field->required); + return form_item(check_plain($field->title), $output, _profile_form_explanation($field), NULL, $field->required); } /** @@ -362,12 +362,12 @@ function profile_validate_profile($edit, $category) { if ($edit[$field->name]) { if ($field->type == 'url') { if (!valid_url($edit[$field->name], true)) { - form_set_error($field->name, t('The value provided for %field is not a valid URL.', array('%field' => "<em>$field->title</em>"))); - } + form_set_error($field->name, t('The value provided for %field is not a valid URL.', array('%field' => theme('placeholder', $field->title)))); + } } } else if ($field->required && !user_access('administer users')) { - form_set_error($field->name, t('The field %field is required.', array('%field' => "<em>$field->title</em>"))); + form_set_error($field->name, t('The field %field is required.', array('%field' => theme('placeholder', $field->title)))); } } @@ -377,7 +377,7 @@ function profile_validate_profile($edit, $category) { function profile_categories() { $result = db_query("SELECT DISTINCT(category) FROM {profile_fields}"); while ($category = db_fetch_object($result)) { - $data[] = array('name' => drupal_specialchars($category->category), 'title' => $category->category, 'weight' => 3); + $data[] = array('name' => check_plain($category->category), 'title' => $category->category, 'weight' => 3); } return $data; } @@ -539,7 +539,7 @@ function profile_admin_overview() { $result = db_query('SELECT * FROM {profile_fields} ORDER BY category, weight'); $rows = array(); while ($field = db_fetch_object($result)) { - $rows[] = array($field->title, $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/settings/profile/edit/$field->fid"), l(t('delete'), "admin/settings/profile/delete/$field->fid")); + $rows[] = array(check_plain($field->title), $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/settings/profile/edit/$field->fid"), l(t('delete'), "admin/settings/profile/delete/$field->fid")); } if (count($rows) == 0) { $rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6')); diff --git a/modules/queue.module b/modules/queue.module index b37d4b5fd..0aef36ebb 100644 --- a/modules/queue.module +++ b/modules/queue.module @@ -78,34 +78,34 @@ function queue_vote($node, $vote) { $node->moderate = 0; $node->promote = 1; node_save($node); - watchdog('content', t('Moderation: approved %title.', array('%title' => "<em>$node->title</em>"))); + watchdog('content', t('Moderation: approved %title.', array('%title' => theme('placeholder', $node->title)))); drupal_set_message(t('The post is promoted.')); } else if (variable_get('queue_threshold_dump', -2) >= $node->score) { if ($node->revisions) { node_revision_rollback($node, end(node_revision_list($node))); - watchdog('content', t('Moderation: declined %title (rollback).', array('%title' => "<em>$node->title</em>"))); + watchdog('content', t('Moderation: declined %title (rollback).', array('%title' => theme('placeholder', $node->title)))); drupal_set_message(t('The post has been declined and the previous version has been restored.')); } else { $node->moderate = 0; $node->status = 0; node_save($node); - watchdog('content', t('Moderation: declined %title.', array('%title' => "<em>$node->title</em>"))); + watchdog('content', t('Moderation: declined %title.', array('%title' => theme('placeholder', $node->title)))); drupal_set_message(t('The post has been declined.')); } } else if (variable_get('queue_threshold_expire', 8) <= $node->votes) { if ($node->revisions) { node_revision_rollback($node, end(node_revision_list($node))); - watchdog('content', t('Moderation: expired %title (rollback).', array('%title' => "<em>$node->title</em>"))); + watchdog('content', t('Moderation: expired %title (rollback).', array('%title' => theme('placeholder', $node->title)))); drupal_set_message(t('The post has expired and the previous version has been restored.')); } else { $node->moderate = 0; $node->status = 0; node_save($node); - watchdog('content', t('Moderation: expired %title.', array('%title' => "<em>$node->title</em>"))); + watchdog('content', t('Moderation: expired %title.', array('%title' => theme('placeholder', $node->title)))); drupal_set_message(t('The post has expired.')); } } diff --git a/modules/search.module b/modules/search.module index 7b8862239..8fa3f1e5d 100644 --- a/modules/search.module +++ b/modules/search.module @@ -503,7 +503,7 @@ function do_search($keywords, $type, $join = '', $where = '1', $variation = true $message = format_plural(count($refused), 'The word %words was not included because it is too short.', 'The words %words were not included because they were too short.'); - drupal_set_message(strtr($message, array('%words' => '<em>'. drupal_specialchars(implode(', ', $refused)) .'</em>'))); + drupal_set_message(strtr($message, array('%words' => theme('placeholder', implode(', ', $refused))))); } if (count($words) == 0) { @@ -559,7 +559,7 @@ function search_view() { if ($type == '') { $type = 'node'; } - drupal_goto('search/'. $type .'/'. urlencode($_POST['edit']['keys'])); + drupal_goto('search/'. urlencode($type) .'/'. urlencode($_POST['edit']['keys'])); } else if ($type == '') { // Note: search/node can not be a default tab because it would take on the @@ -574,9 +574,9 @@ function search_view() { if (trim($keys)) { // Log the search keys: watchdog('search', - t('Search: %keys (%type).', array('%keys' => "<em>$keys</em>", '%type' => module_invoke($type, 'search', 'name'))), + t('Search: %keys (%type).', array('%keys' => theme('placeholder', $keys), '%type' => module_invoke($type, 'search', 'name'))), WATCHDOG_NOTICE, - l(t('results'), 'search', NULL, 'keys='. urlencode($keys) . '&type='. urlencode($type)) + l(t('results'), 'search/'. urlencode($type) .'/'. urlencode($keys)) ); // Collect the search results: @@ -833,7 +833,7 @@ function theme_search_item($item, $type) { $output = module_invoke($type, 'search_item', $item); } else { - $output = ' <dt class="title"><a href="'. $item['link'] .'">'. $item['title'] .'</a></dt>'; + $output = ' <dt class="title"><a href="'. check_url($item['link']) .'">'. check_plain($item['title']) .'</a></dt>'; $info = array(); if ($item['type']) { $info[] = $item['type']; diff --git a/modules/search/search.module b/modules/search/search.module index 7b8862239..8fa3f1e5d 100644 --- a/modules/search/search.module +++ b/modules/search/search.module @@ -503,7 +503,7 @@ function do_search($keywords, $type, $join = '', $where = '1', $variation = true $message = format_plural(count($refused), 'The word %words was not included because it is too short.', 'The words %words were not included because they were too short.'); - drupal_set_message(strtr($message, array('%words' => '<em>'. drupal_specialchars(implode(', ', $refused)) .'</em>'))); + drupal_set_message(strtr($message, array('%words' => theme('placeholder', implode(', ', $refused))))); } if (count($words) == 0) { @@ -559,7 +559,7 @@ function search_view() { if ($type == '') { $type = 'node'; } - drupal_goto('search/'. $type .'/'. urlencode($_POST['edit']['keys'])); + drupal_goto('search/'. urlencode($type) .'/'. urlencode($_POST['edit']['keys'])); } else if ($type == '') { // Note: search/node can not be a default tab because it would take on the @@ -574,9 +574,9 @@ function search_view() { if (trim($keys)) { // Log the search keys: watchdog('search', - t('Search: %keys (%type).', array('%keys' => "<em>$keys</em>", '%type' => module_invoke($type, 'search', 'name'))), + t('Search: %keys (%type).', array('%keys' => theme('placeholder', $keys), '%type' => module_invoke($type, 'search', 'name'))), WATCHDOG_NOTICE, - l(t('results'), 'search', NULL, 'keys='. urlencode($keys) . '&type='. urlencode($type)) + l(t('results'), 'search/'. urlencode($type) .'/'. urlencode($keys)) ); // Collect the search results: @@ -833,7 +833,7 @@ function theme_search_item($item, $type) { $output = module_invoke($type, 'search_item', $item); } else { - $output = ' <dt class="title"><a href="'. $item['link'] .'">'. $item['title'] .'</a></dt>'; + $output = ' <dt class="title"><a href="'. check_url($item['link']) .'">'. check_plain($item['title']) .'</a></dt>'; $info = array(); if ($item['type']) { $info[] = $item['type']; diff --git a/modules/statistics.module b/modules/statistics.module index bc57b0ab2..8261758bc 100644 --- a/modules/statistics.module +++ b/modules/statistics.module @@ -183,7 +183,7 @@ function statistics_node_tracker() { $rows[] = array(array('data' => $pager, 'colspan' => '4')); } - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', theme('table', $header, $rows)); } else { diff --git a/modules/statistics/statistics.module b/modules/statistics/statistics.module index bc57b0ab2..8261758bc 100644 --- a/modules/statistics/statistics.module +++ b/modules/statistics/statistics.module @@ -183,7 +183,7 @@ function statistics_node_tracker() { $rows[] = array(array('data' => $pager, 'colspan' => '4')); } - drupal_set_title($node->title); + drupal_set_title(check_plain($node->title)); print theme('page', theme('table', $header, $rows)); } else { diff --git a/modules/taxonomy.module b/modules/taxonomy.module index 17de7a520..9ebc1aebf 100644 --- a/modules/taxonomy.module +++ b/modules/taxonomy.module @@ -130,7 +130,7 @@ function taxonomy_save_vocabulary($edit) { db_query("INSERT INTO {vocabulary_node_types} (vid, type) VALUES (%d, '%s')", $edit['vid'], $type); } module_invoke_all('taxonomy', 'update', 'vocabulary', $edit); - $message = t('Updated vocabulary %name.', array('%name' => '<em>'. $edit['name'] .'</em>')); + $message = t('Updated vocabulary %name.', array('%name' => theme('placeholder', $edit['name']))); } else if ($edit['vid']) { $message = taxonomy_del_vocabulary($edit['vid']); @@ -142,7 +142,7 @@ function taxonomy_save_vocabulary($edit) { db_query("INSERT INTO {vocabulary_node_types} (vid, type) VALUES (%d, '%s')", $edit['vid'], $type); } module_invoke_all('taxonomy', 'insert', 'vocabulary', $edit); - $message = t('Created new vocabulary %name.', array('%name' => '<em>'. $edit['name'] .'</em>')); + $message = t('Created new vocabulary %name.', array('%name' => theme('placeholder', $edit['name']))); } cache_clear_all(); @@ -236,7 +236,7 @@ function taxonomy_save_term($edit) { db_query('UPDATE {term_data} SET '. _taxonomy_prepare_update($data) .' WHERE tid = %d', $edit['tid']); module_invoke_all('taxonomy', 'update', 'term', $edit); - $message = t('The term %term has been updated.', array('%term' => '<em>'. $edit['name'] .'</em>')); + $message = t('The term %term has been updated.', array('%term' => theme('placeholder', $edit['name']))); } else if ($edit['tid']) { return taxonomy_del_term($edit['tid']); @@ -246,7 +246,7 @@ function taxonomy_save_term($edit) { $data = array('tid' => $edit['tid'], 'name' => $edit['name'], 'description' => $edit['description'], 'vid' => $edit['vid'], 'weight' => $edit['weight']); db_query('INSERT INTO {term_data} '. _taxonomy_prepare_insert($data, 1) .' VALUES '. _taxonomy_prepare_insert($data, 2)); module_invoke_all('taxonomy', 'insert', 'term', $edit); - $message = t('Created new term %term.', array('%term' => '<em>'. $edit['name'] .'</em>')); + $message = t('Created new term %term.', array('%term' => theme('placeholder', $edit['name']))); } db_query('DELETE FROM {term_relation} WHERE tid1 = %d OR tid2 = %d', $edit['tid'], $edit['tid']); @@ -315,7 +315,7 @@ function taxonomy_del_term($tid) { db_query('DELETE FROM {term_node} WHERE tid = %d', $tid); module_invoke_all('taxonomy', 'delete', 'term', $term); - drupal_set_message(t('Deleted term %name.', array('%name' => '<em>'. $term->name .'</em>'))); + drupal_set_message(t('Deleted term %name.', array('%name' => theme('placeholder', $term->name)))); } $tids = $orphans; @@ -331,7 +331,7 @@ function _taxonomy_confirm_del_term($tid) { $extra .= form_hidden('tid', $tid); $output = theme('confirm', - t('Are you sure you want to delete the term %title?', array('%title' => '<em>'. $term->name .'</em>')), + t('Are you sure you want to delete the term %title?', array('%title' => theme('placeholder', $term->name))), 'admin/taxonomy', t('Deleting a term will delete all its children if there are any. This action cannot be undone.'), t('Delete'), @@ -357,13 +357,13 @@ function taxonomy_overview() { $types[] = $node_type ? $node_type : $type; } - $rows[] = array($vocabulary->name, implode(', ', $types), l(t('edit vocabulary'), "admin/taxonomy/edit/vocabulary/$vocabulary->vid"), l(t('add term'), "admin/taxonomy/add/term/$vocabulary->vid"), l(t('preview form'), "admin/taxonomy/preview/vocabulary/$vocabulary->vid")); + $rows[] = array(check_plain($vocabulary->name), implode(', ', $types), l(t('edit vocabulary'), "admin/taxonomy/edit/vocabulary/$vocabulary->vid"), l(t('add term'), "admin/taxonomy/add/term/$vocabulary->vid"), l(t('preview form'), "admin/taxonomy/preview/vocabulary/$vocabulary->vid")); $tree = taxonomy_get_tree($vocabulary->vid); if ($tree) { unset($data); foreach ($tree as $term) { - $data .= _taxonomy_depth($term->depth) .' '. $term->name .' ('. l(t('edit term'), "admin/taxonomy/edit/term/$term->tid") .')<br />'; + $data .= _taxonomy_depth($term->depth) .' '. check_plain($term->name) .' ('. l(t('edit term'), "admin/taxonomy/edit/term/$term->tid") .')<br />'; } $rows[] = array(array('data' => $data, 'colspan' => '5')); } @@ -390,7 +390,7 @@ function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') { $blank = '<'. t('none') .'>'; } - return _taxonomy_term_select($vocabulary->name, $name, $value, $vid, $help, intval($vocabulary->multiple), $blank); + return _taxonomy_term_select(check_plain($vocabulary->name), $name, $value, $vid, $help, intval($vocabulary->multiple), $blank); } /** diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module index 17de7a520..9ebc1aebf 100644 --- a/modules/taxonomy/taxonomy.module +++ b/modules/taxonomy/taxonomy.module @@ -130,7 +130,7 @@ function taxonomy_save_vocabulary($edit) { db_query("INSERT INTO {vocabulary_node_types} (vid, type) VALUES (%d, '%s')", $edit['vid'], $type); } module_invoke_all('taxonomy', 'update', 'vocabulary', $edit); - $message = t('Updated vocabulary %name.', array('%name' => '<em>'. $edit['name'] .'</em>')); + $message = t('Updated vocabulary %name.', array('%name' => theme('placeholder', $edit['name']))); } else if ($edit['vid']) { $message = taxonomy_del_vocabulary($edit['vid']); @@ -142,7 +142,7 @@ function taxonomy_save_vocabulary($edit) { db_query("INSERT INTO {vocabulary_node_types} (vid, type) VALUES (%d, '%s')", $edit['vid'], $type); } module_invoke_all('taxonomy', 'insert', 'vocabulary', $edit); - $message = t('Created new vocabulary %name.', array('%name' => '<em>'. $edit['name'] .'</em>')); + $message = t('Created new vocabulary %name.', array('%name' => theme('placeholder', $edit['name']))); } cache_clear_all(); @@ -236,7 +236,7 @@ function taxonomy_save_term($edit) { db_query('UPDATE {term_data} SET '. _taxonomy_prepare_update($data) .' WHERE tid = %d', $edit['tid']); module_invoke_all('taxonomy', 'update', 'term', $edit); - $message = t('The term %term has been updated.', array('%term' => '<em>'. $edit['name'] .'</em>')); + $message = t('The term %term has been updated.', array('%term' => theme('placeholder', $edit['name']))); } else if ($edit['tid']) { return taxonomy_del_term($edit['tid']); @@ -246,7 +246,7 @@ function taxonomy_save_term($edit) { $data = array('tid' => $edit['tid'], 'name' => $edit['name'], 'description' => $edit['description'], 'vid' => $edit['vid'], 'weight' => $edit['weight']); db_query('INSERT INTO {term_data} '. _taxonomy_prepare_insert($data, 1) .' VALUES '. _taxonomy_prepare_insert($data, 2)); module_invoke_all('taxonomy', 'insert', 'term', $edit); - $message = t('Created new term %term.', array('%term' => '<em>'. $edit['name'] .'</em>')); + $message = t('Created new term %term.', array('%term' => theme('placeholder', $edit['name']))); } db_query('DELETE FROM {term_relation} WHERE tid1 = %d OR tid2 = %d', $edit['tid'], $edit['tid']); @@ -315,7 +315,7 @@ function taxonomy_del_term($tid) { db_query('DELETE FROM {term_node} WHERE tid = %d', $tid); module_invoke_all('taxonomy', 'delete', 'term', $term); - drupal_set_message(t('Deleted term %name.', array('%name' => '<em>'. $term->name .'</em>'))); + drupal_set_message(t('Deleted term %name.', array('%name' => theme('placeholder', $term->name)))); } $tids = $orphans; @@ -331,7 +331,7 @@ function _taxonomy_confirm_del_term($tid) { $extra .= form_hidden('tid', $tid); $output = theme('confirm', - t('Are you sure you want to delete the term %title?', array('%title' => '<em>'. $term->name .'</em>')), + t('Are you sure you want to delete the term %title?', array('%title' => theme('placeholder', $term->name))), 'admin/taxonomy', t('Deleting a term will delete all its children if there are any. This action cannot be undone.'), t('Delete'), @@ -357,13 +357,13 @@ function taxonomy_overview() { $types[] = $node_type ? $node_type : $type; } - $rows[] = array($vocabulary->name, implode(', ', $types), l(t('edit vocabulary'), "admin/taxonomy/edit/vocabulary/$vocabulary->vid"), l(t('add term'), "admin/taxonomy/add/term/$vocabulary->vid"), l(t('preview form'), "admin/taxonomy/preview/vocabulary/$vocabulary->vid")); + $rows[] = array(check_plain($vocabulary->name), implode(', ', $types), l(t('edit vocabulary'), "admin/taxonomy/edit/vocabulary/$vocabulary->vid"), l(t('add term'), "admin/taxonomy/add/term/$vocabulary->vid"), l(t('preview form'), "admin/taxonomy/preview/vocabulary/$vocabulary->vid")); $tree = taxonomy_get_tree($vocabulary->vid); if ($tree) { unset($data); foreach ($tree as $term) { - $data .= _taxonomy_depth($term->depth) .' '. $term->name .' ('. l(t('edit term'), "admin/taxonomy/edit/term/$term->tid") .')<br />'; + $data .= _taxonomy_depth($term->depth) .' '. check_plain($term->name) .' ('. l(t('edit term'), "admin/taxonomy/edit/term/$term->tid") .')<br />'; } $rows[] = array(array('data' => $data, 'colspan' => '5')); } @@ -390,7 +390,7 @@ function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') { $blank = '<'. t('none') .'>'; } - return _taxonomy_term_select($vocabulary->name, $name, $value, $vid, $help, intval($vocabulary->multiple), $blank); + return _taxonomy_term_select(check_plain($vocabulary->name), $name, $value, $vid, $help, intval($vocabulary->multiple), $blank); } /** diff --git a/modules/upload.module b/modules/upload.module index e6cbae3fc..768092136 100644 --- a/modules/upload.module +++ b/modules/upload.module @@ -169,7 +169,7 @@ function upload_nodeapi(&$node, $op, $arg) { $total_usersize = upload_count_size($user->uid) + $filesize; if ($maxsize && $total_size > $maxsize) { - form_set_error('upload', t('Error attaching file %name: total file size exceeded', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: total file size exceeded', array('%name' => theme('placeholder', $file->filename)))); break; } @@ -207,13 +207,13 @@ function upload_nodeapi(&$node, $op, $arg) { } if ($error['extension'] == count($user->roles) && $user->uid != 1) { - form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => theme('placeholder', $file->filename)))); } elseif ($error['uploadsize'] == count($user->roles) && $user->uid != 1) { - form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => theme('placeholder', $file->filename)))); } elseif ($error['usersize'] == count($user->roles) && $user->uid != 1) { - form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => theme('placeholder', $file->filename)))); } else { $key = 'upload_'. count($_SESSION['file_uploads']); diff --git a/modules/upload/upload.module b/modules/upload/upload.module index e6cbae3fc..768092136 100644 --- a/modules/upload/upload.module +++ b/modules/upload/upload.module @@ -169,7 +169,7 @@ function upload_nodeapi(&$node, $op, $arg) { $total_usersize = upload_count_size($user->uid) + $filesize; if ($maxsize && $total_size > $maxsize) { - form_set_error('upload', t('Error attaching file %name: total file size exceeded', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: total file size exceeded', array('%name' => theme('placeholder', $file->filename)))); break; } @@ -207,13 +207,13 @@ function upload_nodeapi(&$node, $op, $arg) { } if ($error['extension'] == count($user->roles) && $user->uid != 1) { - form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => theme('placeholder', $file->filename)))); } elseif ($error['uploadsize'] == count($user->roles) && $user->uid != 1) { - form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => theme('placeholder', $file->filename)))); } elseif ($error['usersize'] == count($user->roles) && $user->uid != 1) { - form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); + form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => theme('placeholder', $file->filename)))); } else { $key = 'upload_'. count($_SESSION['file_uploads']); diff --git a/modules/user.module b/modules/user.module index 34caea9a0..4e873303f 100644 --- a/modules/user.module +++ b/modules/user.module @@ -216,13 +216,13 @@ function user_validate_name($name) { if (ereg(' ', $name)) return t('The username cannot contain multiple spaces in a row.'); if (ereg("[^\x80-\xF7 [:alnum:]@_.-]", $name)) return t('The username contains an illegal character.'); if (ereg('@', $name) && !eregi('@([0-9a-z](-?[0-9a-z])*.)+[a-z]{2}([zmuvtg]|fo|me)?$', $name)) return t('The username is not a valid authentication ID.'); - if (strlen($name) > 56) return t('The username %name is too long: it must be less than 56 characters.', array('%name' => "<em>$name</em>")); + if (strlen($name) > 56) return t('The username %name is too long: it must be less than 56 characters.', array('%name' => theme('placeholder', $name))); } function user_validate_mail($mail) { if (!$mail) return t('You must enter an e-mail address.'); if (!valid_email_address($mail)) { - return t('The e-mail address %mail is not valid.', array('%mail' => "<em>$mail</em>")); + return t('The e-mail address %mail is not valid.', array('%mail' => theme('placeholder', $mail))); } } @@ -262,7 +262,7 @@ function user_validate_authmap($account, $authname, $module) { $result = db_query("SELECT COUNT(*) from {authmap} WHERE uid != %d AND authname = '%s'", $account->uid, $authname); if (db_result($result) > 0) { $name = module_invoke($module, 'info', 'name'); - return t('The %u ID %s is already taken.', array('%u' => $name, '%s' => "<em>$authname</em>")); + return t('The %u ID %s is already taken.', array('%u' => $name, '%s' => theme('placeholder', $authname))); } } @@ -594,7 +594,7 @@ function theme_user_picture($account) { $alt = t('%user\'s picture', array('%user' => $account->name ? $account->name : variable_get('anonymous', 'Anonymous'))); $picture = theme('image', $picture, $alt, $alt, '', false); if ($account->uid) { - $picture = l($picture, "user/$account->uid", array('title' => t('View user profile.'))); + $picture = l($picture, "user/$account->uid", array('title' => t('View user profile.')), NULL, NULL, FALSE, TRUE); } return "<div class=\"picture\">$picture</div>"; @@ -786,7 +786,7 @@ function user_login($edit = array(), $msg = '') { } if (user_deny('user', $edit['name'])) { - $error = t('The name %s has been denied access.', array('%s' => '<em>'. $edit['name'] .'</em>')); + $error = t('The name %s has been denied access.', array('%s' => theme('placeholder', $edit['name']))); } else if ($edit['name'] && $edit['pass']) { @@ -795,7 +795,7 @@ function user_login($edit = array(), $msg = '') { } if ($user->uid) { - watchdog('user', t('Session opened for %name.', array('%name' => "<em>$user->name</em>"))); + watchdog('user', t('Session opened for %name.', array('%name' => theme('placeholder', $user->name)))); // Update the user table timestamp noting user has logged in. db_query("UPDATE {users} SET changed = '%d' WHERE uid = '%s'", time(), $user->uid); @@ -807,9 +807,9 @@ function user_login($edit = array(), $msg = '') { } else { if (!$error) { - $error = t('Sorry. Unrecognized username or password.') .' '. l(t('Have you forgotten your password?'), 'user/password'); + $error = t('Sorry. Unrecognized username or password.') .' '. l(t('Have you forgotten your password?'), 'user/password'); } - watchdog('user', t('Login attempt failed for %user: %error.', array('%user' => '<em>'. $edit['name'] .'</em>', '%error' => '<em>'. $error .'</em>'))); + watchdog('user', t('Login attempt failed for %user: %error.', array('%user' => theme('placeholder', $edit['name']), '%error' => theme('placeholder', $error)))); } } @@ -851,10 +851,10 @@ function user_authenticate($name, $pass) { if (!$user->uid && $server && $result = user_get_authmaps("$name@$server")) { if (module_invoke(key($result), 'auth', $name, $pass, $server)) { $user = user_external_load("$name@$server"); - watchdog('user', t('External load by %user using module %module.', array('%user' => "<em>$name@$server</em>", '%module' => '<em>'. key($result) .'</em>'))); + watchdog('user', t('External load by %user using module %module.', array('%user' => theme('placeholder', $name .'@'. $server), '%module' => theme('placeholder', key($result))))); } else { - $error = t('Invalid password for %s.', array('%s' => "<em>$name@$server</em>")); + $error = t('Invalid password for %s.', array('%s' => theme('placeholder', $name .'@'. $server))); } } @@ -868,7 +868,7 @@ function user_authenticate($name, $pass) { $account = user_load(array('name' => "$name@$server")); if (!$account->uid) { // Register this new user. $user = user_save('', array('name' => "$name@$server", 'pass' => user_password(), 'init' => "$name@$server", 'status' => 1, "authname_$module" => "$name@$server", 'roles' => array(_user_authenticated_id()))); - watchdog('user', t('New external user: %user using module %module.', array('%user' => "<em>$name@$server</em>", '%module' => "<em>$module</em>")), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit')); + watchdog('user', t('New external user: %user using module %module.', array('%user' => theme('placeholder', $name .'@'. $server), '%module' => theme('placeholder', $module))), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit')); break; } } @@ -889,7 +889,7 @@ function _user_authenticated_id() { function user_logout() { global $user; - watchdog('user', t('Session closed for %name.', array('%name' => '<em>'. $user->name .'</em>'))); + watchdog('user', t('Session closed for %name.', array('%name' => theme('placeholder', $user->name)))); // Destroy the current session: session_destroy(); @@ -904,10 +904,10 @@ function user_pass() { $edit = $_POST['edit']; if ($edit['name'] && !($account = user_load(array('name' => $edit['name'], 'status' => 1)))) { - form_set_error('name', t('Sorry. The username %name is not recognized.', array('%name' => '<em>'. $edit['name'] .'</em>'))); + form_set_error('name', t('Sorry. The username %name is not recognized.', array('%name' => theme('placeholder', $edit['name'])))); } else if ($edit['mail'] && !($account = user_load(array('mail' => $edit['mail'], 'status' => 1)))) { - form_set_error('mail', t('Sorry. The e-mail address %email is not recognized.', array('%email' => '<em>'. $edit['mail'] .'</em>'))); + form_set_error('mail', t('Sorry. The e-mail address %email is not recognized.', array('%email' => theme('placeholder', $edit['mail'])))); } if ($account) { $from = variable_get('site_mail', ini_get('sendmail_from')); @@ -924,11 +924,11 @@ function user_pass() { $mail_success = user_mail($account->mail, $subject, $body, $headers); if ($mail_success) { - watchdog('user', t('Password mailed to %name at %email.', array('%name' => '<em>'. $account->name .'</em>', '%email' => '<em>'. $account->mail .'</em>'))); + watchdog('user', t('Password mailed to %name at %email.', array('%name' => theme('placeholder', $account->mail)))); drupal_set_message(t('Your password and further instructions have been sent to your e-mail address.')); } else { - watchdog('user', t('Error mailing password to %name at %email.', array('%name' => '<em>'. $account->name .'</em>', '%email' => '<em>'. $account->mail .'</em>')), WATCHDOG_ERROR); + watchdog('user', t('Error mailing password to %name at %email.', array('%name' => theme('placeholder', $account->name), '%email' => theme('placeholder', $account->mail))), WATCHDOG_ERROR); drupal_set_message(t('Unable to send mail. Please contact the site admin.')); } drupal_goto('user'); @@ -964,7 +964,7 @@ function user_register($edit = array()) { // TODO: Is this necessary? Won't session_write() replicate this? unset($edit['session']); $account = user_save('', array_merge(array('name' => $edit['name'], 'pass' => $pass, 'init' => $edit['mail'], 'mail' => $edit['mail'], 'roles' => array(_user_authenticated_id()), 'status' => (variable_get('user_register', 1) == 1 ? 1 : 0)), $edit)); - watchdog('user', t('New user: %name %email.', array('%name' => '<em>'. $edit['name'] .'</em>', '%email' => '<em><'. $edit['mail'] .'></em>')), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit')); + watchdog('user', t('New user: %name %email.', array('%name' => theme('placeholder', $edit['name']), '%email' => theme('placeholder', '<'. $edit['mail'] .'>'))), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit')); $variables = array('%username' => $edit['name'], '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $edit['mail'], '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE)); @@ -1057,10 +1057,10 @@ function user_edit_validate($uid, &$edit) { form_set_error('name', $error); } else if (db_num_rows(db_query("SELECT uid FROM {users} WHERE uid != %d AND LOWER(name) = LOWER('%s')", $uid, $edit['name'])) > 0) { - form_set_error('name', t('The name %name is already taken.', array('%name' => '<em>'. $edit['name'] .'</em>'))); + form_set_error('name', t('The name %name is already taken.', array('%name' => theme('placeholder', $edit['name'])))); } else if (user_deny('user', $edit['name'])) { - form_set_error('name', t('The name %name has been denied access.', array('%name' => '<em>'. $edit['name'] .'</em>'))); + form_set_error('name', t('The name %name has been denied access.', array('%name' => theme('placeholder', $edit['name'])))); } // Validate the e-mail address: @@ -1068,10 +1068,10 @@ function user_edit_validate($uid, &$edit) { form_set_error('mail', $error); } else if (db_num_rows(db_query("SELECT uid FROM {users} WHERE uid != %d AND LOWER(mail) = LOWER('%s')", $uid, $edit['mail'])) > 0) { - form_set_error('mail', t('The e-mail address %email is already taken.', array('%email' => '<em>'. $edit['mail'] .'</em>'))); + form_set_error('mail', t('The e-mail address %email is already taken.', array('%email' => theme('placeholder', $edit['mail'])))); } else if (user_deny('mail', $edit['mail'])) { - form_set_error('mail', t('The e-mail address %email has been denied access.', array('%email' => '<em>'. $edit['mail'] .'</em>'))); + form_set_error('mail', t('The e-mail address %email has been denied access.', array('%email' => theme('placeholder', $edit['mail'])))); } // Validate the user roles: @@ -1150,7 +1150,7 @@ function user_edit($category = 'account') { } else { $output = theme('confirm', - t('Are you sure you want to delete the account %name?', array('%name' => '<em>'. $account->name .'</em>')), + t('Are you sure you want to delete the account %name?', array('%name' => theme('placeholder', $account->name))), 'user/'. $account->uid, t('Deleting a user will remove all their submissions as well. This action cannot be undone.'), t('Delete')); @@ -1296,11 +1296,11 @@ function user_admin_create($edit = array()) { user_module_invoke('validate', $edit, $edit, 'account'); if (!form_get_errors()) { - watchdog('user', t('New user: %name %email.', array('%name' => '<em>'. $edit['name'] .'</em>', '%email' => '<em><'. $edit['mail'] .'></em>'))); + watchdog('user', t('New user: %name %email.', array('%name' => theme('placeholder', $edit['name']), '%email' => theme('placeholder', '<'. $edit['mail'] .'>')))); user_save('', array('name' => $edit['name'], 'pass' => $edit['pass'], 'init' => $edit['mail'], 'mail' => $edit['mail'], 'roles' => $edit['roles'], 'status' => 1)); - drupal_set_message(t('Created a new user account. No e-mail has been sent.')); + drupal_set_message(t('Created a new user account. No e-mail has been sent.')); return; } @@ -1327,10 +1327,10 @@ function user_admin_access_check() { if ($op) { if (user_deny($edit['type'], $edit['test'])) { - drupal_set_message(t('%test is not allowed.', array('%test' => '<em>'. $edit['test'] .'</em>'))); + drupal_set_message(t('%test is not allowed.', array('%test' => theme('placeholder', $edit['test'])))); } else { - drupal_set_message(t('%test is allowed.', array('%test' => '<em>'. $edit['test'] .'</em>'))); + drupal_set_message(t('%test is allowed.', array('%test' => theme('placeholder', $edit['test'])))); } } @@ -1383,7 +1383,7 @@ function user_admin_access_delete($aid = 0) { $edit = db_fetch_object(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid)); $output = theme('confirm', - t('Are you sure you want to delete the %type rule for %rule?', array('%type' => $access_types[$edit->type], '%rule' => '<em>'. $edit->mask .'</em>')), + t('Are you sure you want to delete the %type rule for %rule?', array('%type' => $access_types[$edit->type], '%rule' => theme('placeholder', $edit->mask))), 'admin/access/rules', t('This action cannot be undone.'), t('Delete'), @@ -1580,7 +1580,7 @@ function user_admin_role() { // Display the role form. $role = db_fetch_object(db_query('SELECT * FROM {role} WHERE rid = %d', $id)); - $output .= form_textfield(t('Role name'), 'name', $role->name, 32, 64, t('The name for this role. Example: "moderator", "editorial board", "site architect".')); + $output .= form_textfield(t('Role name'), 'name', $role->name, 32, 64, t('The name for this role. Example: "moderator", "editorial board", "site architect".')); $output .= form_submit(t('Save role')); $output .= form_submit(t('Delete role')); @@ -1615,7 +1615,7 @@ function user_admin_account() { array('data' => t('Username'), 'field' => 'u.name'), array('data' => t('Status'), 'field' => 'u.status'), array('data' => t('Roles')), - array('data' => t('Last access'), 'field' => 'u.changed', 'sort' => 'desc'), + array('data' => t('Last access'), 'field' => 'u.changed', 'sort' => 'desc'), t('Operations') ); $sql = 'SELECT u.uid, u.name, u.status, u.changed FROM {users} u WHERE uid != 0'; diff --git a/modules/user/user.module b/modules/user/user.module index 34caea9a0..4e873303f 100644 --- a/modules/user/user.module +++ b/modules/user/user.module @@ -216,13 +216,13 @@ function user_validate_name($name) { if (ereg(' ', $name)) return t('The username cannot contain multiple spaces in a row.'); if (ereg("[^\x80-\xF7 [:alnum:]@_.-]", $name)) return t('The username contains an illegal character.'); if (ereg('@', $name) && !eregi('@([0-9a-z](-?[0-9a-z])*.)+[a-z]{2}([zmuvtg]|fo|me)?$', $name)) return t('The username is not a valid authentication ID.'); - if (strlen($name) > 56) return t('The username %name is too long: it must be less than 56 characters.', array('%name' => "<em>$name</em>")); + if (strlen($name) > 56) return t('The username %name is too long: it must be less than 56 characters.', array('%name' => theme('placeholder', $name))); } function user_validate_mail($mail) { if (!$mail) return t('You must enter an e-mail address.'); if (!valid_email_address($mail)) { - return t('The e-mail address %mail is not valid.', array('%mail' => "<em>$mail</em>")); + return t('The e-mail address %mail is not valid.', array('%mail' => theme('placeholder', $mail))); } } @@ -262,7 +262,7 @@ function user_validate_authmap($account, $authname, $module) { $result = db_query("SELECT COUNT(*) from {authmap} WHERE uid != %d AND authname = '%s'", $account->uid, $authname); if (db_result($result) > 0) { $name = module_invoke($module, 'info', 'name'); - return t('The %u ID %s is already taken.', array('%u' => $name, '%s' => "<em>$authname</em>")); + return t('The %u ID %s is already taken.', array('%u' => $name, '%s' => theme('placeholder', $authname))); } } @@ -594,7 +594,7 @@ function theme_user_picture($account) { $alt = t('%user\'s picture', array('%user' => $account->name ? $account->name : variable_get('anonymous', 'Anonymous'))); $picture = theme('image', $picture, $alt, $alt, '', false); if ($account->uid) { - $picture = l($picture, "user/$account->uid", array('title' => t('View user profile.'))); + $picture = l($picture, "user/$account->uid", array('title' => t('View user profile.')), NULL, NULL, FALSE, TRUE); } return "<div class=\"picture\">$picture</div>"; @@ -786,7 +786,7 @@ function user_login($edit = array(), $msg = '') { } if (user_deny('user', $edit['name'])) { - $error = t('The name %s has been denied access.', array('%s' => '<em>'. $edit['name'] .'</em>')); + $error = t('The name %s has been denied access.', array('%s' => theme('placeholder', $edit['name']))); } else if ($edit['name'] && $edit['pass']) { @@ -795,7 +795,7 @@ function user_login($edit = array(), $msg = '') { } if ($user->uid) { - watchdog('user', t('Session opened for %name.', array('%name' => "<em>$user->name</em>"))); + watchdog('user', t('Session opened for %name.', array('%name' => theme('placeholder', $user->name)))); // Update the user table timestamp noting user has logged in. db_query("UPDATE {users} SET changed = '%d' WHERE uid = '%s'", time(), $user->uid); @@ -807,9 +807,9 @@ function user_login($edit = array(), $msg = '') { } else { if (!$error) { - $error = t('Sorry. Unrecognized username or password.') .' '. l(t('Have you forgotten your password?'), 'user/password'); + $error = t('Sorry. Unrecognized username or password.') .' '. l(t('Have you forgotten your password?'), 'user/password'); } - watchdog('user', t('Login attempt failed for %user: %error.', array('%user' => '<em>'. $edit['name'] .'</em>', '%error' => '<em>'. $error .'</em>'))); + watchdog('user', t('Login attempt failed for %user: %error.', array('%user' => theme('placeholder', $edit['name']), '%error' => theme('placeholder', $error)))); } } @@ -851,10 +851,10 @@ function user_authenticate($name, $pass) { if (!$user->uid && $server && $result = user_get_authmaps("$name@$server")) { if (module_invoke(key($result), 'auth', $name, $pass, $server)) { $user = user_external_load("$name@$server"); - watchdog('user', t('External load by %user using module %module.', array('%user' => "<em>$name@$server</em>", '%module' => '<em>'. key($result) .'</em>'))); + watchdog('user', t('External load by %user using module %module.', array('%user' => theme('placeholder', $name .'@'. $server), '%module' => theme('placeholder', key($result))))); } else { - $error = t('Invalid password for %s.', array('%s' => "<em>$name@$server</em>")); + $error = t('Invalid password for %s.', array('%s' => theme('placeholder', $name .'@'. $server))); } } @@ -868,7 +868,7 @@ function user_authenticate($name, $pass) { $account = user_load(array('name' => "$name@$server")); if (!$account->uid) { // Register this new user. $user = user_save('', array('name' => "$name@$server", 'pass' => user_password(), 'init' => "$name@$server", 'status' => 1, "authname_$module" => "$name@$server", 'roles' => array(_user_authenticated_id()))); - watchdog('user', t('New external user: %user using module %module.', array('%user' => "<em>$name@$server</em>", '%module' => "<em>$module</em>")), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit')); + watchdog('user', t('New external user: %user using module %module.', array('%user' => theme('placeholder', $name .'@'. $server), '%module' => theme('placeholder', $module))), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit')); break; } } @@ -889,7 +889,7 @@ function _user_authenticated_id() { function user_logout() { global $user; - watchdog('user', t('Session closed for %name.', array('%name' => '<em>'. $user->name .'</em>'))); + watchdog('user', t('Session closed for %name.', array('%name' => theme('placeholder', $user->name)))); // Destroy the current session: session_destroy(); @@ -904,10 +904,10 @@ function user_pass() { $edit = $_POST['edit']; if ($edit['name'] && !($account = user_load(array('name' => $edit['name'], 'status' => 1)))) { - form_set_error('name', t('Sorry. The username %name is not recognized.', array('%name' => '<em>'. $edit['name'] .'</em>'))); + form_set_error('name', t('Sorry. The username %name is not recognized.', array('%name' => theme('placeholder', $edit['name'])))); } else if ($edit['mail'] && !($account = user_load(array('mail' => $edit['mail'], 'status' => 1)))) { - form_set_error('mail', t('Sorry. The e-mail address %email is not recognized.', array('%email' => '<em>'. $edit['mail'] .'</em>'))); + form_set_error('mail', t('Sorry. The e-mail address %email is not recognized.', array('%email' => theme('placeholder', $edit['mail'])))); } if ($account) { $from = variable_get('site_mail', ini_get('sendmail_from')); @@ -924,11 +924,11 @@ function user_pass() { $mail_success = user_mail($account->mail, $subject, $body, $headers); if ($mail_success) { - watchdog('user', t('Password mailed to %name at %email.', array('%name' => '<em>'. $account->name .'</em>', '%email' => '<em>'. $account->mail .'</em>'))); + watchdog('user', t('Password mailed to %name at %email.', array('%name' => theme('placeholder', $account->mail)))); drupal_set_message(t('Your password and further instructions have been sent to your e-mail address.')); } else { - watchdog('user', t('Error mailing password to %name at %email.', array('%name' => '<em>'. $account->name .'</em>', '%email' => '<em>'. $account->mail .'</em>')), WATCHDOG_ERROR); + watchdog('user', t('Error mailing password to %name at %email.', array('%name' => theme('placeholder', $account->name), '%email' => theme('placeholder', $account->mail))), WATCHDOG_ERROR); drupal_set_message(t('Unable to send mail. Please contact the site admin.')); } drupal_goto('user'); @@ -964,7 +964,7 @@ function user_register($edit = array()) { // TODO: Is this necessary? Won't session_write() replicate this? unset($edit['session']); $account = user_save('', array_merge(array('name' => $edit['name'], 'pass' => $pass, 'init' => $edit['mail'], 'mail' => $edit['mail'], 'roles' => array(_user_authenticated_id()), 'status' => (variable_get('user_register', 1) == 1 ? 1 : 0)), $edit)); - watchdog('user', t('New user: %name %email.', array('%name' => '<em>'. $edit['name'] .'</em>', '%email' => '<em><'. $edit['mail'] .'></em>')), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit')); + watchdog('user', t('New user: %name %email.', array('%name' => theme('placeholder', $edit['name']), '%email' => theme('placeholder', '<'. $edit['mail'] .'>'))), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit')); $variables = array('%username' => $edit['name'], '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $edit['mail'], '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE)); @@ -1057,10 +1057,10 @@ function user_edit_validate($uid, &$edit) { form_set_error('name', $error); } else if (db_num_rows(db_query("SELECT uid FROM {users} WHERE uid != %d AND LOWER(name) = LOWER('%s')", $uid, $edit['name'])) > 0) { - form_set_error('name', t('The name %name is already taken.', array('%name' => '<em>'. $edit['name'] .'</em>'))); + form_set_error('name', t('The name %name is already taken.', array('%name' => theme('placeholder', $edit['name'])))); } else if (user_deny('user', $edit['name'])) { - form_set_error('name', t('The name %name has been denied access.', array('%name' => '<em>'. $edit['name'] .'</em>'))); + form_set_error('name', t('The name %name has been denied access.', array('%name' => theme('placeholder', $edit['name'])))); } // Validate the e-mail address: @@ -1068,10 +1068,10 @@ function user_edit_validate($uid, &$edit) { form_set_error('mail', $error); } else if (db_num_rows(db_query("SELECT uid FROM {users} WHERE uid != %d AND LOWER(mail) = LOWER('%s')", $uid, $edit['mail'])) > 0) { - form_set_error('mail', t('The e-mail address %email is already taken.', array('%email' => '<em>'. $edit['mail'] .'</em>'))); + form_set_error('mail', t('The e-mail address %email is already taken.', array('%email' => theme('placeholder', $edit['mail'])))); } else if (user_deny('mail', $edit['mail'])) { - form_set_error('mail', t('The e-mail address %email has been denied access.', array('%email' => '<em>'. $edit['mail'] .'</em>'))); + form_set_error('mail', t('The e-mail address %email has been denied access.', array('%email' => theme('placeholder', $edit['mail'])))); } // Validate the user roles: @@ -1150,7 +1150,7 @@ function user_edit($category = 'account') { } else { $output = theme('confirm', - t('Are you sure you want to delete the account %name?', array('%name' => '<em>'. $account->name .'</em>')), + t('Are you sure you want to delete the account %name?', array('%name' => theme('placeholder', $account->name))), 'user/'. $account->uid, t('Deleting a user will remove all their submissions as well. This action cannot be undone.'), t('Delete')); @@ -1296,11 +1296,11 @@ function user_admin_create($edit = array()) { user_module_invoke('validate', $edit, $edit, 'account'); if (!form_get_errors()) { - watchdog('user', t('New user: %name %email.', array('%name' => '<em>'. $edit['name'] .'</em>', '%email' => '<em><'. $edit['mail'] .'></em>'))); + watchdog('user', t('New user: %name %email.', array('%name' => theme('placeholder', $edit['name']), '%email' => theme('placeholder', '<'. $edit['mail'] .'>')))); user_save('', array('name' => $edit['name'], 'pass' => $edit['pass'], 'init' => $edit['mail'], 'mail' => $edit['mail'], 'roles' => $edit['roles'], 'status' => 1)); - drupal_set_message(t('Created a new user account. No e-mail has been sent.')); + drupal_set_message(t('Created a new user account. No e-mail has been sent.')); return; } @@ -1327,10 +1327,10 @@ function user_admin_access_check() { if ($op) { if (user_deny($edit['type'], $edit['test'])) { - drupal_set_message(t('%test is not allowed.', array('%test' => '<em>'. $edit['test'] .'</em>'))); + drupal_set_message(t('%test is not allowed.', array('%test' => theme('placeholder', $edit['test'])))); } else { - drupal_set_message(t('%test is allowed.', array('%test' => '<em>'. $edit['test'] .'</em>'))); + drupal_set_message(t('%test is allowed.', array('%test' => theme('placeholder', $edit['test'])))); } } @@ -1383,7 +1383,7 @@ function user_admin_access_delete($aid = 0) { $edit = db_fetch_object(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid)); $output = theme('confirm', - t('Are you sure you want to delete the %type rule for %rule?', array('%type' => $access_types[$edit->type], '%rule' => '<em>'. $edit->mask .'</em>')), + t('Are you sure you want to delete the %type rule for %rule?', array('%type' => $access_types[$edit->type], '%rule' => theme('placeholder', $edit->mask))), 'admin/access/rules', t('This action cannot be undone.'), t('Delete'), @@ -1580,7 +1580,7 @@ function user_admin_role() { // Display the role form. $role = db_fetch_object(db_query('SELECT * FROM {role} WHERE rid = %d', $id)); - $output .= form_textfield(t('Role name'), 'name', $role->name, 32, 64, t('The name for this role. Example: "moderator", "editorial board", "site architect".')); + $output .= form_textfield(t('Role name'), 'name', $role->name, 32, 64, t('The name for this role. Example: "moderator", "editorial board", "site architect".')); $output .= form_submit(t('Save role')); $output .= form_submit(t('Delete role')); @@ -1615,7 +1615,7 @@ function user_admin_account() { array('data' => t('Username'), 'field' => 'u.name'), array('data' => t('Status'), 'field' => 'u.status'), array('data' => t('Roles')), - array('data' => t('Last access'), 'field' => 'u.changed', 'sort' => 'desc'), + array('data' => t('Last access'), 'field' => 'u.changed', 'sort' => 'desc'), t('Operations') ); $sql = 'SELECT u.uid, u.name, u.status, u.changed FROM {users} u WHERE uid != 0'; diff --git a/themes/chameleon/chameleon.theme b/themes/chameleon/chameleon.theme index 78d0cc5e3..86c774c10 100644 --- a/themes/chameleon/chameleon.theme +++ b/themes/chameleon/chameleon.theme @@ -18,10 +18,12 @@ function chameleon_features() { function chameleon_page($content) { $language = $GLOBALS['locale']; + $title = drupal_get_title(); + $output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n"; $output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\">\n"; $output .= "<head>\n"; - $output .= " <title>". ($title ? $title ." | ". variable_get("site_name", "drupal") : variable_get("site_name", "drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n"; + $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "drupal") : variable_get("site_name", "drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n"; $output .= drupal_get_html_head(); $output .= " <link rel=\"stylesheet\" type=\"text/css\" href=\"themes/chameleon/common.css\" />\n"; $output .= theme_get_styles(); @@ -63,7 +65,7 @@ function chameleon_page($content) { $output .= " <td id=\"main\">\n"; - if ($title = drupal_get_title()) { + if ($title) { $output .= theme("breadcrumb", drupal_get_breadcrumb()); $output .= "<h2>$title</h2>"; } @@ -107,7 +109,7 @@ function chameleon_node($node, $main = 0, $page = 0) { $output = "<div class=\"node\">\n"; if (!$page) { - $output .= " <h2 class=\"title\">". ($main ? l($node->title, "node/$node->nid") : $node->title) ."</h2>\n"; + $output .= " <h2 class=\"title\">". ($main ? l($node->title, "node/$node->nid") : check_plain($node->title)) ."</h2>\n"; } $output .= " <div class=\"content\">\n"; diff --git a/themes/engines/xtemplate/xtemplate.engine b/themes/engines/xtemplate/xtemplate.engine index 0a5a16a43..c7bb12d18 100644 --- a/themes/engines/xtemplate/xtemplate.engine +++ b/themes/engines/xtemplate/xtemplate.engine @@ -45,7 +45,7 @@ function xtemplate_node($node, $main = 0, $page = 0) { array("%a" => format_name($node), "%b" => format_date($node->created))) : '', "link" => url("node/$node->nid"), - "title" => $node->title, + "title" => check_plain($node->title), "author" => format_name($node), "date" => format_date($node->created), "sticky" => ($main && $node->sticky) ? 'sticky' : '', @@ -116,7 +116,7 @@ function xtemplate_page($content) { $xtemplate->template->assign(array( "language" => $GLOBALS['locale'], - "head_title" => (drupal_get_title() ? drupal_get_title() ." | ". variable_get("site_name", "drupal") : variable_get("site_name", "drupal") ." | ". variable_get("site_slogan", "")), + "head_title" => (drupal_get_title() ? strip_tags(drupal_get_title()) ." | ". variable_get("site_name", "drupal") : variable_get("site_name", "drupal") ." | ". variable_get("site_slogan", "")), "head" => drupal_get_html_head(), "styles" => theme_get_styles(), "onload_attributes" => theme_onload_attribute(), |