Diffstat (limited to 'modules/system')
-rw-r--r-- | modules/system/system.module | 7 | ||||
-rw-r--r-- | modules/system/system.test | 65 |
2 files changed, 71 insertions, 1 deletions
diff --git a/modules/system/system.module b/modules/system/system.module
index 2ccdbc01a..448dcec1f 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -1296,6 +1296,11 @@ function system_node_type($op, $info) {
 * confirmed the action. You should never directly inspect $_POST to see if an
 * action was confirmed.
 *
+ * Note - if the parameters $question, $description, $yes, or $no could contain
+ * any user input (such as node titles or taxonomy terms), it is the
+ * responsibility of the code calling confirm_form() to sanitize them first with
+ * a function like check_plain() or filter_xss().
+ *
 * @ingroup forms
 * @param $form
 * Additional elements to inject into the form, for example hidden elements.
@@ -1329,7 +1334,7 @@ function confirm_form($form, $question, $path, $description = NULL, $yes = NULL,
 }
 $cancel = l($no ? $no : t('Cancel'), $path, array('query' => $query, 'fragment' => $fragment));
 
- drupal_set_title($question);
+ drupal_set_title($question, PASS_THROUGH);
 
 // Confirm form fails duplication check, as the form values rarely change -- so skip it.
 $form['#skip_duplicate_check'] = TRUE;
diff --git a/modules/system/system.test b/modules/system/system.test
index 78d74d70e..8934316ac 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
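Review bot: The added note tells callers to sanitize `$no` as well, but in the next hunk `$no` is handed to `l()` as link text, and if `l()` escapes its text by default here (as it does unless `'html' => TRUE` is passed) a caller that check_plain()s `$no` first ends up with a double-escaped Cancel link. Worth confirming against `l()` and, if so, narrowing the note to the parameters that really are output unfiltered, and saying why: `* Note - $question is set as the page title with PASS_THROUGH and is not escaped by confirm_form(); if it (or $description) could contain user input such as node titles or taxonomy terms, the caller must sanitize it first with check_plain() or filter_xss().` The docblock belongs to confirm_form(), whose definition starts below this hunk.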
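Review bot: `drupal_set_title($question, PASS_THROUGH)` drops the escaping that the default CHECK_PLAIN filter previously applied, so any existing confirm_form() caller that passes a raw node title or term name as `$question` turns into an HTML-injection/XSS in the page title; the docblock note does not fix those call sites by itself and none are audited in this commit. Consider a reminder at the call site, `// Unfiltered on purpose: callers must sanitize $question (see docblock).`, and a pass over confirm_form() callers for unsanitized `$question` before this lands. confirm_form()'s body starts before and ends after this hunk.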
@@ -467,3 +467,68 @@ class PageNotFoundTestCase extends DrupalWebTestCase {
 $this->assertNoText(t('User login'), t('Blocks are not shown on the default 404 page'));
 }
 }
+
+class PageTitleFiltering extends DrupalWebTestCase {
+ protected $content_user;
+ protected $saved_title;
+
+ /**
+ * Implementation of getInfo().
+ */
+ function getInfo() {
+ return array(
+ 'name' => t('HTML in page titles'),
+ 'description' => t('Tests correct handling or conversion by drupal_set_title() and drupal_get_title().'),
+ 'group' => t('System')
+ );
+ }
+
+ /**
+ * Implementation of setUp().
+ */
+ function setUp() {
+ parent::setUp();
+
+ $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+ $this->drupalLogin($this->content_user);
+ $this->saved_title = drupal_get_title();
+ }
+
+ /**
+ * Reset page title.
+ */
+ function tearDown() {
+ // Restore the page title.
+ drupal_set_title($this->saved_title, PASS_THROUGH);
+
+ parent::tearDown();
+ }
+
+ /**
+ * Tests the handling of HTML by drupal_set_title() and drupal_get_title()
+ */
+ function testTitleTags() {
+ $title = "string with <em>HTML</em>";
+ // drupal_set_title's $filter is CHECK_PLAIN by default, so the title should be
+ // returned with check_plain().
+ drupal_set_title($title, CHECK_PLAIN);
+ $this->assertTrue(strpos(drupal_get_title(), '<em>') === FALSE, t('Tags in title converted to entities when $output is CHECK_PLAIN.'));
+ // drupal_set_title's $filter is passed as PASS_THROUGH, so the title should be
+ // returned with HTML.
+ drupal_set_title($title, PASS_THROUGH);
+ $this->assertTrue(strpos(drupal_get_title(), '<em>') !== FALSE, t('Tags in title are not converted to entities when $output is PASS_THROUGH.'));
+ // Generate node content.
+ $edit = array(
+ 'title' => '!SimpleTest! ' . $title . $this->randomName(20),
+ 'body' => '!SimpleTest! test body' . $this->randomName(200),
+ );
+ // Create the node with HTML in the title.
+ $this->drupalPost('node/add/page', $edit, t('Save'));
+
+ $node = node_load(array('title' => $edit['title']));
+ $this->assertNotNull($node, 'Node created and found in database');
+ $this->drupalGet("node/" . $node->nid);
+ $this->assertText(check_plain($edit['title']), 'Check to make sure tags in the node title are converted.');
+ }
+}
+ |
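Review bot: The new test never calls confirm_form(), the function whose title escaping the system.module hunk changes, so the PASS_THROUGH regression has no coverage; a case that loads a confirm form whose `$question` contains `<em>` and asserts the raw markup is absent from the page would pin it. `$this->assertNotNull($node, ...)` is also ineffective if node_load() returns FALSE rather than NULL when no row matches (as I believe it does in this codebase), so `$node->nid` on the next line would emit a notice instead of the test failing cleanly; `$this->assertTrue(is_object($node), 'Node created and found in database');` would fail properly. Finally, `assertText(check_plain($edit['title']))` only shows the escaped form is present; pairing it with an assertion that the raw `<em>HTML</em>` does not appear (assertNoRaw(), if the base class offers it) tests the XSS case directly rather than by implication.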