Diffstat (limited to 'modules/taxonomy')
-rw-r--r-- | modules/taxonomy/taxonomy.module | 48 |
1 files changed, 45 insertions, 3 deletions
diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module
index 7995e855c..4c1ab559a 100644
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -509,10 +509,25 @@ function taxonomy_terms_static_reset() {
 /**
 * Generate a form element for selecting terms from a vocabulary.
+ *
+ * @param $vid
+ * The vocabulary ID to generate a form element for
+ * @param $value
+ * The existing value of the term(s) in this vocabulary to use by default.
+ * @param $help
+ * Optional help text to use for the form element. If specified, this value
+ * MUST be properly sanitized and filtered (e.g. with filter_xss_admin() or
+ * check_plain() if it is user-supplied) to prevent XSS vulnerabilities. If
+ * omitted, the help text stored with the vocaulary (if any) will be used.
+ * @return
+ * An array describing a form element to select terms for a vocabulary.
+ *
+ * @see _taxonomy_term_select()
+ * @see filter_xss_admin()
 */
 function taxonomy_form($vid, $value = 0, $help = NULL) {
 $vocabulary = taxonomy_vocabulary_load($vid);
- $help = ($help) ? $help : $vocabulary->help;
+ $help = ($help) ? $help : filter_xss_admin($vocabulary->help);

 if (!$vocabulary->multiple) {
 $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
@@ -599,7 +614,7 @@ function taxonomy_form_alter(&$form, $form_state, $form_id) {
 $typed_string = taxonomy_implode_tags($terms, $vocabulary->vid) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
 }
 if ($vocabulary->help) {
- $help = $vocabulary->help;
+ $help = filter_xss_admin($vocabulary->help);
 }
 else {
 $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc."');
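Review bot: The sanitized fallback on the new `$help = ($help) ? $help : filter_xss_admin($vocabulary->help);` line covers only the stored vocabulary help; a caller-supplied `$help` is still used verbatim, so the element's safety rests on the docblock contract alone and is not visible at the point of use. A short comment there would make that explicit: `// A caller-supplied $help is trusted as already sanitized (see docblock); only the stored value is filtered here.` The same hunk's docblock has a typo, `vocaulary` for `vocabulary`, and the `$vid` description lacks a trailing period. taxonomy_form() continues past the end of the hunk.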
@@ -623,7 +638,7 @@ function taxonomy_form_alter(&$form, $form_state, $form_id) {
 $default_terms[$term->tid] = $term;
 }
 }
- $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
+ $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
 $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
 $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
 }
@@ -1399,6 +1414,33 @@ function taxonomy_get_term_data($tid) {
 return $terms[$tid];
 }

+/**
+ * Create a select form element for a given taxonomy vocabulary.
+ *
+ * NOTE: This function expects input that has already been sanitized and is
+ * safe for display. Callers must properly sanitize the $title and
+ * $description arguments to prevent XSS vulnerabilities.
+ *
+ * @param $title
+ * The title of the vocabulary. This MUST be sanitized by the caller.
+ * @param $value
+ * The currently selected terms from this vocabulary, if any.
+ * @param $vocabulary_id
+ * The vocabulary ID to build the form element for.
+ * @param $description
+ * Help text for the form element. This MUST be sanitized by the caller.
+ * @param $multiple
+ * Boolean to control if the form should use a single or multiple select.
+ * @param $blank
+ * Optional form choice to use when no value has been selected.
+ * @param $exclude
+ * Optional array of term ids to exclude in the selector.
+ * @return
+ * A FAPI form array to select terms from the given vocabulary.
+ *
+ * @see taxonomy_form()
+ * @see taxonomy_form_term()
+ */
 function _taxonomy_term_select($title, $value, $vocabulary_id, $description, $multiple, $blank, $exclude = array()) {
 $tree = taxonomy_get_tree($vocabulary_id);
 $options = array(); |
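Review bot: Wrapping the third argument in `filter_xss_admin()` at this call site duplicates the sanitization that taxonomy_form() now performs itself in its `$help` fallback (first hunk), so the stored help text is filtered in two places that must be kept in sync. Unless the extra call is intended as defence in depth, omitting the argument should be equivalent and lets taxonomy_form() own the single sanitization step: `$form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms));`. The tags path in the second hunk filters the same stored value directly, which is fine there since no helper sits between it and the form. taxonomy_form_alter() starts and ends outside this hunk.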
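Review bot: The new docblock places the burden of sanitizing `$title` and `$description` on the callers of _taxonomy_term_select(), but this commit only shows the help/description side being filtered; whether the `$title` passed from taxonomy_form() and taxonomy_form_term(), both listed under @see, is sanitized cannot be verified from this diff and is worth checking at those call sites. Since the function is module-private (leading underscore), that check is bounded to this module. As a documentation nit, the first hunk's docblock names the expected sanitizer via `@see filter_xss_admin()`; repeating that here would make the "MUST be sanitized" contract actionable for the next maintainer. _taxonomy_term_select() continues past the end of the hunk.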