From be14203534c5f09d0c70c2bf59b81b80f2a90b32 Mon Sep 17 00:00:00 2001 From: Steven Wittens Date: Thu, 31 Mar 2005 09:25:33 +0000 Subject: - #18817: Clean up plain-text checking (see drupal-devel!) --- includes/bootstrap.inc | 12 ++++----- includes/common.inc | 72 ++++++++++++++++++++++---------------------------- includes/file.inc | 8 +++--- includes/locale.inc | 52 ++++++++++++++++++------------------ includes/pager.inc | 6 ++--- includes/tablesort.inc | 4 +-- includes/theme.inc | 22 ++++++++++++--- 7 files changed, 92 insertions(+), 84 deletions(-) (limited to 'includes') diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 509779049..3ec573846 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -393,7 +393,7 @@ function drupal_get_title() { if (!isset($title)) { // during a bootstrap, menu.inc is not included and thus we cannot provide a title if (function_exists('menu_get_active_title')) { - $title = menu_get_active_title(); + $title = check_plain(menu_get_active_title()); } } @@ -509,7 +509,7 @@ function drupal_unpack($obj, $field = 'data') { */ function referer_uri() { if (isset($_SERVER['HTTP_REFERER'])) { - return check_url($_SERVER['HTTP_REFERER']); + return $_SERVER['HTTP_REFERER']; } } @@ -537,14 +537,14 @@ function arg($index) { } /** - * Prepare user input for use in a URI. + * Prepare a URL for use in an HTML attribute. * - * We replace ( and ) with their entity equivalents to prevent XSS attacks. + * We replace ( and ) with their url-encoded equivalents to prevent XSS attacks. */ function check_url($uri) { $uri = htmlspecialchars($uri, ENT_QUOTES); - $uri = strtr($uri, array('(' => '&040;', ')' => '&041;')); + $uri = strtr($uri, array('(' => '%28', ')' => '%29')); return $uri; } @@ -567,7 +567,7 @@ function request_uri() { } } - return check_url($uri); + return $uri; } /** diff --git a/includes/common.inc b/includes/common.inc index f3abbac85..b6a8807c8 100644 --- a/includes/common.inc +++ b/includes/common.inc 
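Review bot: referer_uri() now returns `$_SERVER['HTTP_REFERER']` untouched and request_uri() likewise returns the bare `$uri`, but neither docblock says so; both used to return check_url()'d values, so any existing caller that relied on that escaping now emits an unescaped, request-controlled string. Add a line to each docblock, e.g. `* Returns the raw request value; pass it through check_url() (or check_plain()) before output.` Both function bodies begin before their hunks and the caller audit is outside this diff, so I cannot confirm from here that every caller was updated.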
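Review bot: check_url()'s rewritten docblock still says it exists "to prevent XSS attacks", but the function only entity-escapes and rewrites `(`/`)`; it does not inspect the URL's scheme or structure, and this commit now relies on it for the RSS `link` elements in format_rss_channel()/format_rss_item() and for pager_link()'s return value. Make the contract explicit so nobody reads it as URL validation: `* Escapes characters only; it does not validate the URL or its scheme, so pass only URLs that are trusted or have been checked separately.` A one-line comment that the `%28`/`%29` substitution is safe to run after htmlspecialchars() (neither character is touched by the entity pass) would also save the next reader the check.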
@@ -173,8 +173,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { extract(parse_url($_REQUEST['edit']['destination'])); } - // Translate & to simply & in the absolute URL. - $url = str_replace('&', '&', url($path, $query, $fragment, TRUE)); + $url = url($path, $query, $fragment, TRUE); if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) { $sid = session_name() . '=' . session_id(); @@ -203,7 +202,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { */ function drupal_not_found() { header('HTTP/1.0 404 Not Found'); - watchdog('page not found', t('%page not found.', array('%page' => ''. db_escape_string($_GET['q']) .'')), WATCHDOG_WARNING); + watchdog('page not found', t('%page not found.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING); $path = drupal_get_normal_path(variable_get('site_404', '')); $status = MENU_NOT_FOUND; @@ -223,7 +222,7 @@ function drupal_not_found() { */ function drupal_access_denied() { header('HTTP/1.0 403 Forbidden'); - watchdog('access denied', t('%page denied access.', array('%page' => ''. db_escape_string($_GET['q']) .'')), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); + watchdog('access denied', t('%page denied access.', array('%page' => theme('placeholder', $_GET['q']))), WATCHDOG_WARNING, l(t('view'), $_GET['q'])); $path = drupal_get_normal_path(variable_get('site_403', '')); $status = MENU_NOT_FOUND; 
@@ -549,15 +548,10 @@ function t($string, $args = 0) { } /** - * Encode special characters in a string for display as HTML. - * - * Note that we'd like to use htmlspecialchars($input, $quotes, 'utf-8') - * as outlined in the PHP manual, but we can't because there's a bug in - * PHP < 4.3 that makes it mess up multibyte charsets if we specify the - * charset. This will be changed later once we make PHP 4.3 a requirement. + * Encode special characters in a plain-text string for display as HTML. */ -function drupal_specialchars($input, $quotes = ENT_NOQUOTES) { - return htmlspecialchars($input, $quotes); +function check_plain($text) { + return htmlspecialchars($text, ENT_QUOTES); } /** @@ -642,7 +636,7 @@ function valid_input_data($data) { $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data); if ($match) { - watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => ''. drupal_specialchars($data) .''))); + watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => theme('placeholder', $data)))); return FALSE; } } @@ -680,10 +674,6 @@ function flood_is_allowed($name, $threshold) { return ($number < $threshold ? TRUE : FALSE); } -function check_form($text) { - return drupal_specialchars($text, ENT_QUOTES); -} - function check_file($filename) { return is_uploaded_file($filename); } 
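Review bot: The new check_plain() docblock drops the rationale drupal_specialchars() carried for calling htmlspecialchars() without a charset argument (the PHP < 4.3 multibyte bug), yet the call still omits the charset, so the reason now survives only in history. Keep that note and state the limit it implies: `* Note: no charset is passed (PHP < 4.3 multibyte bug), so the input is not validated as UTF-8; callers must not rely on this to reject malformed byte sequences.` Documenting `@param $text` as plain text and `@return` as HTML is also worthwhile, since theme_placeholder() and the RSS helpers in this commit depend on exactly that contract.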
@@ -703,12 +693,12 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en // arbitrary elements may be added using the $args associative array $output = "\n"; - $output .= ' '. drupal_specialchars(strip_tags($title)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($link)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($description)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($language)) ."\n"; + $output .= ' '. check_plain($title) ."\n"; + $output .= ' '. check_url($link) ."\n"; + $output .= ' '. check_plain($description) ."\n"; + $output .= ' '. check_plain($language) ."\n"; foreach ($args as $key => $value) { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."\n"; } $output .= $items; $output .= "\n"; @@ -723,9 +713,9 @@ function format_rss_channel($title, $link, $description, $items, $language = 'en */ function format_rss_item($title, $link, $description, $args = array()) { $output = "\n"; - $output .= ' '. drupal_specialchars(strip_tags($title)) ."\n"; - $output .= ' '. drupal_specialchars(strip_tags($link)) ."\n"; - $output .= ' '. drupal_specialchars($description) ."\n"; + $output .= ' '. check_plain($title) ."\n"; + $output .= ' '. check_url($link) ."\n"; + $output .= ' '. check_plain($description) ."\n"; foreach ($args as $key => $value) { if (is_array($value)) { if ($value['key']) { @@ -743,7 +733,7 @@ function format_rss_item($title, $link, $description, $args = array()) { } } else { - $output .= ' <'. $key .'>'. drupal_specialchars(strip_tags($value)) ."\n"; + $output .= ' <'. $key .'>'. check_plain($value) ."\n"; } } $output .= "\n"; 
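Review bot: In format_rss_channel() and format_rss_item(), the `$args` loop now escapes `$value` with check_plain() while `$key` is still written straight into the element name via `'<'. $key .'>'`, so the new escaping is one-sided. If `$args` is always built from module code this is fine, but the docblocks (outside the hunks) should say so, e.g. `* @param $args Extra elements keyed by XML element name; keys must be trusted, valid element names, only values are escaped.` Also, `check_url($link)` is documented for attribute context but is used here as element content; that is safe because it escapes a superset of what element text needs, and a short comment saying so would prevent a later "fix" to check_plain() that drops the parenthesis handling.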
@@ -1212,7 +1202,7 @@ function form_checkboxes($title, $name, $values, $options, $description = NULL, */ function form_textfield($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1239,7 +1229,7 @@ function form_textfield($title, $name, $value, $size, $maxlength, $description = */ function form_password($title, $name, $value, $size, $maxlength, $description = NULL, $attributes = NULL, $required = FALSE) { $size = $size ? ' size="'. $size .'"' : ''; - return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); + return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); } /** @@ -1275,7 +1265,7 @@ function form_textarea($title, $name, $value, $cols, $rows, $description = NULL, } } - $output .= theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); + $output .= theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); // e.g. optionally plug in a WYSIWYG editor foreach (module_list() as $module_name) { @@ -1321,12 +1311,12 @@ function form_select($title, $name, $value, $options, $description = NULL, $extr if (is_array($choice)) { $select .= ''; foreach ($choice as $key => $choice) { - $select .= ''; + $select .= ''; } $select .= ''; } else { - $select .= ''; + $select .= ''; } } return theme('form_element', $title, '', $description, 'edit-'. $name, $required, _form_get_error($name)); 
@@ -1370,7 +1360,7 @@ function form_file($title, $name, $size, $description = NULL, $required = FALSE) * an attacker to change the value before it is submitted. */ function form_hidden($name, $value) { - return '\n"; + return '\n"; } /** @@ -1389,7 +1379,7 @@ function form_hidden($name, $value) { * A themed HTML string representing the button. */ function form_button($value, $name = 'op', $type = 'submit', $attributes = NULL) { - return '\n"; + return '\n"; } /** @@ -1476,12 +1466,12 @@ function url($path = NULL, $query = NULL, $fragment = NULL, $absolute = FALSE) { $fragment = '#'. $fragment; } - $base = ($absolute ? $base_url . '/' : ''); + $base = ($absolute ? $base_url .'/' : ''); if (variable_get('clean_url', '0') == '0') { if (isset($path)) { if (isset($query)) { - return $base . $script .'?q='. $path .'&'. $query . $fragment; + return $base . $script .'?q='. $path .'&'. $query . $fragment; } else { return $base . $script .'?q='. $path . $fragment; @@ -1528,7 +1518,7 @@ function drupal_attributes($attributes = array()) { if ($attributes) { $t = array(); foreach ($attributes as $key => $value) { - $t[] = $key .'="'. $value .'"'; + $t[] = $key .'="'. check_plain($value) .'"'; } return ' '. implode($t, ' '); @@ -1555,10 +1545,12 @@ function drupal_attributes($attributes = array()) { * @param $absolute * Whether to force the output to be an absolute link (beginning with http:). * Useful for links that will be displayed outside the site, such as in an RSS feed. + * @param $html + * Whether the title is HTML, or just plain-text. * @return * an HTML string containing a link to the given path. */ -function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE) { +function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE, $html = FALSE) { if (drupal_get_normal_path($path) == $_GET['q']) { if (isset($attributes['class'])) { $attributes['class'] .= ' active'; 
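Review bot: drupal_attributes() now runs check_plain() over each `$value` but still concatenates `$key` unescaped as the attribute name, so the safety of the output depends on callers never deriving attribute names from input. Document that contract on the function: `* @param $attributes Associative array of attribute name => plain-text value. Names are emitted as-is and must come from code; values are escaped here.` The function begins before the hunk, so the docblock to extend is outside this diff.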
@@ -1567,7 +1559,7 @@ function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $attributes['class'] = 'active'; } } - return ''. $text .''; + return ''. ($html ? $text : check_plain($text)) .''; } /** @@ -1679,7 +1671,7 @@ function drupal_convert_to_utf8($data, $encoding) { $out = @mb_convert_encoding($data, 'utf-8', $encoding); } else if (function_exists('recode_string')) { - $out = @recode_string($encoding . '..utf-8', $data); + $out = @recode_string($encoding .'..utf-8', $data); } else { watchdog('php', t("Unsupported encoding '%s'. Please install iconv, GNU recode or mbstring for PHP.", $encoding), WATCHDOG_ERROR); @@ -1705,7 +1697,7 @@ function drupal_convert_to_utf8($data, $encoding) { * @param $len * An upper limit on the returned string length. * @param $wordsafe - * Flag to truncate at nearest word boundary. Defaults to FALSE. + * Flag to truncate at nearest space. Defaults to FALSE. * @return * The truncated string. */ diff --git a/includes/file.inc b/includes/file.inc index b8bf30b11..18ce0f9d9 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -76,11 +76,11 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check if directory exists. if (!is_dir($directory)) { if (($mode & FILE_CREATE_DIRECTORY) && @mkdir($directory, 0760)) { - drupal_set_message(t('Created directory %directory.', array('%directory' => "$directory"))); + drupal_set_message(t('Created directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { if ($form_item) { - form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => "$directory"))); + form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => theme('placeholder', $directory)))); } return false; } 
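Review bot: The new `($html ? $text : check_plain($text))` branch in l() means a TRUE `$html` bypasses escaping entirely, but the `@param $html` text added in the previous hunk ("Whether the title is HTML, or just plain-text.") does not say who is then responsible. Extend it: `* Whether the title is HTML, or just plain-text. When TRUE the text is emitted verbatim, so the caller must have escaped any user-supplied parts.` Defaulting to FALSE is the right choice; tablesort_header() in this commit is the first caller to pass TRUE and builds the title from `$cell['data'] . $image` without check_plain(), which is only safe if header labels never come from input. l()'s body starts outside the hunk.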
@@ -89,10 +89,10 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { // Check to see if the directory is writable. if (!is_writable($directory)) { if (($mode & FILE_MODIFY_PERMISSIONS) && @chmod($directory, 0760)) { - drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => "$directory"))); + drupal_set_message(t('Modified permissions on directory %directory.', array('%directory' => theme('placeholder', $directory)))); } else { - form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => "$directory"))); + form_set_error($form_item, t('The directory %directory is not writable.', array('%directory' => theme('placeholder', $directory)))); return false; } } diff --git a/includes/locale.inc b/includes/locale.inc index 03e6dd098..77bae2b81 100644 --- a/includes/locale.inc +++ b/includes/locale.inc 
@@ -23,14 +23,14 @@ function _locale_add_language($code, $name, $onlylanguage = TRUE) { // the language addition, we need to inform the user on how to start // a translation if ($onlylanguage) { - $message = t('%locale language added. You can now import a translation. See the help screen for more information.', array('%locale' => ''. t($name) .'', '%locale-help' => url('admin/help/locale'))); + $message = t('%locale language added. You can now import a translation. See the help screen for more information.', array('%locale' => theme('placeholder', t($name)), '%locale-help' => url('admin/help/locale'))); } else { - $message = t('%locale language added.', array('%locale' => ''. t($name) .'')); + $message = t('%locale language added.', array('%locale' => theme('placeholder', t($name)))); } drupal_set_message($message); - watchdog('locale', t('%language language (%locale) added.', array('%language' => "$name", '%locale' => "$code"))); + watchdog('locale', t('%language language (%locale) added.', array('%language' => theme('placeholder', $name), '%locale' => theme('placeholder', $code)))); } /** @@ -47,7 +47,7 @@ function _locale_admin_manage_screen() { $status = db_fetch_object(db_query("SELECT isdefault, enabled FROM {locales_meta} WHERE locale = '%s'", $key)); if ($key == 'en') { - $rows[] = array('en', $lang, form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); + $rows[] = array('en', check_plain($lang), form_checkbox('', 'enabled][en', 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), message_na(), ''); } else { $original = db_fetch_object(db_query("SELECT COUNT(*) AS strings FROM {locales_source}")); 
@@ -55,7 +55,7 @@ function _locale_admin_manage_screen() { $ratio = ($original->strings > 0 && $translation->translation > 0) ? round(($translation->translation/$original->strings)*100., 2) : 0; - $rows[] = array($key, ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); + $rows[] = array(check_plain($key), ($key != 'en' ? form_textfield('', 'name]['. $key, $lang, 15, 64) : $lang), form_checkbox('', 'enabled]['. $key, 1, $status->enabled), form_radio('', 'sitedefault', $key, $status->isdefault), "$translation->translation/$original->strings ($ratio%)", ($key != 'en' ? l(t('delete'), 'admin/locale/language/delete/'. urlencode($key)) : '')); } } @@ -132,7 +132,7 @@ function _locale_import_po($file, $lang, $mode) { // Check if we can get the strings from the file if (!($strings = _locale_import_read_po($file))) { - drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => "$file->filename")), 'error'); + drupal_set_message(t('Translation file %filename broken: Could not be read.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } @@ -154,7 +154,7 @@ function _locale_import_po($file, $lang, $mode) { } } else { - drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => "$file->filename")), 'error'); + drupal_set_message(t('Translation file %filename broken: No header.', array('%filename' => theme('placeholder', $file->filename))), 'error'); return FALSE; } 
@@ -257,7 +257,7 @@ function _locale_import_po($file, $lang, $mode) { menu_rebuild(); drupal_set_message(t('Translation successfully imported. %number translated strings added to language, %update strings updated.', array('%number' => $additions, '%update' => $updates))); - watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => "$file->filename", '%locale' => "$lang", '%number' => $additions, '%update' => $updates))); + watchdog('locale', t('Imported %file into %locale: %number new strings added and %update updated.', array('%file' => theme('placeholder', $file->filename), '%locale' => theme('placeholder', $lang), '%number' => $additions, '%update' => $updates))); return TRUE; } @@ -269,9 +269,10 @@ function _locale_import_po($file, $lang, $mode) { */ function _locale_import_read_po($file) { + $message = theme('placeholder', $file->filename); $fd = fopen($file->filepath, "rb"); if (!$fd) { - drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => "$file->filename")), 'error'); + drupal_set_message(t('Translation import failed: file %filename cannot be read.', array('%filename' => $message)), 'error'); return FALSE; } $info = fstat($fd); 
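Review bot: In _locale_import_read_po(), the new local `$message = theme('placeholder', $file->filename)` holds a formatted file name, not a message, yet it is spliced into every `'%filename' =>` slot in the remaining _locale_import_read_po() hunks, so the name reads as if a whole message were being reused. Rename it to match its content, `$filename = theme('placeholder', $file->filename);` with `'%filename' => $filename`, or add `// HTML-formatted file name, reused in every error message below.` above it. The function continues past this hunk, so the rename touches the later hunks in this file as well.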
@@ -303,19 +304,19 @@ function _locale_import_read_po($file) { $context = "COMMENT"; } else { // Parse error - drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: expected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } elseif (!strncmp("msgid_plural", $line, 12)) { if ($context != "MSGID") { // Must be plural form for current entry - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid_plural' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 12)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $current["msgid"] ."\0". $quoted; 
@@ -327,13 +328,13 @@ function _locale_import_read_po($file) { $current = array(); } elseif ($context == "MSGID") { // Already in this context? Parse error - drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgid' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 5)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgid"] = $quoted; @@ -341,11 +342,11 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr[", $line, 7)) { if (($context != "MSGID") && ($context != "MSGID_PLURAL") && ($context != "MSGSTR_ARR")) { // Must come after msgid, msgid_plural, or msgstr[] - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr[]' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (strpos($line, "]") === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $frombracket = strstr($line, "["); 
@@ -353,7 +354,7 @@ function _locale_import_read_po($file) { $line = trim(strstr($line, " ")); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"][$plural] = $quoted; @@ -361,13 +362,13 @@ function _locale_import_read_po($file) { } elseif (!strncmp("msgstr", $line, 6)) { if ($context != "MSGID") { // Should come just after a msgid block - drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t("Translation file %filename broken: unexpected 'msgstr' in line %line.", array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $line = trim(substr($line, 6)); $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } $current["msgstr"] = $quoted; 
@@ -376,7 +377,7 @@ function _locale_import_read_po($file) { elseif ($line != "") { $quoted = _locale_import_parse_quoted($line); if ($quoted === false) { - drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: syntax error in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } if (($context == "MSGID") || ($context == "MSGID_PLURAL")) { @@ -389,7 +390,7 @@ function _locale_import_read_po($file) { $current["msgstr"][$plural] .= $quoted; } else { - drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected string in line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } } @@ -400,7 +401,7 @@ function _locale_import_read_po($file) { $strings[$current["msgid"]] = $current; } elseif ($context != "COMMENT") { - drupal_set_message(t('Translation file %filename broken: unexpected end file at line %line.', array('%filename' => "$file->filename", '%line' => $lineno)), 'error'); + drupal_set_message(t('Translation file %filename broken: unexpected end of file at line %line.', array('%filename' => $message, '%line' => $lineno)), 'error'); return FALSE; } @@ -465,7 +466,7 @@ function _locale_import_parse_plural_forms($pluralforms, $filename) { return array($nplurals, $plural); } else { - drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => "$filename")), 'error'); + drupal_set_message(t("Translation file %filename broken: plural formula couldn't get parsed.", array('%filename' => theme('placeholder', $filename))), 'error'); return FALSE; } } 
@@ -768,7 +769,7 @@ function _locale_export_po($language) { $header .= "\"Plural-Forms: nplurals=". $meta->plurals ."; plural=". strtr($meta->formula, '$', '') .";\\n\"\n"; } $header .= "\n"; - watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => "$meta->name", '%filename' => "$filename"))); + watchdog('locale', t('Exported %locale translation file: %filename.', array('%locale' => theme('placeholder', $meta->name), '%filename' => theme('placeholder', $filename)))); } // Generating Portable Object Template @@ -789,7 +790,7 @@ function _locale_export_po($language) { $header .= "\"Content-Transfer-Encoding: 8bit\\n\"\n"; $header .= "\"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\\n\"\n"; $header .= "\n"; - watchdog('locale', t('Exported translation file: %filename.', array('%filename' => "$filename"))); + watchdog('locale', t('Exported translation file: %filename.', array('%filename' => theme('placeholder', $filename)))); } // Start download process @@ -1080,6 +1081,7 @@ function _locale_string_seek_form() { // Get *all* languages set up $languages = locale_supported_languages(FALSE, TRUE); asort($languages['name']); unset($languages['name']['en']); + $languages['name'] = array_map('check_plain', $languages['name']); // Present edit form preserving previous user settings $query = _locale_string_seek_query(); diff --git a/includes/pager.inc b/includes/pager.inc index 43639c7a6..ddd6c399d 100644 --- a/includes/pager.inc +++ b/includes/pager.inc 
@@ -384,19 +384,19 @@ function pager_link($from_new, $element, $attributes = array()) { $q = $_GET['q']; $from = array_key_exists('from', $_GET) ? $_GET['from'] : ''; - foreach($attributes as $key => $value) { + foreach ($attributes as $key => $value) { $query[] = $key .'='. $value; } $from_new = pager_load_array($from_new[$element], $element, explode(',', $from)); if (count($attributes)) { - $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); + $url = url($q, 'from='. implode($from_new, ',') .'&'. implode('&', $query)); } else { $url = url($q, 'from='. implode($from_new, ',')); } - return $url; + return check_url($url); } function pager_load_array($value, $element, $old_array) { diff --git a/includes/tablesort.inc b/includes/tablesort.inc index ad0268352..e4f044d89 100644 --- a/includes/tablesort.inc +++ b/includes/tablesort.inc @@ -87,7 +87,7 @@ function tablesort_header($cell, $header, $ts) { $ts['sort'] = 'asc'; $image = ''; } - $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string']); + $cell['data'] = l($cell['data'] . $image, $_GET['q'], array('title' => $title), 'sort='. $ts['sort'] .'&order='. urlencode($cell['data']). $ts['query_string'], NULL, FALSE, TRUE); unset($cell['field'], $cell['sort']); } @@ -139,7 +139,7 @@ function tablesort_get_querystring() { $query_string = ''; foreach ($cgi as $key => $val) { if ($key != 'order' && $key != 'sort' && $key != 'q') { - $query_string .= '&'. $key .'='. $val; + $query_string .= '&'. $key .'='. $val; } } return $query_string; diff --git a/includes/theme.inc b/includes/theme.inc index 14b2181e3..789841152 100644 --- a/includes/theme.inc +++ b/includes/theme.inc 
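Review bot: pager_link() now wraps its result in check_url(), but the `$query[] = $key .'='. $value;` line above still concatenates attribute keys and values into the query string with no urlencode(), so check_url() only entity-escapes the finished string and a value containing `&` or `=` would still split the query. The same shape appears in tablesort_get_querystring() (`$query_string .= '&'. $key .'='. $val;`), where `$cgi` is defined before the hunk and, if it is the request query, re-emits request-supplied values unencoded. Unless callers are guaranteed to pre-encode, use `$query[] = urlencode($key) .'='. urlencode($value);` in pager_link() and `urlencode($key) .'='. urlencode($val)` in tablesort_get_querystring(), or document that the inputs must already be URL-encoded.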
@@ -225,8 +225,8 @@ function path_to_theme() { */ function theme_get_settings($key = NULL) { $defaults = array( - 'primary_links' => l('edit primary links', 'admin/themes/settings'), - 'secondary_links' => l('edit secondary links', 'admin/themes/settings'), + 'primary_links' => l(t('edit primary links'), 'admin/themes/settings'), + 'secondary_links' => l(t('edit secondary links'), 'admin/themes/settings'), 'mission' => '', 'default_logo' => 1, 'logo_path' => '', @@ -348,6 +348,20 @@ function theme_get_styles() { * * The theme system is described and defined in theme.inc. */ + +/** + * Format a dynamic text string for emphasised display in a placeholder. + * + * E.g. t('Added term %term', array('%term' => theme('placeholder', $term))) + * + * @param $text + * The text to format (plain-text). + * @return + * The formatted text (html). + */ +function theme_placeholder($text) { + return ''. check_plain($text) .''; +} /** * Return an entire Drupal page displaying the supplied content. @@ -361,7 +375,7 @@ function theme_page($content) { $output = "\n"; $output .= ''; $output .= ''; - $output .= ' '. (drupal_get_title() ? drupal_get_title() : variable_get('site_name', 'drupal')) .''; + $output .= ' '. (drupal_get_title() ? strip_tags(drupal_get_title()) : variable_get('site_name', 'drupal')) .''; $output .= drupal_get_html_head(); $output .= theme_get_styles(); @@ -500,7 +514,7 @@ function theme_node($node, $teaser = FALSE, $page = FALSE) { } if ($page == 0) { - $output = '
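Review bot: In theme_page(), `strip_tags(drupal_get_title())` is used to produce the page title text, but strip_tags() removes markup only and is not an escaping step; it is correct here only because drupal_get_title() already returns check_plain()'d text from the menu (see the bootstrap hunk) or whatever a module stored earlier, which this hunk does not show. A comment would stop a later reader from treating it as sanitisation: `// Title is already HTML-escaped; strip_tags() only removes markup a module may have set deliberately.` drupal_get_title() is also called twice in that expression, so assigning it once to a local (`$title = drupal_get_title();`) avoids the repeat. theme_page()'s body continues outside the hunk.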

'. $node->title .'

by '. format_name($node); + $output = '

'. check_plain($node->title) .'

by '. format_name($node); } else { $output = 'by '. format_name($node); -- cgit v1.2.3