From 6ad8b01a0f23573913698e5bf2465006491afa26 Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Fri, 29 Jan 2010 13:38:00 +0000
Subject: - Patch #688100 by mr.baileys, scor: sanitize user-supplied block
 titles.

---
 modules/dashboard/dashboard.module | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/dashboard')

diff --git a/modules/dashboard/dashboard.module b/modules/dashboard/dashboard.module
index c61598cc1..2b9668b9e 100644
--- a/modules/dashboard/dashboard.module
+++ b/modules/dashboard/dashboard.module
@@ -463,7 +463,7 @@ function theme_dashboard_disabled_block($variables) {
     $output .= '<div id="block-' . $block['module'] . '-' . $block['delta']
     . '" class="disabled-block block block-' . $block['module'] . '-' . $block['delta']
     . ' module-' . $block['module'] . ' delta-' . $block['delta'] . '">'
-    . '<h2>' . (!empty($block['title']) && $block['title'] != '<none>' ? $block['title'] : $block['info']) . '</h2>'
+    . '<h2>' . (!empty($block['title']) && $block['title'] != '<none>' ? check_plain($block['title']) : check_plain($block['info'])) . '</h2>'
     . '<div class="content"></div>'
     . '</div>';
   }
-- 
cgit v1.2.3