From b95f496bbcac6a063cfb8f455ebb9301f056ff3f Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Thu, 1 Mar 2007 19:53:04 +0000
Subject: - Backporting comment module validation fixes. Already went into DRUPAL-5.
---
 modules/node/node.module | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'modules/node')
diff --git a/modules/node/node.module b/modules/node/node.module
index 192509e27..244fa8f56 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -2027,6 +2027,10 @@ function node_form_add_preview($form) {
 $op = isset($form_values['op']) ? $form_values['op'] : '';
 if ($op == t('Preview')) {
+ // Invoke full validation for the form, to protect against cross site
+ // request forgeries (CSRF) and setting arbitrary values for fields such as
+ // the input format. Preview the node only when form validation does not
+ // set any errors.
 drupal_validate_form($form['form_id']['#value'], $form);
 if (!form_get_errors()) {
 // Because the node preview may display a form, we must render it
--
cgit v1.2.3
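Review bot: The added comment credits `drupal_validate_form()` with the CSRF protection, but nothing in this hunk shows where the token is checked, so a reader cannot tell whether that holds for every form that reaches the preview branch. If the token check inside `drupal_validate_form()` is conditional (for instance, only when the form carries a token), the comment should name that dependency, e.g. `// CSRF protection relies on the form token check inside drupal_validate_form().` It would also help to state that the preview rendering must stay inside the `form_get_errors()` guard, since that guard is what keeps rejected values such as the input format out of the rendered preview. The body of node_form_add_preview continues outside the hunk, so the failure path could not be checked here.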