From 630d473c8e395d30393696ca6d01435c54f7c382 Mon Sep 17 00:00:00 2001
From: Angie Byron
Date: Fri, 23 Apr 2010 04:32:16 +0000
Subject: #611532 by mr.baileys, scor: Fixed XSS Vulnerability in profile.module.

---
 modules/profile/profile.admin.inc | 2 +-
 modules/profile/profile.module | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/profile')

diff --git a/modules/profile/profile.admin.inc b/modules/profile/profile.admin.inc
index 1a2f792fc..d7d653b99 100644
--- a/modules/profile/profile.admin.inc
+++ b/modules/profile/profile.admin.inc
@@ -123,7 +123,7 @@ function theme_profile_admin_overview($variables) {
       // class names won't contain invalid characters.
       $categories[$category] = $category_number;
       $category_field['#attributes']['class'] = array('profile-category', 'profile-category-' . $category_number);
-      $rows[] = array(array('data' => $category, 'colspan' => 7, 'class' => array('category')));
+      $rows[] = array(array('data' => check_plain($category), 'colspan' => 7, 'class' => array('category')));
       $rows[] = array('data' => array(array('data' => '' . t('No fields in this category. If this category remains empty when saved, it will be removed.') . '', 'colspan' => 7)), 'class' => array('category-' . $category_number . '-message', 'category-message', 'category-populated'));
       // Make it draggable only if there is more than one field
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index 9e907f64f..5aabb3d7d 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -360,7 +360,7 @@ function profile_user_view($account) {
 }

 function _profile_form_explanation($field) {
-  $output = $field->explanation;
+  $output = filter_xss_admin($field->explanation);
   if ($field->type == 'list') {
     $output .= ' ' . t('Put each item on a separate line or separate them by commas. No HTML allowed.');
-- 
cgit v1.2.3
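Review bot: The changed `$rows[]` line now escapes the category name with check_plain(), but nothing records why, and the comment just above it only explains the numeric class-name suffix, so a later maintainer could read the escape as redundant and drop it. Suggest a comment on the new line: `// Category names are user-entered; theme_table() prints the 'data' cell unescaped.` Presumably the same category string is rendered elsewhere (the field edit form, the user's profile page); those sites are outside this hunk and should be checked for the same missing escaping rather than assumed fixed by this change. theme_profile_admin_overview() starts and ends outside the hunk.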
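Review bot: On the changed `$output = …` line, filter_xss_admin() is the permissive admin filter — it keeps most HTML tags and strips only script-capable markup, event-handler attributes and unsafe URL schemes — so the explanation remains rich markup rather than plain text; if explanations were never meant to carry HTML, check_plain() would be the stricter choice, and the reason for choosing the admin filter should be stated in a comment. _profile_form_explanation() has no docblock, and since it now returns sanitized markup concatenated with a t() string, any caller that escapes the result again will double-encode it; add above the signature: `/** Builds the HTML-safe explanation for a profile field; the value is already filtered with filter_xss_admin(), so callers must not escape it again. */`. The function body continues past the hunk, so anything else appended to $output there must likewise come from trusted or escaped sources.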