Commit 213744 by webchick

#462428 by Heine, pwolanin, and dww: SA-CORE-2009-006 - Drupal core - Cross site scripting forward-port.

--- modules/taxonomy/taxonomy.module    2009/05/03 10:44:04     1.472
+++ modules/taxonomy/taxonomy.module    2009/05/19 19:01:51     1.473
@@ -509,10 +509,25 @@
 
 /**
  * Generate a form element for selecting terms from a vocabulary.
+ *
+ * @param $vid
+ *   The vocabulary ID to generate a form element for
+ * @param $value
+ *   The existing value of the term(s) in this vocabulary to use by default.
+ * @param $help
+ *   Optional help text to use for the form element. If specified, this value
+ *   MUST be properly sanitized and filtered (e.g. with filter_xss_admin() or
+ *   check_plain() if it is user-supplied) to prevent XSS vulnerabilities. If
+ *   omitted, the help text stored with the vocaulary (if any) will be used.
+ * @return
+ *   An array describing a form element to select terms for a vocabulary.
+ *
+ * @see _taxonomy_term_select()
+ * @see filter_xss_admin()
  */
 function taxonomy_form($vid, $value = 0, $help = NULL) {
   $vocabulary = taxonomy_vocabulary_load($vid);
-  $help = ($help) ? $help : $vocabulary->help;
+  $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
 
   if (!$vocabulary->multiple) {
     $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
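Review bot: The new docblock misspells "vocaulary" in the sentence describing the fallback; it should read `omitted, the help text stored with the vocabulary (if any) will be used.` The fallback on the changed line is also selected by truthiness, so a caller passing the help text `"0"` is treated as having omitted it and gets the filtered vocabulary help instead; that is pre-existing behaviour, but since the docblock now spells out the contract it is worth stating there, e.g. `Any value that evaluates to FALSE (including "0") is treated as omitted.` taxonomy_form()'s body continues past the end of this hunk.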
@@ -599,7 +614,7 @@
           $typed_string = taxonomy_implode_tags($terms, $vocabulary->vid) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
         }
         if ($vocabulary->help) {
-          $help = $vocabulary->help;
+          $help = filter_xss_admin($vocabulary->help);
         }
         else {
           $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc."');
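Review bot: Sanitizing `$vocabulary->help` at each use site is the right fix, but taxonomy_form() only filters its own fallback (the `$help` argument is passed through untouched when set), so the call at the third hunk (`taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help))`) is the one future callers are most likely to copy without the filter. A short comment on that call would make the contract visible where it matters: `// taxonomy_form() uses $help as-is when given; vocabulary help is admin-entered HTML and must be filtered here.` The enclosing function starts before and ends after both hunks, so I cannot see whether other reads of `$vocabulary->help` in it were missed.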
@@ -623,7 +638,7 @@
             $default_terms[$term->tid] = $term;
           }
         }
-        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
+        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
         $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
         $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
       }
@@ -1399,6 +1414,33 @@
   return $terms[$tid];
 }
 
+/**
+ * Create a select form element for a given taxonomy vocabulary.
+ *
+ * NOTE: This function expects input that has already been sanitized and is
+ * safe for display. Callers must properly sanitize the $title and
+ * $description arguments to prevent XSS vulnerabilities.
+ *
+ * @param $title
+ *   The title of the vocabulary. This MUST be sanitized by the caller.
+ * @param $value
+ *   The currently selected terms from this vocabulary, if any.
+ * @param $vocabulary_id
+ *   The vocabulary ID to build the form element for.
+ * @param $description
+ *   Help text for the form element. This MUST be sanitized by the caller.
+ * @param $multiple
+ *   Boolean to control if the form should use a single or multiple select.
+ * @param $blank
+ *   Optional form choice to use when no value has been selected.
+ * @param $exclude
+ *   Optional array of term ids to exclude in the selector.
+ * @return
+ *   A FAPI form array to select terms from the given vocabulary.
+ *
+ * @see taxonomy_form()
+ * @see taxonomy_form_term()
+ */
 function _taxonomy_term_select($title, $value, $vocabulary_id, $description, $multiple, $blank, $exclude = array()) {
   $tree = taxonomy_get_tree($vocabulary_id);
   $options = array();
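Review bot: The new docblock states that `$title` MUST be sanitized by the caller, but the only caller named in the `@see` tags, taxonomy_form(), does not have its call visible in this diff, so it is not possible to confirm from the hunks that the vocabulary name reaches `$title` already sanitized; that should be checked before relying on the contract. Since the contract is now documented here, it would also help to say how the two values are used, e.g. `$title and $description are placed directly into '#title' and '#description' without further escaping.` — if that is what the body does, which this hunk cuts off before showing. The function _taxonomy_term_select() continues past the end of the hunk.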
