diff --git modules/block/block.module modules/block/block.module index ae4889e..d19a27f 100644 --- modules/block/block.module +++ modules/block/block.module @@ -241,9 +241,28 @@ function block_block_save($delta = 0, $edit = array()) { * Generates the administrator-defined blocks for display. */ function block_block_view($delta = '') { - $block = db_query('SELECT body, format FROM {block_custom} WHERE bid = :bid', array(':bid' => $delta))->fetchObject(); - $data['subject'] = NULL; - $data['content'] = check_markup($block->body, $block->format, '', TRUE); + // Retrieve the default title and the content of the custom block. + $query = db_select('block_custom', 'bc'); + $query->join('block', 'b', 'bc.bid = b.delta'); + $block = $query + ->addTag('translatable') + ->addTag('block_load') + ->fields('b', array('title')) + ->fields('bc', array('body', 'format')) + ->condition('bc.bid', $delta) + ->range(0, 1) + ->execute() + ->fetchObject(); + + $data = array( + // Only module-generated block titles are allowed to output any HTML markup. + // Custom block titles are always user input and therefore always escaped. + // @see _block_render_blocks() + 'subject' => $block->title == '' ? '' : check_plain($block->title), + 'content' => array( + '#markup' => check_markup($block->body, $block->format, '', TRUE), + ), + ); return $data; } diff --git modules/block/block.test modules/block/block.test index 5a184d0..2bbc83d 100644 --- modules/block/block.test +++ modules/block/block.test @@ -81,8 +81,8 @@ class BlockTestCase extends DrupalWebTestCase { // Check that block_block_view() returns the correct title and content. $data = block_block_view($bid); $format = db_query("SELECT format FROM {block_custom} WHERE bid = :bid", array(':bid' => $bid))->fetchField(); - $this->assertTrue(array_key_exists('subject', $data) && empty($data['subject']), t('block_block_view() provides an empty block subject, since custom blocks do not have default titles.')); - $this->assertEqual(check_markup($custom_block['body[value]'], $format), $data['content'], t('block_block_view() provides correct block content.')); + $this->assertEqual($custom_block['title'], $data['subject'], t('block_block_view() provides correct block title.')); + $this->assertEqual(check_markup($custom_block['body[value]'], $format), $data['content']['#markup'], t('block_block_view() provides correct block content.')); // Check if the block can be moved to all availble regions. $custom_block['module'] = 'block';