? 853974-2_xss.patch
? libraries/simplepie.inc
Index: feeds.pages.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/feeds/feeds.pages.inc,v
retrieving revision 1.21
diff -u -p -r1.21 feeds.pages.inc
--- feeds.pages.inc 15 Sep 2010 19:27:42 -0000 1.21
+++ feeds.pages.inc 16 Sep 2010 18:52:20 -0000
@@ -29,7 +29,7 @@ function feeds_page() {
 }
 $rows[] = array(
 l($title, $link),
- $importer->config['description'],
+ check_plain($importer->config['description']),
 );
 }
 }
Index: feeds_ui/feeds_ui.admin.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/feeds/feeds_ui/feeds_ui.admin.inc,v
retrieving revision 1.38
diff -u -p -r1.38 feeds_ui.admin.inc
--- feeds_ui/feeds_ui.admin.inc 15 Sep 2010 19:27:42 -0000 1.38
+++ feeds_ui/feeds_ui.admin.inc 16 Sep 2010 18:52:20 -0000
@@ -63,8 +63,8 @@ function feeds_ui_overview_form(&$form_s
 );
 foreach (feeds_importer_load_all(TRUE) as $importer) {
 $importer_form = array();
- $importer_form['name']['#value'] = $importer->config['name'];
- $importer_form['description']['#value'] = $importer->config['description'];
+ $importer_form['name']['#value'] = check_plain($importer->config['name']);
+ $importer_form['description']['#value'] = check_plain($importer->config['description']);
 if (empty($importer->config['content_type'])) {
 $importer_form['attached']['#value'] = '[none]';
 }
@@ -774,8 +774,8 @@ function theme_feeds_ui_mapping_form($fo
 // Some parsers do not define source options.
 $source = isset($form['source']['#options'][$mapping['source']]) ? $form['source']['#options'][$mapping['source']] : $mapping['source'];
 $rows[] = array(
- $source,
- $form['target']['#options'][$mapping['target']],
+ check_plain($source),
+ check_plain($form['target']['#options'][$mapping['target']]),
 drupal_render($form['unique_flags'][$i]),
 drupal_render($form['remove_flags'][$i]),
 );
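Review bot: The new `check_plain($form['target']['#options'][$mapping['target']])` row cell indexes `#options` without the `isset()` guard that the `$source` line just above it in the same hunk uses, so a stored mapping whose target the current processor no longer offers would raise an undefined-index notice and render as an empty, rather than escaped, cell. Mirroring the source fallback keeps the row readable and still escaped: `$target = isset($form['target']['#options'][$mapping['target']]) ? $form['target']['#options'][$mapping['target']] : $mapping['target'];` and then `check_plain($target),` in the row. Whether stale targets can actually reach this theme function depends on how mappings are validated on save, which is not visible here; theme_feeds_ui_mapping_form itself starts and ends outside this hunk.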
@@ -803,8 +803,8 @@ function theme_feeds_ui_mapping_form($fo
 $rows = array();
 foreach (element_children($form['legendset']['legend']['sources']) as $k) {
 $rows[] = array(
- drupal_render($form['legendset']['legend']['sources'][$k]['name']),
- drupal_render($form['legendset']['legend']['sources'][$k]['description']),
+ check_plain(drupal_render($form['legendset']['legend']['sources'][$k]['name'])),
+ check_plain(drupal_render($form['legendset']['legend']['sources'][$k]['description'])),
 );
 }
 if (count($rows)) {
@@ -816,8 +816,8 @@ function theme_feeds_ui_mapping_form($fo
 $rows = array();
 foreach (element_children($form['legendset']['legend']['targets']) as $k) {
 $rows[] = array(
- drupal_render($form['legendset']['legend']['targets'][$k]['name']),
- drupal_render($form['legendset']['legend']['targets'][$k]['description']),
+ check_plain(drupal_render($form['legendset']['legend']['targets'][$k]['name'])),
+ check_plain(drupal_render($form['legendset']['legend']['targets'][$k]['description'])),
 );
 }
 $legend .= '
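Review bot: Wrapping `drupal_render()` in `check_plain()` on the two new sources-legend lines escapes the rendered output rather than the untrusted value, so the fix only holds while those `name`/`description` elements render to nothing but their bare `#value`; a `#prefix`, `#suffix` or theme wrapper added to them later would show up on the page as literal `&lt;...&gt;` text. The more robust place for the escape is where the legend elements are built in feeds_ui_mapping_form (presumably something like `'#value' => check_plain($source['name'])`, which is outside this hunk), leaving this theme function to emit the rendered element unchanged. If the elements are plain markup values today, the patch does close the injection, so this is about where the escape lives rather than whether it works. theme_feeds_ui_mapping_form begins and ends outside this hunk.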

'. t('Targets') .'

';
Index: plugins/FeedsCSVParser.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/feeds/plugins/FeedsCSVParser.inc,v
retrieving revision 1.14
diff -u -p -r1.14 FeedsCSVParser.inc
--- plugins/FeedsCSVParser.inc 7 Sep 2010 17:29:36 -0000 1.14
+++ plugins/FeedsCSVParser.inc 16 Sep 2010 18:52:20 -0000
@@ -75,9 +75,9 @@ class FeedsCSVParser extends FeedsParser
 $mappings = feeds_importer($this->id)->processor->config['mappings'];
 $sources = $uniques = array();
 foreach ($mappings as $mapping) {
- $sources[] = $mapping['source'];
+ $sources[] = check_plain($mapping['source']);
 if ($mapping['unique']) {
- $uniques[] = $mapping['source'];
+ $uniques[] = check_plain($mapping['source']);
 }
 }
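Review bot: The targets-legend rows now pass `drupal_render()` output through `check_plain()`, which escapes whatever the form API produced for the element instead of the untrusted target name or description itself; that is safe only as long as those elements carry no markup of their own, and it double-escapes if the value was already escaped when the element was assembled. Escaping the raw strings once, at the point where `$form['legendset']['legend']['targets'][$k]['name']` and `['description']` are defined (outside this hunk), and keeping the plain `drupal_render(...)` call here would make the table cells correct regardless of how the elements are later themed. The `$legend .= '...' . t('Targets') . '...';` context line that closes the hunk has had its HTML stripped by extraction and is not reviewable here; theme_feeds_ui_mapping_form begins and ends outside this hunk.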