diff --git a/webroot/sites/all/modules/contrib/epsacrop/epsacrop.module b/webroot/sites/all/modules/contrib/epsacrop/epsacrop.module
index 0a65267..1738389 100644
--- a/webroot/sites/all/modules/contrib/epsacrop/epsacrop.module
+++ b/webroot/sites/all/modules/contrib/epsacrop/epsacrop.module
@@ -169,6 +169,9 @@ function epsacrop_dialog($entity_name, $field_name, $bundle, $fid) {
   if (!is_string($data)) {
     $data = drupal_json_encode((object) $data);
   }
+  else {
+    $data = check_plain($data);
+  }
   $out .='<div style="display:none;"><textarea id="epsacrop-coords-data">' . $data . '</textarea></div>' . "\n";
   $out .='<br style="clear:both;" />' . "\n";
   $out .='</div>' . "\n";
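Review bot: The two branches that feed the `epsacrop-coords-data` textarea now escape differently, and nothing says why that is acceptable: the string branch goes through `check_plain()`, while the array/object branch relies on `drupal_json_encode()` producing HTML-safe output (Drupal 7's implementation encodes `<`, `>`, `&`, `'` and `"` as `\uXXXX`, so it should not be able to close the `</textarea>`, but that is a property of core the reader has to know). A short comment above the `if` would make the contract explicit, e.g. `// Both branches must yield HTML-safe text: drupal_json_encode() escapes <>&'" itself; a raw string is escaped with check_plain().` Note that `check_plain()` turns `"` into `&quot;`, which the browser decodes back inside a textarea, so the JS still receives the original characters. epsacrop_dialog() starts outside this hunk.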
@@ -199,7 +202,7 @@ function epsacrop_ajax($op, $fid) {
       }
     break;
     case 'put':
-      if (isset($_POST) && (isset($_POST['coords']) && !empty($_POST['coords']))) {
+      if (isset($_POST) && (isset($_POST['coords']) && !empty($_POST['coords'])) && (isset($_POST['ectoken']) && drupal_valid_token($_POST['ectoken']))) {
         $coords = $_POST['coords'];
         _epsacrop_save_coords($fid, $coords);
       }
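Review bot: A request with a missing or invalid `ectoken` now falls through silently with the same response as a successful save, so the client cannot tell a rejected write from an accepted one and there is no trace in the logs. Add an explicit rejection branch after the `if`, e.g. `else { watchdog('epsacrop', 'Rejected crop save for fid %fid: invalid token.', array('%fid' => $fid), WATCHDOG_WARNING); drupal_access_denied(); }`, or at least return a 403 so the caller side can react. `isset($_POST)` is always true for a superglobal and can be dropped from the condition. The token is validated with the default empty value; pairing it with a module-specific value (see the matching `drupal_get_token()` call in `_epsacrop_include_header_html()`) would keep tokens issued for other forms from satisfying this check. epsacrop_ajax() continues outside the hunk, so the surrounding `switch` and any later `fid` access checks are not visible here.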
@@ -839,10 +842,14 @@ function _epsacrop_get_style_name_from_url() {
  */
 function _epsacrop_include_header_html() {
   $module_path = drupal_get_path('module', 'epsacrop');
+  $settings = array(
+    'ectoken' => drupal_get_token(),  
+  );
   drupal_add_js(array('epsacrop' => array('path' => $module_path)), 'setting');
   drupal_add_library('system', 'ui.dialog');
   drupal_add_js(EPSACROP_JCROP_PATH . '/js/jquery.Jcrop.js');
   drupal_add_js(EPSACROP_JSON2_PATH . '/json2.js', array('preprocess' => FALSE));
+  drupal_add_js(array('EPSACrop' => $settings), 'setting');
   drupal_add_js($module_path . '/js/epsacrop.js');
 
   drupal_add_css(EPSACROP_JCROP_PATH . '/css/jquery.Jcrop.css');
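Review bot: `drupal_get_token()` is called with no value, so the token merely proves the session is valid and is not tied to this module's crop action; the usual pattern is `'ectoken' => drupal_get_token('epsacrop'),` here with `drupal_valid_token($_POST['ectoken'], 'epsacrop')` in the `put` handler of epsacrop_ajax(). The `drupal_get_token()` line also carries trailing whitespace. The new `EPSACrop` settings key sits beside the existing `epsacrop` one; a one-line comment such as `// Per-session CSRF token checked by epsacrop_ajax('put').` would tell a reader why the two are separate. _epsacrop_include_header_html() continues past the end of this hunk.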
diff --git a/webroot/sites/all/modules/contrib/epsacrop/js/epsacrop.js b/webroot/sites/all/modules/contrib/epsacrop/js/epsacrop.js
index 9a02c2e..8c8bbc7 100644
--- a/webroot/sites/all/modules/contrib/epsacrop/js/epsacrop.js
+++ b/webroot/sites/all/modules/contrib/epsacrop/js/epsacrop.js
@@ -21,7 +21,7 @@
       }
 
       buttons[saveLabel] = function() {
-        $.post(Drupal.settings.basePath + pathPrefix + 'crop/ajax/put/' + delta, {'coords': JSON.stringify(Drupal.EPSACrop.presets)});
+        $.post(Drupal.settings.basePath + pathPrefix + 'crop/ajax/put/' + delta, {'coords': JSON.stringify(Drupal.EPSACrop.presets), 'ectoken': Drupal.settings.EPSACrop.ectoken});
         var field = field_name.replace(/_/g, '-');
         var welem = $('div[id*="' + field + '"]').eq(0);
         if (welem.find('.warning').size() == 0) {
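Review bot: The save `$.post` has no completion callback, so the warning block that follows runs whether or not the server accepted the coordinates; once the server starts rejecting bad tokens, a failed save would still be reported to the user as successful. Pass a success callback as the third argument of `$.post` and move the warning logic into it (the jQuery shipped with Drupal 7 predates the `.fail()`/`.done()` promise API, so a plain callback or `$.ajax` with `error:` is the portable form). `Drupal.settings.EPSACrop.ectoken` is only defined when `_epsacrop_include_header_html()` has run on the page; reading it as `(Drupal.settings.EPSACrop || {}).ectoken` avoids a TypeError if the settings are absent. The enclosing function started above this hunk and its body continues past the end.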
