Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.302
diff -u -p -r1.302 bootstrap.inc
--- includes/bootstrap.inc 24 Aug 2009 00:14:18 -0000 1.302
+++ includes/bootstrap.inc 24 Aug 2009 01:16:13 -0000
@@ -554,7 +554,7 @@ function drupal_settings_initialize() {
 list( , $session_name) = explode('://', $base_url, 2);
 // We escape the hostname because it can be modified by a visitor.
 if (!empty($_SERVER['HTTP_HOST'])) {
- $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
+ $cookie_domain = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES);
 }
 }
 // To prevent session cookies from being hijacked, a user can configure the
@@ -1357,7 +1357,7 @@ function drupal_block_denied($ip) {
 // Deny access to blocked IP addresses - t() is not yet available.
 if (drupal_is_denied($ip)) {
 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
- print 'Sorry, ' . check_plain(ip_address()) . ' has been banned.';
+ print 'Sorry, ' . htmlspecialchars(ip_address(), ENT_QUOTES) . ' has been banned.';
 exit();
 }
 }
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.971
diff -u -p -r1.971 common.inc
--- includes/common.inc 24 Aug 2009 00:14:18 -0000 1.971
+++ includes/common.inc 24 Aug 2009 01:18:35 -0000
@@ -401,7 +401,7 @@ function drupal_site_offline() {
 function drupal_not_found() {
 drupal_set_header('404 Not Found');
- watchdog('page not found', check_plain($_GET['q']), NULL, WATCHDOG_WARNING);
+ watchdog('page not found', htmlspecialchars($_GET['q'], ENT_QUOTES), NULL, WATCHDOG_WARNING);
 // Keep old path for reference, and to allow forms to redirect to it.
 if (!isset($_REQUEST['destination'])) {
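Review bot: The added line `$cookie_domain = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES);` drops the explicit charset that the check_plain() wrapper it replaces passed as its third argument (not visible in the hunk; confirm against check_plain()'s definition), so escaping now runs with PHP's default charset, which on the PHP releases of this era is ISO-8859-1 rather than UTF-8. With that default, malformed multibyte input is not rejected but escaped byte-by-byte, and HTTP_HOST is attacker-controlled as the comment above the line notes, so the value reaching the cookie domain and later HTML contexts is weaker-checked than before. The line should read `$cookie_domain = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8');`. The same omission is repeated in every other replacement in this patch (the drupal_block_denied() hunk below, common.inc, form.inc, install.inc, locale.inc, menu.inc, path.inc, theme.inc, xmlrpc.inc, the database and aggregator files, block, blogapi and book); if the goal is to remove the wrapper, a single helper that pins both ENT_QUOTES and 'UTF-8' would avoid repeating the arguments at every call site.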
@@ -435,7 +435,7 @@ function drupal_not_found() { */ function drupal_access_denied() { drupal_set_header('403 Forbidden'); - watchdog('access denied', check_plain($_GET['q']), NULL, WATCHDOG_WARNING); + watchdog('access denied', htmlspecialchars($_GET['q'], ENT_QUOTES), NULL, WATCHDOG_WARNING); // Keep old path for reference, and to allow forms to redirect to it. if (!isset($_REQUEST['destination'])) { @@ -1162,7 +1162,7 @@ function fix_gpc_magic() { * Incorrect: * @code * $item = item_load(); - * $output .= check_plain(t($item['title'])); + * $output .= htmlspecialchars(t($item['title'], ENT_QUOTES)); * @endcode * * Instead, translation of these data can be done through the locale system, @@ -1234,7 +1234,7 @@ function t($string, array $args = array( switch ($key[0]) { case '@': // Escaped only. - $args[$key] = check_plain($value); + $args[$key] = htmlspecialchars($value, ENT_QUOTES); break; case '%': @@ -1403,7 +1403,7 @@ function check_url($uri) { * * Use only for fields where it is impractical to use the * whole filter system, but where some (mainly inline) mark-up - * is desired (so check_plain() is not acceptable). + * is desired (so htmlspecialchars() is not acceptable). * * Allows all tags that can be used inside an HTML body, save * for scripts and styles. @@ -1676,7 +1676,7 @@ function filter_xss_bad_protocol($string } } while ($before != $string); - return check_plain($string); + return htmlspecialchars($string, ENT_QUOTES); } /** 
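Review bot: The doc example in the fix_gpc_magic() docblock hunk places ENT_QUOTES inside the t() call, `$output .= htmlspecialchars(t($item['title'], ENT_QUOTES));`, which passes the flag as t()'s second parameter and leaves htmlspecialchars() running with its default ENT_COMPAT flags. The example is labelled "Incorrect" for a different reason (translating user-supplied data), so a reader copying its shape would reproduce the misplaced argument, and t()'s `array $args` type hint visible in the next hunk's header would reject an integer there anyway. It should read `$output .= htmlspecialchars(t($item['title']), ENT_QUOTES);`.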
@@ -1699,14 +1699,14 @@ function format_rss_channel($title, $lin $langcode = $langcode ? $langcode : $language->language; $output = "\n"; - $output .= ' ' . check_plain($title) . "\n"; + $output .= ' ' . htmlspecialchars($title, ENT_QUOTES) . "\n"; $output .= ' ' . check_url($link) . "\n"; // The RSS 2.0 "spec" doesn't indicate HTML can be used in the description. // We strip all HTML tags, but need to prevent double encoding from properly // escaped source data (such as & becoming &amp;). - $output .= ' ' . check_plain(decode_entities(strip_tags($description))) . "\n"; - $output .= ' ' . check_plain($langcode) . "\n"; + $output .= ' ' . htmlspecialchars(decode_entities(strip_tags($description)), ENT_QUOTES) . "\n"; + $output .= ' ' . htmlspecialchars($langcode, ENT_QUOTES) . "\n"; $output .= format_xml_elements($args); $output .= $items; $output .= "\n"; @@ -1721,9 +1721,9 @@ function format_rss_channel($title, $lin */ function format_rss_item($title, $link, $description, $args = array()) { $output = "\n"; - $output .= ' ' . check_plain($title) . "\n"; + $output .= ' ' . htmlspecialchars($title, ENT_QUOTES) . "\n"; $output .= ' ' . check_url($link) . "\n"; - $output .= ' ' . check_plain($description) . "\n"; + $output .= ' ' . htmlspecialchars($description, ENT_QUOTES) . "\n"; $output .= format_xml_elements($args); $output .= "\n"; @@ -1755,7 +1755,7 @@ function format_xml_elements($array) { } if (isset($value['value']) && $value['value'] != '') { - $output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : check_plain($value['value'])) . '\n"; + $output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : htmlspecialchars($value['value'], ENT_QUOTES)) . '\n"; } else { $output .= " />\n"; 
@@ -1763,7 +1763,7 @@ function format_xml_elements($array) { } } else { - $output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : check_plain($value)) . "\n"; + $output .= ' <' . $key . '>' . (is_array($value) ? format_xml_elements($value) : htmlspecialchars($value, ENT_QUOTES)) . "\n"; } } return $output; @@ -2117,7 +2117,7 @@ function url($path = NULL, array $option // Only call the slow filter_xss_bad_protocol if $path contains a ':' before // any / ? or #. $colonpos = strpos($path, ':'); - $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path)); + $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == htmlspecialchars($path, ENT_QUOTES)); } // May need language dependent rewriting if language.inc is present. @@ -2226,7 +2226,7 @@ function drupal_attributes(array $attrib if (is_array($data)) { $data = implode(' ', $data); } - $data = $attribute . '="' . check_plain($data) . '"'; + $data = $attribute . '="' . htmlspecialchars($data, ENT_QUOTES) . '"'; } return $attributes ? ' ' . implode(' ', $attributes) : ''; } @@ -2295,7 +2295,7 @@ function l($text, $path, array $options $options['attributes']['title'] = strip_tags($options['attributes']['title']); } - return '' . ($options['html'] ? $text : check_plain($text)) . ''; + return '' . ($options['html'] ? $text : htmlspecialchars($text, ENT_QUOTES)) . ''; } /** Index: includes/file.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/file.inc,v retrieving revision 1.186 diff -u -p -r1.186 file.inc --- includes/file.inc 24 Aug 2009 00:14:18 -0000 1.186 +++ includes/file.inc 24 Aug 2009 01:18:50 -0000 
@@ -412,7 +412,7 @@ function file_create_htaccess($directory drupal_chmod($htaccess_path, 0444); } else { - $variables = array('%directory' => $directory, '!htaccess' => '
' . nl2br(check_plain($htaccess_lines))); + $variables = array('%directory' => $directory, '!htaccess' => '
' . nl2br(htmlspecialchars($htaccess_lines, ENT_QUOTES))); watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: !htaccess", $variables, WATCHDOG_ERROR); } } Index: includes/form.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/form.inc,v retrieving revision 1.363 diff -u -p -r1.363 form.inc --- includes/form.inc 24 Aug 2009 00:14:18 -0000 1.363 +++ includes/form.inc 24 Aug 2009 01:19:31 -0000 @@ -1521,7 +1521,7 @@ function form_select_options($element, $ else { $selected = ''; } - $options .= ''; + $options .= ''; } } return $options; @@ -1625,7 +1625,7 @@ function theme_radio($element) { $output .= 'id="' . $element['#id'] . '" '; $output .= 'name="' . $element['#name'] . '" '; $output .= 'value="' . $element['#return_value'] . '" '; - $output .= (check_plain($element['#value']) == $element['#return_value']) ? ' checked="checked" ' : ' '; + $output .= (htmlspecialchars($element['#value'], ENT_QUOTES) == $element['#return_value']) ? ' checked="checked" ' : ' '; $output .= drupal_attributes($element['#attributes']) . ' />'; if (!is_null($element['#title'])) { $output = ''; @@ -1829,7 +1829,7 @@ function form_process_radios($element) { $element[$key] = array( '#type' => 'radio', '#title' => $choice, - '#return_value' => check_plain($key), + '#return_value' => htmlspecialchars($key, ENT_QUOTES), '#default_value' => isset($element['#default_value']) ? $element['#default_value'] : NULL, '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], @@ -2332,7 +2332,7 @@ function theme_submit($element) { function theme_button($element) { $element['#attributes']['class'][] = 'form-' . $element['#button_type']; - return '\n"; + return '\n"; } /** 
@@ -2349,11 +2349,11 @@ function theme_image_button($element) { $element['#attributes']['class'][] = 'form-' . $element['#button_type']; return '\n"; } @@ -2369,7 +2369,7 @@ function theme_image_button($element) { * @ingroup themeable */ function theme_hidden($element) { - return '\n"; + return '\n"; } /** @@ -2402,7 +2402,7 @@ function theme_textfield($element) { $output .= '' . $element['#field_prefix'] . ' '; } - $output .= ''; + $output .= ''; if (isset($element['#field_suffix'])) { $output .= ' ' . $element['#field_suffix'] . ''; @@ -2449,7 +2449,7 @@ function theme_textarea($element) { } _form_set_class($element, $class); - return ''; + return ''; } /** @@ -2665,7 +2665,7 @@ function form_clean_id($id = NULL) { * Note - if the batch 'title', 'init_message', 'progress_message', * or 'error_message' could contain any user input, it is the responsibility of * the code calling batch_set() to sanitize them first with a function like - * check_plain() or filter_xss(). + * htmlspecialchars() or filter_xss(). * * Sample batch operations: * @code Index: includes/install.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/install.inc,v retrieving revision 1.109 diff -u -p -r1.109 install.inc --- includes/install.inc 24 Aug 2009 00:14:18 -0000 1.109 +++ includes/install.inc 24 Aug 2009 01:19:48 -0000 
@@ -948,12 +948,12 @@ function st($string, $args = array()) { switch ($key[0]) { // Escaped only case '@': - $args[$key] = check_plain($value); + $args[$key] = htmlspecialchars($value, ENT_QUOTES); break; // Escaped and placeholder case '%': default: - $args[$key] = '' . check_plain($value) . ''; + $args[$key] = '' . htmlspecialchars($value, ENT_QUOTES) . ''; break; // Pass-through case '!': Index: includes/locale.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/locale.inc,v retrieving revision 1.226 diff -u -p -r1.226 locale.inc --- includes/locale.inc 22 Aug 2009 14:34:17 -0000 1.226 +++ includes/locale.inc 24 Aug 2009 01:20:26 -0000 @@ -48,8 +48,8 @@ function locale_languages_overview_form( '#default_value' => $language->weight, '#attributes' => array('class' => array('language-order-weight')), ); - $form['name'][$langcode] = array('#markup' => check_plain($language->name)); - $form['native'][$langcode] = array('#markup' => check_plain($language->native)); + $form['name'][$langcode] = array('#markup' => htmlspecialchars($language->name, ENT_QUOTES)); + $form['native'][$langcode] = array('#markup' => htmlspecialchars($language->native, ENT_QUOTES)); $form['direction'][$langcode] = array('#markup' => ($language->direction == LANGUAGE_RTL ? t('Right to left') : t('Left to right'))); } $form['enabled'] = array('#type' => 'checkboxes', @@ -84,7 +84,7 @@ function theme_locale_languages_overview 'data' => array( '' . drupal_render($form['name'][$key]) . '', drupal_render($form['native'][$key]), - check_plain($key), + htmlspecialchars($key, ENT_QUOTES), drupal_render($form['direction'][$key]), array('data' => drupal_render($form['enabled'][$key]), 'align' => 'center'), drupal_render($form['site_default'][$key]), 
@@ -893,13 +893,13 @@ function locale_translate_edit_form(&$fo $form['original'] = array( '#type' => 'item', '#title' => t('Original text'), - '#markup' => check_plain(wordwrap($source->source, 0)), + '#markup' => htmlspecialchars(wordwrap($source->source, 0), ENT_QUOTES), ); if (!empty($source->context)) { $form['context'] = array( '#type' => 'item', '#title' => t('Context'), - '#markup' => check_plain($source->context), + '#markup' => htmlspecialchars($source->context, ENT_QUOTES), ); } $form['lid'] = array( @@ -2300,7 +2300,7 @@ function _locale_translate_seek() { foreach ($strings as $lid => $string) { $rows[] = array( $groups[$string['group']], - array('data' => check_plain(truncate_utf8($string['source'], 150, FALSE, TRUE)) . '
' . $string['location'] . ''), + array('data' => htmlspecialchars(truncate_utf8($string['source'], 150, FALSE, TRUE), ENT_QUOTES) . '
' . $string['location'] . ''), $string['context'], array('data' => _locale_translate_language_list($string['languages'], $limit_language), 'align' => 'center'), array('data' => l(t('edit'), "admin/config/regional/translate/edit/$lid", array('query' => drupal_get_destination())), 'class' => array('nowrap')), Index: includes/menu.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/menu.inc,v retrieving revision 1.340 diff -u -p -r1.340 menu.inc --- includes/menu.inc 24 Aug 2009 00:14:18 -0000 1.340 +++ includes/menu.inc 24 Aug 2009 01:21:34 -0000 @@ -542,7 +542,7 @@ function _menu_check_access(&$item, $map * @return * No return value. * $item['title'] is localized according to $item['title_callback']. - * If an item's callback is check_plain(), $item['options']['html'] becomes + * If an item's callback is htmlspecialchars(), $item['options']['html'] becomes * TRUE. * $item['description'] is translated using t(). * When doing link translation and the $item['options']['attributes']['title'] @@ -575,8 +575,8 @@ function _menu_item_localize(&$item, $ma else { $item['title'] = call_user_func_array($callback, menu_unserialize($item['title_arguments'], $map)); } - // Avoid calling check_plain again on l() function. - if ($callback == 'check_plain') { + // Avoid calling htmlspecialchars() again on l() function. + if ($callback == 'htmlspecialchars') { $item['localized_options']['html'] = TRUE; } } 
@@ -2821,7 +2821,7 @@ function _menu_router_save($menu, $masks
 */
 function menu_path_is_external($path) {
 $colonpos = strpos($path, ':');
- return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
+ return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == htmlspecialchars($path, ENT_QUOTES);
 }
 /**
Index: includes/path.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/path.inc,v
retrieving revision 1.44
diff -u -p -r1.44 path.inc
--- includes/path.inc 2 Aug 2009 06:48:24 -0000 1.44
+++ includes/path.inc 24 Aug 2009 01:22:06 -0000
@@ -265,7 +265,7 @@ function drupal_get_title() {
 // During a bootstrap, menu.inc is not included and thus we cannot provide a title.
 if (!isset($title) && function_exists('menu_get_active_title')) {
- $title = check_plain(menu_get_active_title());
+ $title = htmlspecialchars(menu_get_active_title(), ENT_QUOTES);
 }
 return $title;
@@ -280,7 +280,7 @@ function drupal_get_title() {
 * @param $output
 * Optional flag - normally should be left as CHECK_PLAIN. Only set to
 * PASS_THROUGH if you have already removed any possibly dangerous code
- * from $title using a function like check_plain() or filter_xss(). With this
+ * from $title using a function like htmlspecialchars() or filter_xss(). With this
 * flag the string will be passed through unchanged.
 *
 * @return
@@ -290,7 +290,7 @@ function drupal_set_title($title = NULL, $stored_title = &drupal_static(__FUNCTION__); if (isset($title)) { - $stored_title = ($output == PASS_THROUGH) ? $title : check_plain($title); + $stored_title = ($output == PASS_THROUGH) ? $title : htmlspecialchars($title, ENT_QUOTES); } return $stored_title; Index: includes/theme.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/theme.inc,v retrieving revision 1.514 diff -u -p -r1.514 theme.inc --- includes/theme.inc 24 Aug 2009 00:34:11 -0000 1.514 +++ includes/theme.inc 24 Aug 2009 01:22:38 -0000 @@ -1330,7 +1330,7 @@ function theme_render_template($template * The formatted text (html). */ function theme_placeholder($text) { - return '' . check_plain($text) . ''; + return '' . htmlspecialchars($text, ENT_QUOTES) . ''; } /** @@ -1409,7 +1409,7 @@ function theme_links($links, $heading = if (!empty($heading['text']) && !empty($heading['level'])) { $output .= '<' . $heading['level'] . (!empty($heading['class']) ? drupal_attributes(array('class' => $heading['class'])) : '') . '>'; - $output .= check_plain($heading['text']); + $output .= htmlspecialchars($heading['text'], ENT_QUOTES); $output .= ''; } @@ -1441,7 +1441,7 @@ function theme_links($links, $heading = elseif (!empty($link['title'])) { // Some links are actually not links, but we wrap these in for adding title and class attributes. if (empty($link['html'])) { - $link['title'] = check_plain($link['title']); + $link['title'] = htmlspecialchars($link['title'], ENT_QUOTES); } $span_attributes = ''; if (isset($link['attributes'])) { @@ -1480,7 +1480,7 @@ function theme_image($path, $alt = '', $ if (!$getsize || (is_file($path) && (list($width, $height, $type, $image_attributes) = @getimagesize($path)))) { $attributes = drupal_attributes($attributes); $url = file_create_url($path); - return '' . check_plain($alt) . ''; + return '' . htmlspecialchars($alt, ENT_QUOTES) . ''; } } 
@@ -1862,7 +1862,7 @@ function theme_username($object) { $output = l($name, 'user/' . $object->uid, array('attributes' => array('title' => t('View user profile.')))); } else { - $output = check_plain($name); + $output = htmlspecialchars($name, ENT_QUOTES); } } elseif ($object->name) { @@ -1874,7 +1874,7 @@ function theme_username($object) { $output = l($object->name, $object->homepage, array('attributes' => array('rel' => 'nofollow'))); } else { - $output = check_plain($object->name); + $output = htmlspecialchars($object->name, ENT_QUOTES); } if (theme_get_setting('toggle_comment_user_verification')) { @@ -1882,7 +1882,7 @@ function theme_username($object) { } } else { - $output = check_plain(variable_get('anonymous', t('Anonymous'))); + $output = htmlspecialchars(variable_get('anonymous', t('Anonymous')), ENT_QUOTES); } return $output; @@ -2025,7 +2025,7 @@ function template_preprocess_page(&$vari if (theme_get_setting('toggle_favicon')) { $favicon = theme_get_setting('favicon'); $type = theme_get_setting('favicon_mimetype'); - drupal_add_html_head(''); + drupal_add_html_head(''); } // Set up layout variable. Index: includes/theme.maintenance.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/theme.maintenance.inc,v retrieving revision 1.37 diff -u -p -r1.37 theme.maintenance.inc --- includes/theme.maintenance.inc 24 Aug 2009 00:14:19 -0000 1.37 +++ includes/theme.maintenance.inc 24 Aug 2009 01:22:48 -0000 
@@ -217,7 +217,7 @@ function template_preprocess_maintenance if (theme_get_setting('toggle_favicon')) { $favicon = theme_get_setting('favicon'); $type = theme_get_setting('favicon_mimetype'); - drupal_add_html_head(''); + drupal_add_html_head(''); } global $theme; Index: includes/token.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/token.inc,v retrieving revision 1.4 diff -u -p -r1.4 token.inc --- includes/token.inc 24 Aug 2009 00:14:19 -0000 1.4 +++ includes/token.inc 24 Aug 2009 01:23:02 -0000 @@ -69,7 +69,7 @@ * final text if no replacement value can be generated. * - sanitize: A boolean flag indicating that tokens should be sanitized for * display to a web browser. Defaults to TRUE. Developers who set this option - * to FALSE assume responsibility for running filter_xss(), check_plain() or + * to FALSE assume responsibility for running filter_xss(), htmlspecialchars() or * other appropriate scrubbing functions before displaying data to users. * @return * Text with tokens replaced. @@ -143,7 +143,7 @@ function token_scan($text) { * truncation to a specific length. * - 'sanitize' A boolean flag indicating that tokens should be sanitized for * display to a web browser. Developers who set this option to FALSE assume - * responsibility for running filter_xss(), check_plain() or other + * responsibility for running filter_xss(), htmlspecialchars() or other * appropriate scrubbing functions before displaying data to users. * @return * An associative array of replacement values, keyed by the original 'raw' Index: includes/update.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/update.inc,v retrieving revision 1.5 diff -u -p -r1.5 update.inc --- includes/update.inc 22 Aug 2009 18:24:14 -0000 1.5 +++ includes/update.inc 24 Aug 2009 01:23:10 -0000 
@@ -412,7 +412,7 @@ function update_do_one($module, $number,
 drupal_set_installed_schema_version($module, $number);
 }
- $context['message'] = 'Updating ' . check_plain($module) . ' module';
+ $context['message'] = 'Updating ' . htmlspecialchars($module, ENT_QUOTES) . ' module';
 }
 /**
Index: includes/xmlrpc.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/xmlrpc.inc,v
retrieving revision 1.61
diff -u -p -r1.61 xmlrpc.inc
--- includes/xmlrpc.inc 24 Aug 2009 00:14:19 -0000 1.61
+++ includes/xmlrpc.inc 24 Aug 2009 01:23:16 -0000
@@ -114,7 +114,7 @@ function xmlrpc_value_get_xml($xmlrpc_va
 case 'struct':
 $return = '' . "\n";
 foreach ($xmlrpc_value->data as $name => $value) {
- $return .= " " . check_plain($name) . "";
+ $return .= " " . htmlspecialchars($name, ENT_QUOTES) . "";
 $return .= xmlrpc_value_get_xml($value) . "\n";
 }
 $return .= '';
Index: includes/database/database.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/database/database.inc,v
retrieving revision 1.73
diff -u -p -r1.73 database.inc
--- includes/database/database.inc 22 Aug 2009 19:10:33 -0000 1.73
+++ includes/database/database.inc 24 Aug 2009 01:23:25 -0000
@@ -2081,11 +2081,11 @@ function db_escape_table($table) {
 * @return
 * An array containing the keys:
 * success: a boolean indicating whether the query succeeded
- * query: the SQL query executed, passed through check_plain()
+ * query: the SQL query executed, passed through htmlspecialchars()
 */
 function update_sql($sql) {
 $result = Database::getConnection()->query($sql);
- return array('success' => $result !== FALSE, 'query' => check_plain($sql));
+ return array('success' => $result !== FALSE, 'query' => htmlspecialchars($sql, ENT_QUOTES));
 }
 /**
Index: includes/database/mysql/schema.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/database/mysql/schema.inc,v
retrieving revision 1.25
diff -u -p -r1.25 schema.inc
--- includes/database/mysql/schema.inc 22 Aug 2009 19:43:11 -0000 1.25
+++ includes/database/mysql/schema.inc 24 Aug 2009 01:23:42 -0000
@@ -292,7 +292,7 @@ class DatabaseSchema_mysql extends Datab
 // All this because update_sql does not support %-placeholders.
 $sql = 'UPDATE {' . $table . '} SET ' . $field . ' = :value';
 $result = db_query($sql, array(':value' => $spec['initial']));
- $ret[] = array('success' => $result !== FALSE, 'query' => check_plain($sql . ' (' . $spec['initial'] . ')'));
+ $ret[] = array('success' => $result !== FALSE, 'query' => htmlspecialchars($sql . ' (' . $spec['initial'] . ')', ENT_QUOTES));
 }
 if ($fixnull) {
 $spec['not null'] = TRUE;
Index: includes/database/pgsql/schema.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/database/pgsql/schema.inc,v
retrieving revision 1.20
diff -u -p -r1.20 schema.inc
--- includes/database/pgsql/schema.inc 22 Aug 2009 19:43:11 -0000 1.20
+++ includes/database/pgsql/schema.inc 24 Aug 2009 01:23:56 -0000
@@ -334,7 +334,7 @@ class DatabaseSchema_pgsql extends Datab
 // All this because update_sql does not support %-placeholders.
 $sql = 'UPDATE {' . $table . '} SET ' . $field . ' = :value';
 $result = db_query($sql, array(':value' => $spec['initial']));
- $ret[] = array('success' => $result !== FALSE, 'query' => check_plain($sql . ' (' . $spec['initial'] . ')'));
+ $ret[] = array('success' => $result !== FALSE, 'query' => htmlspecialchars($sql . ' (' . $spec['initial'] . ')', ENT_QUOTES));
 }
 if ($fixnull) {
 $ret[] = update_sql("ALTER TABLE {" . $table . "} ALTER $field SET NOT NULL");
Index: modules/aggregator/aggregator.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/aggregator/aggregator.admin.inc,v
retrieving revision 1.41
diff -u -p -r1.41 aggregator.admin.inc
--- modules/aggregator/aggregator.admin.inc 24 Aug 2009 00:14:19 -0000 1.41
+++ modules/aggregator/aggregator.admin.inc 24 Aug 2009 01:24:40 -0000
@@ -94,7 +94,7 @@ function aggregator_form_feed(&$form_sta
 $values = array();
 $categories = db_query('SELECT c.cid, c.title, f.fid FROM {aggregator_category} c LEFT JOIN {aggregator_category_feed} f ON c.cid = f.cid AND f.fid = :fid ORDER BY title', array(':fid' => isset($feed->fid) ? $feed->fid : NULL));
 foreach ($categories as $category) {
- $options[$category->cid] = check_plain($category->title);
+ $options[$category->cid] = htmlspecialchars($category->title, ENT_QUOTES);
 if ($category->fid) $values[] = $category->cid;
 }
@@ -259,7 +259,8 @@ function aggregator_form_opml(&$form_sta
 );
 // Handling of categories.
- $options = array_map('check_plain', db_query("SELECT cid, title FROM {aggregator_category} ORDER BY title")->fetchAllKeyed());
+ // @todo array_map() no longer works for htmlspecialchars() here.
+ $options = array_map('htmlspecialchars', db_query("SELECT cid, title FROM {aggregator_category} ORDER BY title")->fetchAllKeyed());
 if ($options) {
 $form['category'] = array(
 '#type' => 'checkboxes',
Index: modules/aggregator/aggregator.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/aggregator/aggregator.module,v
retrieving revision 1.420
diff -u -p -r1.420 aggregator.module
--- modules/aggregator/aggregator.module 24 Aug 2009 00:14:19 -0000 1.420
+++ modules/aggregator/aggregator.module 24 Aug 2009 01:24:53 -0000
@@ -378,7 +378,7 @@ function aggregator_block_view($delta =
 switch ($type) {
 case 'feed':
 if ($feed = db_query('SELECT fid, title, block FROM {aggregator_feed} WHERE block <> 0 AND fid = :fid', array(':fid' => $id))->fetchObject()) {
- $block['subject'] = check_plain($feed->title);
+ $block['subject'] = htmlspecialchars($feed->title, ENT_QUOTES);
 $result = db_query_range("SELECT * FROM {aggregator_item} WHERE fid = :fid ORDER BY timestamp DESC, iid DESC", array(':fid' => $id), 0, $feed->block);
 $read_more = theme('more_link', url('aggregator/sources/' . $feed->fid), t("View this feed's recent news."));
 }
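Review bot: `array_map('htmlspecialchars', ...)` on the added line in aggregator_form_opml() escapes with htmlspecialchars()'s default flags, so single quotes are left untouched and no charset is pinned, and the `@todo` added just above it records that regression instead of fixing it; the resulting titles feed a `'checkboxes'` element, so they presumably end up in rendered labels. A plain loop keeps the strict flags without needing a callback (and stays compatible with PHP releases that lack closures). The same `array_map('htmlspecialchars', ...)` with the same @todo appears in blogapi_admin_settings() in modules/blogapi/blogapi.module and should get the same treatment.
```php
  // Handling of categories.
  $options = array();
  foreach (db_query("SELECT cid, title FROM {aggregator_category} ORDER BY title")->fetchAllKeyed() as $cid => $title) {
    $options[$cid] = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
  }
  // … unchanged: if ($options) { $form['category'] = array( …
```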
@@ -386,7 +386,7 @@ function aggregator_block_view($delta = case 'category': if ($category = db_query('SELECT cid, title, block FROM {aggregator_category} WHERE cid = :cid', array(':cid' => $id))->fetchObject()) { - $block['subject'] = check_plain($category->title); + $block['subject'] = htmlspecialchars($category->title, ENT_QUOTES); $result = db_query_range('SELECT i.* FROM {aggregator_category_item} ci LEFT JOIN {aggregator_item} i ON ci.iid = i.iid WHERE ci.cid = :cid ORDER BY i.timestamp DESC, i.iid DESC', array(':cid' => $category->cid), 0, $category->block); $read_more = theme('more_link', url('aggregator/categories/' . $category->cid), t("View this category's recent news.")); } @@ -643,7 +643,7 @@ function aggregator_category_load($cid) function theme_aggregator_block_item($item, $feed = 0) { // Display the external link to the item. - return '' . check_plain($item->title) . "\n"; + return '' . htmlspecialchars($item->title, ENT_QUOTES) . "\n"; } Index: modules/aggregator/aggregator.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/aggregator/aggregator.pages.inc,v retrieving revision 1.31 diff -u -p -r1.31 aggregator.pages.inc --- modules/aggregator/aggregator.pages.inc 22 Aug 2009 14:34:18 -0000 1.31 +++ modules/aggregator/aggregator.pages.inc 24 Aug 2009 01:25:14 -0000 @@ -169,7 +169,7 @@ function aggregator_categorize_items($it $selected = array(); foreach ($categories_result as $category) { if (!$done) { - $categories[$category->cid] = check_plain($category->title); + $categories[$category->cid] = htmlspecialchars($category->title, ENT_QUOTES); } if ($category->iid) { $selected[] = $category->cid; 
@@ -271,14 +271,14 @@ function template_preprocess_aggregator_ $item = $variables['item']; $variables['feed_url'] = check_url($item->link); - $variables['feed_title'] = check_plain($item->title); + $variables['feed_title'] = htmlspecialchars($item->title, ENT_QUOTES); $variables['content'] = aggregator_filter_xss($item->description); $variables['source_url'] = ''; $variables['source_title'] = ''; if (isset($item->ftitle) && isset($item->fid)) { $variables['source_url'] = url("aggregator/sources/$item->fid"); - $variables['source_title'] = check_plain($item->ftitle); + $variables['source_title'] = htmlspecialchars($item->ftitle, ENT_QUOTES); } if (date('Ymd', $item->timestamp) == date('Ymd')) { $variables['source_date'] = t('%ago ago', array('%ago' => format_interval(REQUEST_TIME - $item->timestamp))); @@ -434,12 +434,12 @@ function theme_aggregator_page_opml($fee $output = "\n"; $output .= "\n"; $output .= "\n"; - $output .= '' . check_plain(variable_get('site_name', 'Drupal')) . "\n"; + $output .= '' . htmlspecialchars(variable_get('site_name', 'Drupal'), ENT_QUOTES) . "\n"; $output .= '' . gmdate('r') . "\n"; $output .= "\n"; $output .= "\n"; foreach ($feeds as $feed) { - $output .= '\n"; + $output .= '\n"; } $output .= "\n"; $output .= "\n"; @@ -453,7 +453,7 @@ function theme_aggregator_page_opml($fee * @see aggregator-summary-item.tpl.php */ function template_preprocess_aggregator_summary_items(&$variables) { - $variables['title'] = check_plain($variables['source']->title); + $variables['title'] = htmlspecialchars($variables['source']->title, ENT_QUOTES); $variables['summary_list'] = theme('item_list', $variables['summary_items']); $variables['source_url'] = $variables['source']->url; } 
@@ -467,14 +467,14 @@ function template_preprocess_aggregator_ $item = $variables['item']; $variables['feed_url'] = check_url($item->link); - $variables['feed_title'] = check_plain($item->title); + $variables['feed_title'] = htmlspecialchars($item->title, ENT_QUOTES); $variables['feed_age'] = t('%age old', array('%age' => format_interval(REQUEST_TIME - $item->timestamp))); $variables['source_url'] = ''; $variables['source_title'] = ''; if (!empty($item->feed_link)) { $variables['source_url'] = check_url($item->feed_link); - $variables['source_title'] = check_plain($item->feed_title); + $variables['source_title'] = htmlspecialchars($item->feed_title, ENT_QUOTES); } } Index: modules/block/block.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/block/block.admin.inc,v retrieving revision 1.49 diff -u -p -r1.49 block.admin.inc --- modules/block/block.admin.inc 22 Aug 2009 14:34:18 -0000 1.49 +++ modules/block/block.admin.inc 24 Aug 2009 01:25:21 -0000 @@ -82,7 +82,7 @@ function block_admin_display_form(&$form '#value' => $block['delta'], ); $form[$key]['info'] = array( - '#markup' => check_plain($block['info']), + '#markup' => htmlspecialchars($block['info'], ENT_QUOTES), ); $form[$key]['theme'] = array( '#type' => 'hidden', Index: modules/block/block.module =================================================================== RCS file: /cvs/drupal/drupal/modules/block/block.module,v retrieving revision 1.366 diff -u -p -r1.366 block.module --- modules/block/block.module 24 Aug 2009 00:14:19 -0000 1.366 +++ modules/block/block.module 24 Aug 2009 01:25:28 -0000 
@@ -166,7 +166,7 @@ function block_menu() { $default = variable_get('theme_default', 'garland'); foreach (list_themes() as $key => $theme) { $items['admin/structure/block/list/' . $key] = array( - 'title' => check_plain($theme->info['name']), + 'title' => htmlspecialchars($theme->info['name'], ENT_QUOTES), 'page arguments' => array($key), 'type' => $key == $default ? MENU_DEFAULT_LOCAL_TASK : MENU_LOCAL_TASK, 'weight' => $key == $default ? -10 : 0, @@ -445,7 +445,7 @@ function block_user_form(&$edit, $accoun $return = TRUE; $form['block'][$block->module][$block->delta] = array( '#type' => 'checkbox', - '#title' => check_plain($data[$block->delta]['info']), + '#title' => htmlspecialchars($data[$block->delta]['info'], ENT_QUOTES), '#default_value' => isset($account->block[$block->module][$block->delta]) ? $account->block[$block->module][$block->delta] : ($block->custom == 1), ); } @@ -747,7 +747,7 @@ function _block_render_blocks($region_bl if ($block->title) { // Check plain here to allow module generated titles to keep any // markup. - $block->subject = $block->title == '' ? '' : check_plain($block->title); + $block->subject = $block->title == '' ? '' : htmlspecialchars($block->title, ENT_QUOTES); } if (!isset($block->subject)) { $block->subject = ''; Index: modules/blogapi/blogapi.module =================================================================== RCS file: /cvs/drupal/drupal/modules/blogapi/blogapi.module,v retrieving revision 1.160 diff -u -p -r1.160 blogapi.module --- modules/blogapi/blogapi.module 22 Aug 2009 00:58:52 -0000 1.160 +++ modules/blogapi/blogapi.module 24 Aug 2009 01:25:49 -0000 
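Review bot: The comment above the changed line in the _block_render_blocks hunk still reads `// Check plain here to allow module generated titles to keep any markup.`, but the line it describes no longer calls check_plain(), so the comment now names a function that is not there. Suggest `// Escape the configured title here to allow module generated titles to keep any markup.` so the intent survives the rename. The enclosing function starts and ends outside this hunk.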
@@ -722,7 +722,8 @@ function blogapi_blogger_title(&$content * Add some settings to the admin_settings form. */ function blogapi_admin_settings() { - $node_types = array_map('check_plain', node_type_get_names()); + // @todo array_map() no longer works for htmlspecialchars() here. + $node_types = array_map('htmlspecialchars', node_type_get_names()); $defaults = isset($node_types['blog']) ? array('blog' => 1) : array(); $form['blogapi_node_types'] = array( '#type' => 'checkboxes', Index: modules/book/book.module =================================================================== RCS file: /cvs/drupal/drupal/modules/book/book.module,v retrieving revision 1.508 diff -u -p -r1.508 book.module --- modules/book/book.module 24 Aug 2009 00:14:19 -0000 1.508 +++ modules/book/book.module 24 Aug 2009 01:26:08 -0000 @@ -901,7 +901,7 @@ function template_preprocess_book_naviga // Provide extra variables for themers. Not needed by default. $variables['book_id'] = $book_link['bid']; - $variables['book_title'] = check_plain($book_link['link_title']); + $variables['book_title'] = htmlspecialchars($book_link['link_title'], ENT_QUOTES); $variables['book_url'] = 'node/' . $book_link['bid']; $variables['current_depth'] = $book_link['depth']; $variables['tree'] = ''; 
@@ -913,21 +913,21 @@ function template_preprocess_book_naviga $prev_href = url($prev['href']); drupal_add_link(array('rel' => 'prev', 'href' => $prev_href)); $variables['prev_url'] = $prev_href; - $variables['prev_title'] = check_plain($prev['title']); + $variables['prev_title'] = htmlspecialchars($prev['title'], ENT_QUOTES); } if ($book_link['plid'] && $parent = book_link_load($book_link['plid'])) { $parent_href = url($parent['href']); drupal_add_link(array('rel' => 'up', 'href' => $parent_href)); $variables['parent_url'] = $parent_href; - $variables['parent_title'] = check_plain($parent['title']); + $variables['parent_title'] = htmlspecialchars($parent['title'], ENT_QUOTES); } if ($next = book_next($book_link)) { $next_href = url($next['href']); drupal_add_link(array('rel' => 'next', 'href' => $next_href)); $variables['next_url'] = $next_href; - $variables['next_title'] = check_plain($next['title']); + $variables['next_title'] = htmlspecialchars($next['title'], ENT_QUOTES); } } @@ -999,7 +999,7 @@ function book_toc($bid, $depth_limit, $e function template_preprocess_book_export_html(&$variables) { global $base_url, $language; - $variables['title'] = check_plain($variables['title']); + $variables['title'] = htmlspecialchars($variables['title'], ENT_QUOTES); $variables['base_url'] = $base_url; $variables['language'] = $language; $variables['language_rtl'] = ($language->direction == LANGUAGE_RTL); 
@@ -1075,7 +1075,7 @@ function book_node_export($node, $childr */ function template_preprocess_book_node_export_html(&$variables) { $variables['depth'] = $variables['node']->book['depth']; - $variables['title'] = check_plain($variables['node']->title); + $variables['title'] = htmlspecialchars($variables['node']->title, ENT_QUOTES); $variables['content'] = $variables['node']->rendered; } Index: modules/comment/comment.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/comment/comment.admin.inc,v retrieving revision 1.30 diff -u -p -r1.30 comment.admin.inc --- modules/comment/comment.admin.inc 31 Jul 2009 19:44:09 -0000 1.30 +++ modules/comment/comment.admin.inc 24 Aug 2009 01:26:16 -0000 @@ -173,7 +173,7 @@ function comment_multiple_delete_confirm $comment = comment_load($cid); if (is_object($comment) && is_numeric($comment->cid)) { $subject = db_query('SELECT subject FROM {comment} WHERE cid = :cid', array(':cid' => $cid))->fetchField(); - $form['comments'][$cid] = array('#type' => 'hidden', '#value' => $cid, '#prefix' => '
  • ', '#suffix' => check_plain($subject) . '
  • '); + $form['comments'][$cid] = array('#type' => 'hidden', '#value' => $cid, '#prefix' => '
  • ', '#suffix' => htmlspecialchars($subject, ENT_QUOTES) . '
  • '); $comment_counter++; } } Index: modules/comment/comment.module =================================================================== RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v retrieving revision 1.759 diff -u -p -r1.759 comment.module --- modules/comment/comment.module 24 Aug 2009 00:14:19 -0000 1.759 +++ modules/comment/comment.module 24 Aug 2009 01:26:23 -0000 @@ -1132,7 +1132,7 @@ function comment_node_update_index($node ':status' => COMMENT_PUBLISHED )); foreach ($comments as $comment) { - $text .= '

    ' . check_plain($comment->subject) . '

    ' . check_markup($comment->comment, $comment->format); + $text .= '

    ' . htmlspecialchars($comment->subject, ENT_QUOTES) . '

    ' . check_markup($comment->comment, $comment->format); } } return $text; @@ -1900,7 +1900,7 @@ function comment_preview($comment) { if (!empty($account)) { $comment->uid = $account->uid; - $comment->name = check_plain($account->name); + $comment->name = htmlspecialchars($account->name, ENT_QUOTES); } elseif (empty($comment->name)) { $comment->name = variable_get('anonymous', t('Anonymous')); Index: modules/comment/comment.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/comment/comment.tokens.inc,v retrieving revision 1.1 diff -u -p -r1.1 comment.tokens.inc --- modules/comment/comment.tokens.inc 19 Aug 2009 20:19:36 -0000 1.1 +++ modules/comment/comment.tokens.inc 24 Aug 2009 01:26:30 -0000 @@ -147,7 +147,7 @@ function comment_tokens($type, $tokens, // Poster identity information for comments case 'hostname': - $replacements[$original] = $sanitize ? check_plain($comment->hostname) : $comment->hostname; + $replacements[$original] = $sanitize ? htmlspecialchars($comment->hostname, ENT_QUOTES) : $comment->hostname; break; case 'name': @@ -163,7 +163,7 @@ function comment_tokens($type, $tokens, else { $mail = $comment->mail; } - $replacements[$original] = $sanitize ? check_plain($mail) : $mail; + $replacements[$original] = $sanitize ? htmlspecialchars($mail, ENT_QUOTES) : $mail; break; case 'homepage': Index: modules/contact/contact.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/contact/contact.pages.inc,v retrieving revision 1.23 diff -u -p -r1.23 contact.pages.inc --- modules/contact/contact.pages.inc 20 Jul 2009 18:51:33 -0000 1.23 +++ modules/contact/contact.pages.inc 24 Aug 2009 01:26:37 -0000 
@@ -177,7 +177,7 @@ function contact_personal_form(&$form_st $form['recipient'] = array('#type' => 'value', '#value' => $recipient); $form['from'] = array('#type' => 'item', '#title' => t('From'), - '#markup' => theme('username', $user) . ' <' . check_plain($user->mail) . '>', + '#markup' => theme('username', $user) . ' <' . htmlspecialchars($user->mail, ENT_QUOTES) . '>', ); $form['to'] = array('#type' => 'item', '#title' => t('To'), Index: modules/dblog/dblog.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/dblog/dblog.admin.inc,v retrieving revision 1.28 diff -u -p -r1.28 dblog.admin.inc --- modules/dblog/dblog.admin.inc 24 Aug 2009 00:14:19 -0000 1.28 +++ modules/dblog/dblog.admin.inc 24 Aug 2009 01:26:43 -0000 @@ -172,7 +172,7 @@ function dblog_event($id) { ), array( array('data' => t('Hostname'), 'header' => TRUE), - check_plain($dblog->hostname), + htmlspecialchars($dblog->hostname, ENT_QUOTES), ), array( array('data' => t('Operations'), 'header' => TRUE), Index: modules/field/field.api.php =================================================================== RCS file: /cvs/drupal/drupal/modules/field/field.api.php,v retrieving revision 1.29 diff -u -p -r1.29 field.api.php --- modules/field/field.api.php 22 Aug 2009 00:58:52 -0000 1.29 +++ modules/field/field.api.php 24 Aug 2009 01:26:51 -0000 @@ -376,9 +376,9 @@ function hook_field_load($obj_type, $obj } } else { - $items[$id][$delta]['safe'] = check_plain($item['value']); + $items[$id][$delta]['safe'] = htmlspecialchars($item['value'], ENT_QUOTES); if ($field['type'] == 'text_with_summary') { - $items[$id][$delta]['safe_summary'] = check_plain($item['summary']); + $items[$id][$delta]['safe_summary'] = htmlspecialchars($item['summary'], ENT_QUOTES); } } } 
@@ -419,9 +419,9 @@ function hook_field_sanitize($obj_type, } } else { - $items[$delta]['safe'] = check_plain($item['value']); + $items[$delta]['safe'] = htmlspecialchars($item['value'], ENT_QUOTES); if ($field['type'] == 'text_with_summary') { - $items[$delta]['safe_summary'] = check_plain($item['summary']); + $items[$delta]['safe_summary'] = htmlspecialchars($item['summary'], ENT_QUOTES); } } } Index: modules/field/field.default.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/field/field.default.inc,v retrieving revision 1.16 diff -u -p -r1.16 field.default.inc --- modules/field/field.default.inc 22 Aug 2009 00:58:52 -0000 1.16 +++ modules/field/field.default.inc 24 Aug 2009 01:26:59 -0000 @@ -83,7 +83,7 @@ function field_default_view($obj_type, $ $element = $info + array( '#theme' => 'field', '#weight' => $display['weight'], - '#title' => check_plain(t($instance['label'])), + '#title' => htmlspecialchars(t($instance['label'], ENT_QUOTES)), '#access' => field_access('view', $field), '#label_display' => $label_display, '#build_mode' => $build_mode, Index: modules/field/field.form.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/field/field.form.inc,v retrieving revision 1.20 diff -u -p -r1.20 field.form.inc --- modules/field/field.form.inc 24 Aug 2009 00:14:20 -0000 1.20 +++ modules/field/field.form.inc 24 Aug 2009 01:27:25 -0000 @@ -61,7 +61,7 @@ function field_default_form($obj_type, $ $defaults = array( '#required' => $get_delta > 0 ? FALSE : $instance['required'], '#columns' => array_keys($field['columns']), - '#title' => check_plain(t($instance['label'])), + '#title' => htmlspecialchars(t($instance['label']), ENT_QUOTES), '#description' => field_filter_xss($instance['description']), '#delta' => $delta, '#field_name' => $field['field_name'], 
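Review bot: In the field.default.inc hunk the closing parenthesis is misplaced: `'#title' => htmlspecialchars(t($instance['label'], ENT_QUOTES)),` passes ENT_QUOTES as the second argument of t(), whose second parameter is the replacement array, and leaves htmlspecialchars() with its default flags, so the label is escaped less strictly than everywhere else in the patch and t() receives an integer where it expects an array. The line should read `'#title' => htmlspecialchars(t($instance['label']), ENT_QUOTES),`, matching the field.form.inc hunk that follows it on the same page. The enclosing field_default_view() starts and ends outside this hunk.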
@@ -138,7 +138,7 @@ function field_multiple_value_form($fiel break; } - $title = check_plain(t($instance['label'])); + $title = htmlspecialchars(t($instance['label']), ENT_QUOTES); $description = field_filter_xss(t($instance['description'])); $bundle_name_url_css = str_replace('_', '-', $instance['bundle']); Index: modules/field/field.module =================================================================== RCS file: /cvs/drupal/drupal/modules/field/field.module,v retrieving revision 1.28 diff -u -p -r1.28 field.module --- modules/field/field.module 24 Aug 2009 00:14:20 -0000 1.28 +++ modules/field/field.module 24 Aug 2009 01:27:44 -0000 @@ -460,7 +460,7 @@ function field_cache_clear($rebuild_sche * * Used for items entered by administrators, like field descriptions, * allowed values, where some (mainly inline) mark-up may be desired - * (so check_plain() is not acceptable). + * (so htmlspecialchars() is not acceptable). */ function field_filter_xss($string) { return filter_xss($string, _field_filter_xss_allowed_tags()); @@ -506,7 +506,7 @@ function _field_filter_xss_display_allow * * @return * A string containing the contents of the field item(s) sanitized for display. - * It will have been passed through the necessary check_plain() or check_markup() + * It will have been passed through the necessary htmlspecialchars() or check_markup() * functions as necessary. */ function field_format($obj_type, $object, $field, $item, $formatter_type = NULL, $formatter_settings = array()) { 
@@ -709,7 +709,7 @@ function template_preprocess_field(&$var 'field_name' => $field['field_name'], 'field_type_css' => strtr($field['type'], '_', '-'), 'field_name_css' => strtr($field['field_name'], '_', '-'), - 'label' => check_plain(t($instance['label'])), + 'label' => htmlspecialchars(t($instance['label']), ENT_QUOTES), 'label_display' => $element['#label_display'], 'field_empty' => $field_empty, 'field_language' => $element['#language'], Index: modules/field/modules/text/text.module =================================================================== RCS file: /cvs/drupal/drupal/modules/field/modules/text/text.module,v retrieving revision 1.23 diff -u -p -r1.23 text.module --- modules/field/modules/text/text.module 24 Aug 2009 00:37:25 -0000 1.23 +++ modules/field/modules/text/text.module 24 Aug 2009 01:27:53 -0000 @@ -223,9 +223,9 @@ function text_field_load($obj_type, $obj } } else { - $items[$id][$delta]['safe'] = check_plain($item['value']); + $items[$id][$delta]['safe'] = htmlspecialchars($item['value'], ENT_QUOTES); if ($field['type'] == 'text_with_summary') { - $items[$id][$delta]['safe_summary'] = check_plain($item['summary']); + $items[$id][$delta]['safe_summary'] = htmlspecialchars($item['summary'], ENT_QUOTES); } } } 
@@ -251,9 +251,9 @@ function text_field_sanitize($obj_type, } } else { - $items[$delta]['safe'] = check_plain($item['value']); + $items[$delta]['safe'] = htmlspecialchars($item['value'], ENT_QUOTES); if ($field['type'] == 'text_with_summary') { - $items[$delta]['safe_summary'] = check_plain($item['summary']); + $items[$delta]['safe_summary'] = htmlspecialchars($item['summary'], ENT_QUOTES); } } } Index: modules/field_ui/field_ui.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/field_ui/field_ui.admin.inc,v retrieving revision 1.7 diff -u -p -r1.7 field_ui.admin.inc --- modules/field_ui/field_ui.admin.inc 24 Aug 2009 00:14:20 -0000 1.7 +++ modules/field_ui/field_ui.admin.inc 24 Aug 2009 01:28:01 -0000 @@ -101,7 +101,7 @@ function field_ui_field_overview_form(&$ $weight = $instance['widget']['weight']; $form[$name] = array( 'label' => array( - '#markup' => check_plain($instance['label']), + '#markup' => htmlspecialchars($instance['label'], ENT_QUOTES), ), 'field_name' => array( '#markup' => $instance['field_name'], @@ -587,7 +587,7 @@ function field_ui_display_overview_form( $weight = $instance['widget']['weight']; $form[$name] = array( - 'human_name' => array('#markup' => check_plain($instance['label'])), + 'human_name' => array('#markup' => htmlspecialchars($instance['label'], ENT_QUOTES)), 'weight' => array('#type' => 'value', '#value' => $weight), ); $defaults = $instance['display']; 
@@ -1021,7 +1021,7 @@ function field_ui_field_edit_form(&$form $bundles = field_info_bundles(); $title = isset($instance['label']) ? $instance['label'] : $instance['field_name']; - drupal_set_title(check_plain($title)); + drupal_set_title(htmlspecialchars($title, ENT_QUOTES)); // Create a form structure for the instance values. $form['instance'] = array( Index: modules/filter/filter.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/filter/filter.admin.inc,v retrieving revision 1.37 diff -u -p -r1.37 filter.admin.inc --- modules/filter/filter.admin.inc 24 Aug 2009 00:14:20 -0000 1.37 +++ modules/filter/filter.admin.inc 24 Aug 2009 01:28:08 -0000 @@ -72,7 +72,7 @@ function theme_filter_admin_overview($fo $element['weight']['#attributes']['class'] = array('text-format-order-weight'); $rows[] = array( 'data' => array( - check_plain($element['name']['#markup']), + htmlspecialchars($element['name']['#markup'], ENT_QUOTES), drupal_render($element['roles']), drupal_render($form['default'][$id]), drupal_render($element['weight']), Index: modules/filter/filter.module =================================================================== RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v retrieving revision 1.277 diff -u -p -r1.277 filter.module --- modules/filter/filter.module 24 Aug 2009 00:14:20 -0000 1.277 +++ modules/filter/filter.module 24 Aug 2009 01:28:31 -0000 @@ -232,7 +232,7 @@ function _filter_html_tips($format, $lon if ($tips[$tag]) { $rows[] = array( array('data' => $tips[$tag][0], 'class' => array('description')), - array('data' => '' . check_plain($tips[$tag][1]) . '', 'class' => array('type')), + array('data' => '' . htmlspecialchars($tips[$tag][1], ENT_QUOTES) . '', 'class' => array('type')), array('data' => $tips[$tag][1], 'class' => array('get')) ); } 
@@ -259,7 +259,7 @@ function _filter_html_tips($format, $lon foreach ($entities as $entity) { $rows[] = array( array('data' => $entity[0], 'class' => array('description')), - array('data' => '' . check_plain($entity[1]) . '', 'class' => array('type')), + array('data' => '' . htmlspecialchars($entity[1], ENT_QUOTES) . '', 'class' => array('type')), array('data' => $entity[1], 'class' => array('get')) ); } @@ -793,7 +793,7 @@ function _filter_htmlcorrector($text) { */ function _filter_url_parse_full_links($match) { $match[2] = decode_entities($match[2]); - $caption = check_plain(_filter_url_trim($match[2])); + $caption = htmlspecialchars(_filter_url_trim($match[2]), ENT_QUOTES); $match[2] = check_url($match[2]); return $match[1] . '' . $caption . '' . $match[5]; } @@ -803,8 +803,8 @@ function _filter_url_parse_full_links($m */ function _filter_url_parse_partial_links($match) { $match[2] = decode_entities($match[2]); - $caption = check_plain(_filter_url_trim($match[2])); - $match[2] = check_plain($match[2]); + $caption = htmlspecialchars(_filter_url_trim($match[2]), ENT_QUOTES); + $match[2] = htmlspecialchars($match[2], ENT_QUOTES); return $match[1] . '' . $caption . '' . $match[3]; } Index: modules/filter/filter.test =================================================================== RCS file: /cvs/drupal/drupal/modules/filter/filter.test,v retrieving revision 1.32 diff -u -p -r1.32 filter.test --- modules/filter/filter.test 22 Aug 2009 00:58:53 -0000 1.32 +++ modules/filter/filter.test 24 Aug 2009 01:28:51 -0000 
@@ -501,20 +501,20 @@ class FilterUnitTest extends DrupalWebTe /** * Test the HTML escaping filter. * - * Here we test only whether check_plain() does what it should. + * Here we test only whether htmlspecialchars() does what it should. */ function testNoHtmlFilter() { // Test that characters that have special meaning in XML are changed into // entities. - $f = check_plain('<>&"'); + $f = htmlspecialchars('<>&"', ENT_QUOTES); $this->assertEqual($f, '<>&"', t('No HTML filter basic test.')); // A single quote can also be used for evil things in some contexts. - $f = check_plain('\''); + $f = htmlspecialchars('\'', ENT_QUOTES); $this->assertEqual($f, ''', t('No HTML filter -- single quote.')); // Test that the filter is not fooled by different evasion techniques. - $f = check_plain("\xc2\""); + $f = htmlspecialchars("\xc2\"", ENT_QUOTES); $this->assertEqual($f, '', t('No HTML filter -- invalid UTF-8.')); } Index: modules/forum/forum.module =================================================================== RCS file: /cvs/drupal/drupal/modules/forum/forum.module,v retrieving revision 1.514 diff -u -p -r1.514 forum.module --- modules/forum/forum.module 24 Aug 2009 00:14:20 -0000 1.514 +++ modules/forum/forum.module 24 Aug 2009 01:29:13 -0000 @@ -548,7 +548,7 @@ function forum_block_view($delta = '') { */ function forum_form($node, $form_state) { $type = node_type_get_type($node); - $form['title'] = array('#type' => 'textfield', '#title' => check_plain($type->title_label), '#default_value' => !empty($node->title) ? $node->title : '', '#required' => TRUE, '#weight' => -5); + $form['title'] = array('#type' => 'textfield', '#title' => htmlspecialchars($type->title_label, ENT_QUOTES), '#default_value' => !empty($node->title) ? $node->title : '', '#required' => TRUE, '#weight' => -5); if (!empty($node->nid)) { $vid = variable_get('forum_nav_vocabulary', 0); 
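Review bot: The last assertion in testNoHtmlFilter still expects `htmlspecialchars("\xc2\"", ENT_QUOTES)` to return an empty string for invalid UTF-8, but without a third argument that call uses the interpreter's default charset, which on the PHP versions this code targeted is ISO-8859-1 and treats every byte as valid; the assertion will therefore no longer hold, and what it documents is exactly the guarantee the patch gives up. Either the test and every call site pass `'UTF-8'` explicitly, or the assertion is removed along with the guarantee, but the two must agree. The updated doc comment ("whether htmlspecialchars() does what it should") is also slightly misleading, since the test now checks a PHP built-in rather than project code; `Here we test the escaping contract core relies on for plain text.` would state what the test is actually protecting.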
@@ -870,7 +870,7 @@ function template_preprocess_forum_list( foreach ($variables['forums'] as $id => $forum) { $variables['forums'][$id]->description = !empty($forum->description) ? filter_xss_admin($forum->description) : ''; $variables['forums'][$id]->link = url("forum/$forum->tid"); - $variables['forums'][$id]->name = check_plain($forum->name); + $variables['forums'][$id]->name = htmlspecialchars($forum->name, ENT_QUOTES); $variables['forums'][$id]->is_container = !empty($forum->container); $variables['forums'][$id]->zebra = $row % 2 == 0 ? 'odd' : 'even'; $row++; @@ -930,7 +930,7 @@ function template_preprocess_forum_topic // them is a shadow copy. if ($topic->forum_tid != $variables['tid']) { $variables['topics'][$id]->moved = TRUE; - $variables['topics'][$id]->title = check_plain($topic->title); + $variables['topics'][$id]->title = htmlspecialchars($topic->title, ENT_QUOTES); $variables['topics'][$id]->message = l(t('This topic has been moved'), "forum/$topic->forum_tid"); } else { Index: modules/image/image.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/image/image.admin.inc,v retrieving revision 1.9 diff -u -p -r1.9 image.admin.inc --- modules/image/image.admin.inc 24 Aug 2009 00:14:20 -0000 1.9 +++ modules/image/image.admin.inc 24 Aug 2009 01:29:22 -0000 @@ -81,7 +81,7 @@ function image_style_form(&$form_state, // Build the new image effect addition form and add it to the effect list. $new_effect_options = array('' => t('Select a new effect')); foreach (image_effect_definitions() as $effect => $definition) { - $new_effect_options[$effect] = check_plain($definition['label']); + $new_effect_options[$effect] = htmlspecialchars($definition['label'], ENT_QUOTES); } $form['effects']['new'] = array( '#tree' => FALSE, @@ -704,7 +704,7 @@ function theme_image_style_preview($styl // Build the preview of the image style. $output .= '
    '; - $output .= check_plain($style['name']) . ' (' . l(t('view actual size'), file_create_url($preview_file) . '?' . time()) . ')'; + $output .= htmlspecialchars($style['name'], ENT_QUOTES) . ' (' . l(t('view actual size'), file_create_url($preview_file) . '?' . time()) . ')'; $output .= '
    '; $output .= '' . theme('image', file_create_url($preview_file) . '?' . time(), t('Sample modified image'), '', $preview_attributes, FALSE) . ''; $output .= '
    ' . $preview_image['height'] . 'px
    '; @@ -749,7 +749,7 @@ function theme_image_anchor($element) { */ function theme_image_resize_summary($data) { if ($data['width'] && $data['height']) { - return check_plain($data['width']) . 'x' . check_plain($data['height']); + return htmlspecialchars($data['width'], ENT_QUOTES) . 'x' . htmlspecialchars($data['height'], ENT_QUOTES); } else { return ($data['width']) ? t('width @width', array('@width' => $data['width'])) : t('height @height', array('@height' => $data['height'])); Index: modules/menu/menu.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/menu/menu.admin.inc,v retrieving revision 1.55 diff -u -p -r1.55 menu.admin.inc --- modules/menu/menu.admin.inc 22 Aug 2009 23:18:28 -0000 1.55 +++ modules/menu/menu.admin.inc 24 Aug 2009 01:29:29 -0000 @@ -28,7 +28,7 @@ function menu_overview_page() { * Theme the menu title and description for admin page */ function theme_menu_admin_overview($title, $name, $description) { - $output = check_plain($title); + $output = htmlspecialchars($title, ENT_QUOTES); $output .= '
    ' . filter_xss_admin($description) . '
    '; return $output; Index: modules/menu/menu.module =================================================================== RCS file: /cvs/drupal/drupal/modules/menu/menu.module,v retrieving revision 1.200 diff -u -p -r1.200 menu.module --- modules/menu/menu.module 24 Aug 2009 00:14:21 -0000 1.200 +++ modules/menu/menu.module 24 Aug 2009 01:29:36 -0000 @@ -282,7 +282,7 @@ function menu_block_list() { $blocks = array(); foreach ($menus as $name => $title) { // Default "Navigation" block is handled by user.module. - $blocks[$name]['info'] = check_plain($title); + $blocks[$name]['info'] = htmlspecialchars($title, ENT_QUOTES); // Menu blocks can't be cached because each menu item can have // a custom access callback. menu.inc manages its own caching. $blocks[$name]['cache'] = BLOCK_NO_CACHE; @@ -295,7 +295,7 @@ function menu_block_list() { */ function menu_block_view($delta = '') { $menus = menu_get_menus(FALSE); - $data['subject'] = check_plain($menus[$delta]); + $data['subject'] = htmlspecialchars($menus[$delta], ENT_QUOTES); $data['content'] = menu_tree($delta); return $data; } Index: modules/node/content_types.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/node/content_types.inc,v retrieving revision 1.90 diff -u -p -r1.90 content_types.inc --- modules/node/content_types.inc 22 Aug 2009 23:18:28 -0000 1.90 +++ modules/node/content_types.inc 24 Aug 2009 01:29:42 -0000 @@ -48,8 +48,8 @@ function node_overview_types() { } function theme_node_admin_overview($name, $type) { - $output = check_plain($name); - $output .= ' (Machine name: ' . check_plain($type->type) . ')'; + $output = htmlspecialchars($name, ENT_QUOTES); + $output .= ' (Machine name: ' . htmlspecialchars($type->type, ENT_QUOTES) . ')'; $output .= '
    ' . filter_xss_admin($type->description) . '
    '; return $output; } Index: modules/node/node.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.admin.inc,v retrieving revision 1.63 diff -u -p -r1.63 node.admin.inc --- modules/node/node.admin.inc 23 Aug 2009 04:37:52 -0000 1.63 +++ modules/node/node.admin.inc 24 Aug 2009 01:30:02 -0000 @@ -448,7 +448,7 @@ function node_admin_nodes() { $nodes[$node->nid] = ''; $options = empty($node->language) ? array() : array('language' => $languages[$node->language]); $form['title'][$node->nid] = array('#markup' => l($node->title, 'node/' . $node->nid, $options) . ' ' . theme('mark', node_mark($node->nid, $node->changed))); - $form['name'][$node->nid] = array('#markup' => check_plain(node_type_get_name($node))); + $form['name'][$node->nid] = array('#markup' => htmlspecialchars(node_type_get_name($node), ENT_QUOTES)); $form['username'][$node->nid] = array('#markup' => theme('username', $node)); $form['status'][$node->nid] = array('#markup' => ($node->status ? t('published') : t('not published'))); $form['changed'][$node->nid] = array('#markup' => format_date($node->changed, 'small')); @@ -564,7 +564,7 @@ function node_multiple_delete_confirm(&$ '#type' => 'hidden', '#value' => $nid, '#prefix' => '
  • ', - '#suffix' => check_plain($title) . "
  • \n", + '#suffix' => htmlspecialchars($title, ENT_QUOTES) . "\n", ); } $form['operation'] = array('#type' => 'hidden', '#value' => 'delete'); Index: modules/node/node.api.php =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.api.php,v retrieving revision 1.36 diff -u -p -r1.36 node.api.php --- modules/node/node.api.php 20 Aug 2009 10:56:33 -0000 1.36 +++ modules/node/node.api.php 24 Aug 2009 01:30:09 -0000 @@ -486,7 +486,7 @@ function hook_node_update_index($node) { $text = ''; $comments = db_query('SELECT subject, comment, format FROM {comment} WHERE nid = :nid AND status = :status', array(':nid' => $node->nid, ':status' => COMMENT_PUBLISHED)); foreach ($comments as $comment) { - $text .= '

    ' . check_plain($comment->subject) . '

    ' . check_markup($comment->comment, $comment->format); + $text .= '

    ' . htmlspecialchars($comment->subject, ENT_QUOTES) . '

    ' . check_markup($comment->comment, $comment->format); } return $text; } @@ -800,12 +800,12 @@ function hook_form($node, $form_state) { $form['title'] = array( '#type' => 'textfield', - '#title' => check_plain($type->title_label), + '#title' => htmlspecialchars($type->title_label, ENT_QUOTES), '#required' => TRUE, ); $form['body'] = array( '#type' => 'textarea', - '#title' => check_plain($type->body_label), + '#title' => htmlspecialchars($type->body_label, ENT_QUOTES), '#rows' => 20, '#required' => TRUE, ); Index: modules/node/node.module =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.module,v retrieving revision 1.1110 diff -u -p -r1.1110 node.module --- modules/node/node.module 24 Aug 2009 00:14:21 -0000 1.1110 +++ modules/node/node.module 24 Aug 2009 01:30:27 -0000 @@ -1261,7 +1261,7 @@ function template_preprocess_node(&$vari $variables['date'] = format_date($node->created); $variables['name'] = theme('username', $node); $variables['node_url'] = url('node/' . $node->nid); - $variables['title'] = check_plain($node->title); + $variables['title'] = htmlspecialchars($node->title, ENT_QUOTES); $variables['page'] = (bool)menu_get_object(); if (!empty($node->in_preview)) { @@ -1515,7 +1515,7 @@ function node_search($op = 'search', $ke $results[] = array( 'link' => url('node/' . $item->sid, array('absolute' => TRUE)), - 'type' => check_plain(node_type_get_name($node)), + 'type' => htmlspecialchars(node_type_get_name($node), ENT_QUOTES), 'title' => $node->title, 'user' => theme('username', $node), 'date' => $node->changed, @@ -2110,7 +2110,7 @@ function _node_index_node($node) { $node = node_build_content($node, 'search_index'); $node->rendered = drupal_render($node->content); - $text = '

    ' . check_plain($node->title) . '

    ' . $node->rendered; + $text = '

    ' . htmlspecialchars($node->title, ENT_QUOTES) . '

    ' . $node->rendered; // Fetch extra data normally not visible $extra = module_invoke_all('node_update_index', $node); @@ -2419,7 +2419,7 @@ function node_node_access($node, $op, $a */ function node_list_permissions($type) { $info = node_type_get_type($type); - $type = check_plain($info->type); + $type = htmlspecialchars($info->type, ENT_QUOTES); // Build standard list of node permissions for this type. $perms = array( @@ -2912,7 +2912,7 @@ function node_content_form($node, $form_ if ($type->has_title) { $form['title'] = array( '#type' => 'textfield', - '#title' => check_plain($type->title_label), + '#title' => htmlspecialchars($type->title_label, ENT_QUOTES), '#required' => TRUE, '#default_value' => $node->title, '#maxlength' => 255, Index: modules/node/node.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.tokens.inc,v retrieving revision 1.2 diff -u -p -r1.2 node.tokens.inc --- modules/node/node.tokens.inc 23 Aug 2009 13:02:38 -0000 1.2 +++ modules/node/node.tokens.inc 24 Aug 2009 01:30:36 -0000 @@ -130,11 +130,11 @@ function node_tokens($type, $tokens, arr break; case 'name': - $replacements[$original] = $sanitize ? check_plain($node->name) : $node->name; + $replacements[$original] = $sanitize ? htmlspecialchars($node->name, ENT_QUOTES) : $node->name; break; case 'title': - $replacements[$original] = $sanitize ? check_plain($node->title) : $node->title; + $replacements[$original] = $sanitize ? htmlspecialchars($node->title, ENT_QUOTES) : $node->title; break; case 'body': 
@@ -150,16 +150,16 @@ function node_tokens($type, $tokens, arr break; case 'type': - $replacements[$original] = $sanitize ? check_plain($node->type) : $node->type; + $replacements[$original] = $sanitize ? htmlspecialchars($node->type, ENT_QUOTES) : $node->type; break; case 'type-name': $type_name = node_get_types('name', $node->type); - $replacements[$original] = $sanitize ? check_plain($type_name) : $type_name; + $replacements[$original] = $sanitize ? htmlspecialchars($type_name, ENT_QUOTES) : $type_name; break; case 'language': - $replacements[$original] = $sanitize ? check_plain($node->language) : $node->language; + $replacements[$original] = $sanitize ? htmlspecialchars($node->language, ENT_QUOTES) : $node->language; break; case 'url': Index: modules/openid/openid.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/openid/openid.pages.inc,v retrieving revision 1.19 diff -u -p -r1.19 openid.pages.inc --- modules/openid/openid.pages.inc 29 Jul 2009 06:39:34 -0000 1.19 +++ modules/openid/openid.pages.inc 24 Aug 2009 01:30:42 -0000 @@ -50,7 +50,7 @@ function openid_user_identities($account $result = db_query("SELECT * FROM {authmap} WHERE module='openid' AND uid=:uid", array(':uid' => $account->uid)); foreach ($result as $identity) { - $rows[] = array(check_plain($identity->authname), l(t('Delete'), 'user/' . $account->uid . '/openid/delete/' . $identity->aid)); + $rows[] = array(htmlspecialchars($identity->authname, ENT_QUOTES), l(t('Delete'), 'user/' . $account->uid . '/openid/delete/' . $identity->aid)); } $build['openid_table'] = array( Index: modules/poll/poll.module =================================================================== RCS file: /cvs/drupal/drupal/modules/poll/poll.module,v retrieving revision 1.310 diff -u -p -r1.310 poll.module --- modules/poll/poll.module 24 Aug 2009 00:14:21 -0000 1.310 +++ modules/poll/poll.module 24 Aug 2009 01:30:53 -0000 
@@ -224,7 +224,7 @@ function poll_form($node, $form_state) { $form['title'] = array( '#type' => 'textfield', - '#title' => check_plain($type->title_label), + '#title' => htmlspecialchars($type->title_label, ENT_QUOTES), '#required' => TRUE, '#default_value' => $node->title, '#weight' => -5, @@ -614,7 +614,7 @@ function poll_teaser($node) { if (is_array($node->choice)) { foreach ($node->choice as $k => $choice) { if ($choice['chtext'] != '') { - $teaser .= '* ' . check_plain($choice['chtext']) . "\n"; + $teaser .= '* ' . htmlspecialchars($choice['chtext'], ENT_QUOTES) . "\n"; } } } @@ -632,7 +632,7 @@ function poll_view_voting(&$form_state, if ($node->choice) { $list = array(); foreach ($node->choice as $i => $choice) { - $list[$i] = check_plain($choice['chtext']); + $list[$i] = htmlspecialchars($choice['chtext'], ENT_QUOTES); } $form['choice'] = array( '#type' => 'radios', @@ -706,7 +706,7 @@ function poll_vote($form, &$form_state) function template_preprocess_poll_vote(&$variables) { $form = $variables['form']; $variables['choice'] = drupal_render($form['choice']); - $variables['title'] = check_plain($form['#node']->title); + $variables['title'] = htmlspecialchars($form['#node']->title, ENT_QUOTES); $variables['vote'] = drupal_render($form['vote']); $variables['rest'] = drupal_render_children($form); $variables['block'] = $form['#block']; @@ -806,7 +806,7 @@ function template_preprocess_poll_result if (isset($variables['vote']) && $variables['vote'] > -1 && user_access('cancel own vote')) { $variables['cancel_form'] = drupal_render(drupal_get_form('poll_cancel_form', $variables['nid'])); } - $variables['title'] = check_plain($variables['raw_title']); + $variables['title'] = htmlspecialchars($variables['raw_title'], ENT_QUOTES); // If this is a block, allow a different tpl.php to be used. if ($variables['block']) { 
@@ -827,7 +827,7 @@ function template_preprocess_poll_bar(&$ if ($variables['block']) { $variables['template_files'][] = 'poll-bar-block'; } - $variables['title'] = check_plain($variables['title']); + $variables['title'] = htmlspecialchars($variables['title'], ENT_QUOTES); $variables['percentage'] = round($variables['votes'] * 100 / max($variables['total_votes'], 1)); } Index: modules/poll/poll.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/poll/poll.pages.inc,v retrieving revision 1.20 diff -u -p -r1.20 poll.pages.inc --- modules/poll/poll.pages.inc 29 Jul 2009 06:39:34 -0000 1.20 +++ modules/poll/poll.pages.inc 24 Aug 2009 01:31:02 -0000 @@ -72,8 +72,8 @@ function poll_votes($node) { $rows = array(); foreach ($queried_votes as $vote) { $rows[] = array( - $vote->name ? theme('username', $vote) : check_plain($vote->hostname), - check_plain($vote->chtext), + $vote->name ? theme('username', $vote) : htmlspecialchars($vote->hostname, ENT_QUOTES), + htmlspecialchars($vote->chtext, ENT_QUOTES), format_date($vote->timestamp), ); } Index: modules/profile/profile.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/profile/profile.admin.inc,v retrieving revision 1.29 diff -u -p -r1.29 profile.admin.inc --- modules/profile/profile.admin.inc 22 Aug 2009 14:34:21 -0000 1.29 +++ modules/profile/profile.admin.inc 24 Aug 2009 01:31:09 -0000 
@@ -22,8 +22,8 @@ function profile_admin_overview() { $categories[] = $field->category; // Save all field information - $form[$field->fid]['name'] = array('#markup' => check_plain($field->name)); - $form[$field->fid]['title'] = array('#markup' => check_plain($field->title)); + $form[$field->fid]['name'] = array('#markup' => htmlspecialchars($field->name, ENT_QUOTES)); + $form[$field->fid]['title'] = array('#markup' => htmlspecialchars($field->title, ENT_QUOTES)); $form[$field->fid]['type'] = array('#markup' => $field->type); $form[$field->fid]['category'] = array('#type' => 'select', '#default_value' => $field->category, '#options' => array()); $form[$field->fid]['weight'] = array('#type' => 'weight', '#default_value' => $field->weight); @@ -422,7 +422,7 @@ function profile_admin_settings_autocomp $matches = array(); $result = db_query_range("SELECT category FROM {profile_field} WHERE LOWER(category) LIKE LOWER(:category)", array(':category' => $string . '%'), 0, 10); foreach ($result as $data) { - $matches[$data->category] = check_plain($data->category); + $matches[$data->category] = htmlspecialchars($data->category, ENT_QUOTES); } drupal_json($matches); } Index: modules/profile/profile.module =================================================================== RCS file: /cvs/drupal/drupal/modules/profile/profile.module,v retrieving revision 1.271 diff -u -p -r1.271 profile.module --- modules/profile/profile.module 24 Aug 2009 00:14:21 -0000 1.271 +++ modules/profile/profile.module 24 Aug 2009 01:31:24 -0000 
@@ -149,7 +149,7 @@ function profile_block_configure($delta $fields = array(); $result = db_query('SELECT name, title, weight, visibility FROM {profile_field} WHERE visibility IN (:visibility) ORDER BY weight', array(':visibility' => array(PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS))); foreach ($result as $record) { - $fields[$record->name] = check_plain($record->title); + $fields[$record->name] = htmlspecialchars($record->title, ENT_QUOTES); } $fields['user_profile'] = t('Link to full user profile'); $form['profile_block_author_fields'] = array( @@ -295,11 +295,11 @@ function profile_view_field($account, $f return check_markup($value); case 'textfield': case 'selection': - return $browse ? l($value, 'profile/' . $field->name . '/' . $value) : check_plain($value); + return $browse ? l($value, 'profile/' . $field->name . '/' . $value) : htmlspecialchars($value, ENT_QUOTES); case 'checkbox': - return $browse ? l($field->title, 'profile/' . $field->name) : check_plain($field->title); + return $browse ? l($field->title, 'profile/' . $field->name) : htmlspecialchars($field->title, ENT_QUOTES); case 'url': - return '' . check_plain($value) . ''; + return '' . htmlspecialchars($value, ENT_QUOTES) . ''; case 'date': $format = substr(variable_get('date_format_short', 'm/d/Y - H:i'), 0, 5); // Note: Avoid PHP's date() because it does not handle dates before @@ -320,7 +320,7 @@ function profile_view_field($account, $f $fields = array(); foreach ($values as $value) { if ($value = trim($value)) { - $fields[] = $browse ? l($value, 'profile/' . $field->name . '/' . $value) : check_plain($value); + $fields[] = $browse ? l($value, 'profile/' . $field->name . '/' . $value) : htmlspecialchars($value, ENT_QUOTES); } } return implode(', ', $fields); 
@@ -343,7 +343,7 @@ function profile_user_view($account) { $fields = array(); foreach ($result as $field) { if ($value = profile_view_field($account, $field)) { - $title = ($field->type != 'checkbox') ? check_plain($field->title) : NULL; + $title = ($field->type != 'checkbox') ? htmlspecialchars($field->title, ENT_QUOTES) : NULL; // Create a single fieldset for each category. if (!isset($account->content[$field->category])) { @@ -385,13 +385,13 @@ function profile_form_profile($edit, $ac foreach ($result as $field) { $category = $field->category; if (!isset($fields[$category])) { - $fields[$category] = array('#type' => 'fieldset', '#title' => check_plain($category), '#weight' => $weight++); + $fields[$category] = array('#type' => 'fieldset', '#title' => htmlspecialchars($category, ENT_QUOTES), '#weight' => $weight++); } switch ($field->type) { case 'textfield': case 'url': $fields[$category][$field->name] = array('#type' => 'textfield', - '#title' => check_plain($field->title), + '#title' => htmlspecialchars($field->title, ENT_QUOTES), '#default_value' => isset($edit[$field->name]) ? $edit[$field->name] : '', '#maxlength' => 255, '#description' => _profile_form_explanation($field), @@ -403,7 +403,7 @@ function profile_form_profile($edit, $ac break; case 'textarea': $fields[$category][$field->name] = array('#type' => 'textarea', - '#title' => check_plain($field->title), + '#title' => htmlspecialchars($field->title, ENT_QUOTES), '#default_value' => isset($edit[$field->name]) ? $edit[$field->name] : '', '#description' => _profile_form_explanation($field), '#required' => $field->required, 
@@ -411,7 +411,7 @@ function profile_form_profile($edit, $ac break; case 'list': $fields[$category][$field->name] = array('#type' => 'textarea', - '#title' => check_plain($field->title), + '#title' => htmlspecialchars($field->title, ENT_QUOTES), '#default_value' => isset($edit[$field->name]) ? $edit[$field->name] : '', '#description' => _profile_form_explanation($field), '#required' => $field->required, @@ -419,7 +419,7 @@ function profile_form_profile($edit, $ac break; case 'checkbox': $fields[$category][$field->name] = array('#type' => 'checkbox', - '#title' => check_plain($field->title), + '#title' => htmlspecialchars($field->title, ENT_QUOTES), '#default_value' => isset($edit[$field->name]) ? $edit[$field->name] : '', '#description' => _profile_form_explanation($field), '#required' => $field->required, @@ -434,7 +434,7 @@ function profile_form_profile($edit, $ac } } $fields[$category][$field->name] = array('#type' => 'select', - '#title' => check_plain($field->title), + '#title' => htmlspecialchars($field->title, ENT_QUOTES), '#default_value' => isset($edit[$field->name]) ? $edit[$field->name] : '', '#options' => $options, '#description' => _profile_form_explanation($field), @@ -443,7 +443,7 @@ function profile_form_profile($edit, $ac break; case 'date': $fields[$category][$field->name] = array('#type' => 'date', - '#title' => check_plain($field->title), + '#title' => htmlspecialchars($field->title, ENT_QUOTES), '#default_value' => isset($edit[$field->name]) ? $edit[$field->name] : '', '#description' => _profile_form_explanation($field), '#required' => $field->required, 
@@ -534,7 +534,7 @@ function template_preprocess_profile_blo // Supply filtered version of $fields that have values. foreach ($variables['fields'] as $field) { if ($field->value) { - $variables['profile'][$field->name]->title = check_plain($field->title); + $variables['profile'][$field->name]->title = htmlspecialchars($field->title, ENT_QUOTES); $variables['profile'][$field->name]->value = $field->value; $variables['profile'][$field->name]->type = $field->type; } Index: modules/profile/profile.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/profile/profile.pages.inc,v retrieving revision 1.18 diff -u -p -r1.18 profile.pages.inc --- modules/profile/profile.pages.inc 26 May 2009 10:41:06 -0000 1.18 +++ modules/profile/profile.pages.inc 24 Aug 2009 01:31:46 -0000 @@ -77,10 +77,10 @@ function profile_browse() { $output .= theme('pager', NULL); if ($field->type == 'selection' || $field->type == 'list' || $field->type == 'textfield') { - $title = strtr(check_plain($field->page), array('%value' => theme('placeholder', $value))); + $title = strtr(htmlspecialchars($field->page, ENT_QUOTES), array('%value' => theme('placeholder', $value))); } else { - $title = check_plain($field->page); + $title = htmlspecialchars($field->page, ENT_QUOTES); } drupal_set_title($title, PASS_THROUGH); 
@@ -130,7 +130,7 @@ function profile_autocomplete($field, $s ':value' => $string . '%', ), 0, 10)->fetchCol(); foreach ($values as $value) { - $matches[$value] = check_plain($value); + $matches[$value] = htmlspecialchars($value, ENT_QUOTES); } } Index: modules/search/search-block-form.tpl.php =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search-block-form.tpl.php,v retrieving revision 1.3 diff -u -p -r1.3 search-block-form.tpl.php --- modules/search/search-block-form.tpl.php 30 Dec 2008 16:43:18 -0000 1.3 +++ modules/search/search-block-form.tpl.php 24 Aug 2009 01:31:56 -0000 @@ -28,7 +28,7 @@ * * To check for all available data within $search, use the code below. * - * '. check_plain(print_r($search, 1)) .''; ?> + * '. htmlspecialchars(print_r($search, 1), ENT_QUOTES) .''; ?> * * @see template_preprocess_search_block_form() */ Index: modules/search/search-result.tpl.php =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search-result.tpl.php,v retrieving revision 1.4 diff -u -p -r1.4 search-result.tpl.php --- modules/search/search-result.tpl.php 30 Dec 2008 16:43:18 -0000 1.4 +++ modules/search/search-result.tpl.php 24 Aug 2009 01:32:04 -0000 @@ -41,7 +41,7 @@ * * To check for all available data within $info_split, use the code below. * - * '. check_plain(print_r($info_split, 1)) .''; ?> + * '. htmlspecialchars(print_r($info_split, 1), ENT_QUOTES) .''; ?> * * @see template_preprocess_search_result() */ Index: modules/search/search-theme-form.tpl.php =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search-theme-form.tpl.php,v retrieving revision 1.3 diff -u -p -r1.3 search-theme-form.tpl.php --- modules/search/search-theme-form.tpl.php 30 Dec 2008 16:43:18 -0000 1.3 +++ modules/search/search-theme-form.tpl.php 24 Aug 2009 01:32:09 -0000 
@@ -28,7 +28,7 @@ * * To check for all available data within $search, use the code below. * - * '. check_plain(print_r($search, 1)) .''; ?> + * '. htmlspecialchars(print_r($search, 1), ENT_QUOTES) .''; ?> * * @see template_preprocess_search_theme_form() */ Index: modules/search/search.api.php =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search.api.php,v retrieving revision 1.11 diff -u -p -r1.11 search.api.php --- modules/search/search.api.php 22 Jun 2009 09:10:06 -0000 1.11 +++ modules/search/search.api.php 24 Aug 2009 01:32:23 -0000 @@ -183,7 +183,7 @@ function hook_search($op = 'search', $ke $results[] = array( 'link' => url('node/' . $item->sid, array('absolute' => TRUE)), - 'type' => check_plain(node_type_get_name($node)), + 'type' => htmlspecialchars(node_type_get_name($node), ENT_QUOTES), 'title' => $node->title, 'user' => theme('username', $node), 'date' => $node->changed, @@ -259,7 +259,7 @@ function hook_update_index() { $node = node_build_content($node, 'search_index'); $node->rendered = drupal_render($node->content); - $text = '

    ' . check_plain($node->title) . '

    ' . $node->rendered; + $text = '

    ' . htmlspecialchars($node->title, ENT_QUOTES) . '

    ' . $node->rendered; // Fetch extra data normally not visible $extra = module_invoke_all('node_update_index', $node); Index: modules/search/search.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search.pages.inc,v retrieving revision 1.10 diff -u -p -r1.10 search.pages.inc --- modules/search/search.pages.inc 29 Jul 2009 06:39:34 -0000 1.10 +++ modules/search/search.pages.inc 24 Aug 2009 01:32:29 -0000 @@ -92,11 +92,11 @@ function template_preprocess_search_resu function template_preprocess_search_result(&$variables) { $result = $variables['result']; $variables['url'] = check_url($result['link']); - $variables['title'] = check_plain($result['title']); + $variables['title'] = htmlspecialchars($result['title'], ENT_QUOTES); $info = array(); if (!empty($result['type'])) { - $info['type'] = check_plain($result['type']); + $info['type'] = htmlspecialchars($result['type'], ENT_QUOTES); } if (!empty($result['user'])) { $info['user'] = $result['user']; Index: modules/search/search.test =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search.test,v retrieving revision 1.30 diff -u -p -r1.30 search.test --- modules/search/search.test 22 Aug 2009 00:58:54 -0000 1.30 +++ modules/search/search.test 24 Aug 2009 01:32:42 -0000 @@ -459,7 +459,7 @@ class SearchCommentTestCase extends Drup $comment_body = $this->randomName(5); variable_set('comment_preview_article', COMMENT_PREVIEW_OPTIONAL); - // Enable check_plain() for 'Filtered HTML' text format. + // Enable htmlspecialchars() for 'Filtered HTML' text format. $edit = array( 'filters[filter/filter_html_escape]' => 1, ); 
@@ -502,7 +502,7 @@ class SearchCommentTestCase extends Drup $this->assertText($edit_comment['subject'], t('Comment subject found in search results.')); $this->assertText($comment_body, t('Comment body text found in search results.')); $this->assertNoRaw(t('n/a'), t('HTML in comment body is not hidden.')); - $this->assertNoRaw(check_plain($edit_comment['comment']), t('HTML in comment body is not escaped.')); + $this->assertNoRaw(htmlspecialchars($edit_comment['comment'], ENT_QUOTES), t('HTML in comment body is not escaped.')); // Hide comments. $this->drupalLogin($this->admin_user); Index: modules/simpletest/drupal_web_test_case.php =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/drupal_web_test_case.php,v retrieving revision 1.144 diff -u -p -r1.144 drupal_web_test_case.php --- modules/simpletest/drupal_web_test_case.php 24 Aug 2009 00:14:21 -0000 1.144 +++ modules/simpletest/drupal_web_test_case.php 24 Aug 2009 01:32:52 -0000 @@ -1971,7 +1971,7 @@ class DrupalWebTestCase extends DrupalTe */ protected function assertRaw($raw, $message = '', $group = 'Other') { if (!$message) { - $message = t('Raw "@raw" found', array('@raw' => check_plain($raw))); + $message = t('Raw "@raw" found', array('@raw' => htmlspecialchars($raw, ENT_QUOTES))); } return $this->assert(strpos($this->content, $raw) !== FALSE, $message, $group); } 
@@ -1991,7 +1991,7 @@ class DrupalWebTestCase extends DrupalTe */ protected function assertNoRaw($raw, $message = '', $group = 'Other') { if (!$message) { - $message = t('Raw "@raw" not found', array('@raw' => check_plain($raw))); + $message = t('Raw "@raw" not found', array('@raw' => htmlspecialchars($raw, ENT_QUOTES))); } return $this->assert(strpos($this->content, $raw) === FALSE, $message, $group); } Index: modules/simpletest/tests/field_test.module =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/field_test.module,v retrieving revision 1.16 diff -u -p -r1.16 field_test.module --- modules/simpletest/tests/field_test.module 22 Aug 2009 00:58:54 -0000 1.16 +++ modules/simpletest/tests/field_test.module 24 Aug 2009 01:32:56 -0000 @@ -418,7 +418,7 @@ function field_test_field_validate($obj_ */ function field_test_field_sanitize($obj_type, $object, $field, $instance, $langcode, &$items) { foreach ($items as $delta => $item) { - $value = check_plain($item['value']); + $value = htmlspecialchars($item['value'], ENT_QUOTES); $items[$delta]['safe'] = $value; } } Index: modules/simpletest/tests/form_test.module =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/form_test.module,v retrieving revision 1.8 diff -u -p -r1.8 form_test.module --- modules/simpletest/tests/form_test.module 17 Aug 2009 07:12:16 -0000 1.8 +++ modules/simpletest/tests/form_test.module 24 Aug 2009 01:33:02 -0000 
@@ -360,7 +360,7 @@ function form_storage_test_form_submit($ $form_state['storage']['thing']['value'] = $form_state['values']['value']; } else { - drupal_set_message("Title: ". check_plain($form_state['storage']['thing']['title'])); + drupal_set_message("Title: ". htmlspecialchars($form_state['storage']['thing']['title'], ENT_QUOTES)); } $form_state['storage']['step']++; drupal_set_message("Form constructions: ". $_SESSION['constructions']); Index: modules/statistics/statistics.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/statistics/statistics.admin.inc,v retrieving revision 1.29 diff -u -p -r1.29 statistics.admin.inc --- modules/statistics/statistics.admin.inc 22 Aug 2009 14:34:21 -0000 1.29 +++ modules/statistics/statistics.admin.inc 24 Aug 2009 01:33:24 -0000 @@ -209,7 +209,7 @@ function statistics_access_log($aid) { array('data' => t('URL'), 'header' => TRUE), l(url($access->path, array('absolute' => TRUE)), $access->path) ); - // It is safe to avoid filtering $access->title through check_plain because + // It is safe to avoid filtering $access->title through htmlspecialchars() because // it comes from drupal_get_title(). $rows[] = array( array('data' => t('Title'), 'header' => TRUE), @@ -229,7 +229,7 @@ function statistics_access_log($aid) { ); $rows[] = array( array('data' => t('Hostname'), 'header' => TRUE), - check_plain($access->hostname) + htmlspecialchars($access->hostname, ENT_QUOTES), ); $build['statistics_table'] = array( Index: modules/system/system.install =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.install,v retrieving revision 1.379 diff -u -p -r1.379 system.install --- modules/system/system.install 24 Aug 2009 00:14:22 -0000 1.379 +++ modules/system/system.install 24 Aug 2009 01:33:31 -0000 
@@ -1570,7 +1570,7 @@ function system_update_7003() { $ret[] = update_sql("INSERT INTO {blocked_ips} (ip) VALUES ('$blocked->mask')"); } else { - $invalid_host = check_plain($blocked->mask); + $invalid_host = htmlspecialchars($blocked->mask, ENT_QUOTES); $ret[] = array('success' => TRUE, 'query' => 'The host ' . $invalid_host . ' is no longer blocked because it is not a valid IP address.'); } } @@ -1917,7 +1917,7 @@ function system_update_7013() { $timezone = 'UTC'; } variable_set('date_default_timezone', $timezone); - drupal_set_message('The default time zone has been set to ' . check_plain($timezone) . '. Please check the ' . l('date and time configuration page', 'admin/config/regional/settings') . ' to configure it correctly.', 'warning'); + drupal_set_message('The default time zone has been set to ' . htmlspecialchars($timezone, ENT_QUOTES) . '. Please check the ' . l('date and time configuration page', 'admin/config/regional/settings') . ' to configure it correctly.', 'warning'); return $ret; } Index: modules/system/system.module =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.module,v retrieving revision 1.766 diff -u -p -r1.766 system.module --- modules/system/system.module 24 Aug 2009 00:14:22 -0000 1.766 +++ modules/system/system.module 24 Aug 2009 01:33:43 -0000 @@ -19,7 +19,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '7.x /** * Minimum supported version of PHP. */ -define('DRUPAL_MINIMUM_PHP', '5.2.0'); +define('DRUPAL_MINIMUM_PHP', '5.2.5'); /** * Minimum recommended value of PHP memory_limit. 
@@ -2256,7 +2256,7 @@ function _system_sort_requirements($a, $ * Note - if the parameters $question, $description, $yes, or $no could contain * any user input (such as node titles or taxonomy terms), it is the * responsibility of the code calling confirm_form() to sanitize them first with - * a function like check_plain() or filter_xss(). + * a function like htmlspecialchars() or filter_xss(). * * @ingroup forms * @param $form @@ -2722,7 +2722,7 @@ function system_actions_delete_form_subm $aid = $form_state['values']['aid']; $action = actions_load($aid); actions_delete($aid); - $description = check_plain($action->description); + $description = htmlspecialchars($action->description, ENT_QUOTES); watchdog('user', 'Deleted action %aid (%action)', array('%aid' => $aid, '%action' => $description)); drupal_set_message(t('Action %action was deleted', array('%action' => $description))); $form_state['redirect'] = 'admin/settings/actions/manage'; Index: modules/system/system.test =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.test,v retrieving revision 1.71 diff -u -p -r1.71 system.test --- modules/system/system.test 23 Aug 2009 13:02:38 -0000 1.71 +++ modules/system/system.test 24 Aug 2009 01:34:17 -0000 @@ -838,7 +838,7 @@ class PageTitleFiltering extends DrupalW $node = $this->drupalGetNodeByTitle($edit['title']); $this->assertNotNull($node, 'Node created and found in database'); $this->drupalGet("node/" . $node->nid); - $this->assertText(check_plain($edit['title']), 'Check to make sure tags in the node title are converted.'); + $this->assertText(htmlspecialchars($edit['title'], ENT_QUOTES), 'Check to make sure tags in the node title are converted.'); } } 
@@ -1221,10 +1221,10 @@ class TokenReplaceTestCase extends Drupa $source .= '[date:small]'; // Small date format of REQUEST_TIME $source .= '[bogus:token]'; // Nonexistent token, should be untouched - $target = check_plain($node->title); - $target .= check_plain($account->name); + $target = htmlspecialchars($node->title, ENT_QUOTES); + $target .= htmlspecialchars($account->name, ENT_QUOTES); $target .= format_interval(REQUEST_TIME - $node->created, 2); - $target .= check_plain($user->name); + $target .= htmlspecialchars($user->name, ENT_QUOTES); $target .= '[user:name]'; $target .= format_date(REQUEST_TIME, 'small'); $target .= '[bogus:token]'; @@ -1239,7 +1239,7 @@ class TokenReplaceTestCase extends Drupa $raw_tokens = array('title' => '[node:title]'); $generated = token_generate('node', $raw_tokens, array('node' => $node)); - $this->assertFalse(strcmp($generated['[node:title]'], check_plain($node->title)), t('Token sanitized.')); + $this->assertFalse(strcmp($generated['[node:title]'], htmlspecialchars($node->title, ENT_QUOTES)), t('Token sanitized.')); $generated = token_generate('node', $raw_tokens, array('node' => $node), array('sanitize' => FALSE)); $this->assertFalse(strcmp($generated['[node:title]'], $node->title), t('Unsanitized token generated properly.')); Index: modules/system/system.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.tokens.inc,v retrieving revision 1.1 diff -u -p -r1.1 system.tokens.inc --- modules/system/system.tokens.inc 19 Aug 2009 20:19:37 -0000 1.1 +++ modules/system/system.tokens.inc 24 Aug 2009 01:34:25 -0000 
@@ -160,12 +160,12 @@ function system_tokens($type, $tokens, a switch ($name) { case 'name': $site_name = variable_get('site_name', 'Drupal'); - $replacements[$original] = $sanitize ? check_plain($site_name) : $site_name; + $replacements[$original] = $sanitize ? htmlspecialchars($site_name, ENT_QUOTES) : $site_name; break; case 'slogan': $slogan = variable_get('site_slogan', ''); - $replacements[$original] = $sanitize ? check_plain($slogan) : $slogan; + $replacements[$original] = $sanitize ? htmlspecialchars($slogan, ENT_QUOTES) : $slogan; break; case 'mission': @@ -248,7 +248,7 @@ function system_tokens($type, $tokens, a // Essential file data case 'name': - $replacements[$original] = $sanitize ? check_plain($file->filename) : $file->filename; + $replacements[$original] = $sanitize ? htmlspecialchars($file->filename, ENT_QUOTES) : $file->filename; break; case 'description': Index: modules/taxonomy/taxonomy.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.admin.inc,v retrieving revision 1.66 diff -u -p -r1.66 taxonomy.admin.inc --- modules/taxonomy/taxonomy.admin.inc 23 Aug 2009 01:05:12 -0000 1.66 +++ modules/taxonomy/taxonomy.admin.inc 24 Aug 2009 01:34:33 -0000 
@@ -20,10 +20,10 @@ function taxonomy_overview_vocabularies( $types = array(); foreach ($vocabulary->nodes as $type) { $node_type = node_type_get_name($type); - $types[] = $node_type ? check_plain($node_type) : check_plain($type); + $types[] = $node_type ? htmlspecialchars($node_type, ENT_QUOTES) : htmlspecialchars($type, ENT_QUOTES); } $form[$vocabulary->vid]['#vocabulary'] = $vocabulary; - $form[$vocabulary->vid]['name'] = array('#markup' => check_plain($vocabulary->name)); + $form[$vocabulary->vid]['name'] = array('#markup' => htmlspecialchars($vocabulary->name, ENT_QUOTES)); $form[$vocabulary->vid]['types'] = array('#markup' => implode(', ', $types)); $form[$vocabulary->vid]['weight'] = array('#type' => 'weight', '#delta' => 10, '#default_value' => $vocabulary->weight); $form[$vocabulary->vid]['edit'] = array('#markup' => l(t('edit vocabulary'), "admin/structure/taxonomy/$vocabulary->vid")); Index: modules/taxonomy/taxonomy.module =================================================================== RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.module,v retrieving revision 1.503 diff -u -p -r1.503 taxonomy.module --- modules/taxonomy/taxonomy.module 24 Aug 2009 00:14:22 -0000 1.503 +++ modules/taxonomy/taxonomy.module 24 Aug 2009 01:34:47 -0000 @@ -307,7 +307,7 @@ function taxonomy_menu() { * Return the vocabulary name given the vocabulary object. */ function taxonomy_admin_vocabulary_title_callback($vocabulary) { - return check_plain($vocabulary->name); + return htmlspecialchars($vocabulary->name, ENT_QUOTES); } /** 
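Review bot: The ternary in taxonomy_overview_vocabularies() now repeats the whole escaping call on both branches, `$types[] = $node_type ? htmlspecialchars($node_type, ENT_QUOTES) : htmlspecialchars($type, ENT_QUOTES);`, although the branches only choose the input. Writing it as `$types[] = htmlspecialchars($node_type ? $node_type : $type, ENT_QUOTES);` says the same thing once and leaves a single call to adjust if the escaping arguments change. The function's body continues outside the hunk.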
@@ -605,7 +605,7 @@ function taxonomy_terms_static_reset() { * @param $help * Optional help text to use for the form element. If specified, this value * MUST be properly sanitized and filtered (e.g. with filter_xss_admin() or - * check_plain() if it is user-supplied) to prevent XSS vulnerabilities. If + * htmlspecialchars() if it is user-supplied) to prevent XSS vulnerabilities. If * omitted, the help text stored with the vocaulary (if any) will be used. * @return * An array describing a form element to select terms for a vocabulary. @@ -624,7 +624,7 @@ function taxonomy_form($vid, $value = 0, $blank = ($vocabulary->required) ? 0 : t('- None -'); } - return _taxonomy_term_select(check_plain($vocabulary->name), $value, $vid, $help, intval($vocabulary->multiple), $blank); + return _taxonomy_term_select(htmlspecialchars($vocabulary->name, ENT_QUOTES), $value, $vid, $help, intval($vocabulary->multiple), $blank); } /** @@ -2130,7 +2130,7 @@ function _taxonomy_clean_field_cache($te * The term name to be used as the page title. */ function taxonomy_term_title($term) { - return check_plain($term->name); + return htmlspecialchars($term->name, ENT_QUOTES); } /** Index: modules/taxonomy/taxonomy.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.tokens.inc,v retrieving revision 1.1 diff -u -p -r1.1 taxonomy.tokens.inc --- modules/taxonomy/taxonomy.tokens.inc 19 Aug 2009 20:19:37 -0000 1.1 +++ modules/taxonomy/taxonomy.tokens.inc 24 Aug 2009 01:35:05 -0000 @@ -111,7 +111,7 @@ function taxonomy_tokens($type, $tokens, break; case 'name': - $replacements[$original] = $sanitize ? check_plain($term->name) : $term->name; + $replacements[$original] = $sanitize ? htmlspecialchars($term->name, ENT_QUOTES) : $term->name; break; case 'description': 
@@ -130,13 +130,13 @@ function taxonomy_tokens($type, $tokens,
 case 'vocabulary':
 $vocabulary = taxonomy_vocabulary_load($term->vid);
- $replacements[$original] = check_plain($vocabulary->name);
+ $replacements[$original] = htmlspecialchars($vocabulary->name, ENT_QUOTES);
 break;
 case 'parent':
 $parents = taxonomy_get_parents($term->tid);
 $parent = array_pop($parents);
- $replacements[$original] = check_plain($parent->name);
+ $replacements[$original] = htmlspecialchars($parent->name, ENT_QUOTES);
 break;
 }
 }
@@ -163,7 +163,7 @@ function taxonomy_tokens($type, $tokens,
 break;
 case 'name':
- $replacements[$original] = $sanitize ? check_plain($vocabulary->name) : $vocabulary->name;
+ $replacements[$original] = $sanitize ? htmlspecialchars($vocabulary->name, ENT_QUOTES) : $vocabulary->name;
 break;
 case 'description':
Index: modules/tracker/tracker.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/tracker/tracker.pages.inc,v
retrieving revision 1.23
diff -u -p -r1.23 tracker.pages.inc
--- modules/tracker/tracker.pages.inc 22 Aug 2009 14:34:23 -0000 1.23
+++ modules/tracker/tracker.pages.inc 24 Aug 2009 01:35:12 -0000
@@ -56,7 +56,7 @@ function tracker_page($account = NULL, $
 }
 $rows[] = array(
- check_plain(node_type_get_name($node->type)),
+ htmlspecialchars(node_type_get_name($node->type), ENT_QUOTES),
 l($node->title, "node/$node->nid") . ' ' . theme('mark', node_mark($node->nid, $node->changed)),
 theme('username', $node),
 array('class' => array('replies'), 'data' => $comments),
Index: modules/trigger/trigger.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/trigger/trigger.admin.inc,v
retrieving revision 1.15
diff -u -p -r1.15 trigger.admin.inc
--- modules/trigger/trigger.admin.inc 22 Aug 2009 15:35:36 -0000 1.15
+++ modules/trigger/trigger.admin.inc 24 Aug 2009 01:35:20 -0000
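Review bot: In the `vocabulary` and `parent` cases the replacement is escaped unconditionally, whereas the `name` cases in the neighbouring hunks honour `$sanitize`; callers that request unsanitized output for a plain-text context therefore still receive HTML entities for these two tokens. Each should follow the same pattern, e.g. `$replacements[$original] = $sanitize ? htmlspecialchars($vocabulary->name, ENT_QUOTES) : $vocabulary->name;`. Separately, `array_pop($parents)` yields NULL for a term with no parents, so `$parent->name` on the changed line reads a property off NULL; guarding the assignment, `if ($parent = array_pop($parents)) {`, avoids that. Neither is introduced by this patch, but both sit on lines it touches. taxonomy_tokens() starts before this hunk and continues past it.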
@@ -87,7 +87,7 @@ function trigger_unassign_submit($form,
 ->condition('aid', $aid)
 ->execute();
 $actions = actions_get_all_actions();
- watchdog('actions', 'Action %action has been unassigned.', array('%action' => check_plain($actions[$aid]['description'])));
+ watchdog('actions', 'Action %action has been unassigned.', array('%action' => htmlspecialchars($actions[$aid]['description'], ENT_QUOTES)));
 drupal_set_message(t('Action %action has been unassigned.', array('%action' => $actions[$aid]['description'])));
 $hook = $form_values['hook'] == 'node' ? 'node' : $form_values['hook'];
 $form_state['redirect'] = 'admin/structure/trigger/' . $hook;
Index: modules/update/update.report.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/update/update.report.inc,v
retrieving revision 1.20
diff -u -p -r1.20 update.report.inc
--- modules/update/update.report.inc 24 Aug 2009 00:42:34 -0000 1.20
+++ modules/update/update.report.inc 24 Aug 2009 01:35:29 -0000
@@ -84,7 +84,7 @@ function theme_update_report($data) {
 $row .= '' . t('Up to date') . '';
 break;
 default:
- $row .= check_plain($project['reason']);
+ $row .= htmlspecialchars($project['reason'], ENT_QUOTES);
 break;
 }
 $row .= '' . $icon . '';
@@ -96,13 +96,13 @@ function theme_update_report($data) {
 $row .= l($project['title'], $project['link']);
 }
 else {
- $row .= check_plain($project['title']);
+ $row .= htmlspecialchars($project['title'], ENT_QUOTES);
 }
 }
 else {
- $row .= check_plain($project['name']);
+ $row .= htmlspecialchars($project['name'], ENT_QUOTES);
 }
- $row .= ' ' . check_plain($project['existing_version']);
+ $row .= ' ' . htmlspecialchars($project['existing_version'], ENT_QUOTES);
 if ($project['install_type'] == 'dev' && !empty($project['datestamp'])) {
 $row .= ' (' . format_date($project['datestamp'], 'custom', 'Y-M-d') . ')';
 }
@@ -171,7 +171,7 @@ function theme_update_report($data) {
 $row .= '
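Review bot: The new watchdog() line escapes `$actions[$aid]['description']` before handing it to a `%action` placeholder; if watchdog() formats its message with the same placeholder handling as t(), where `%` values are escaped at render time, the description is double-encoded in the log entry (a `&` in an action description would be logged as `&amp;amp;`). The drupal_set_message() call directly below passes the raw value, which is the consistent form: `array('%action' => $actions[$aid]['description'])`. This was already true of the check_plain() version, so it is not a regression, but the line is being touched anyway. trigger_unassign_submit() starts before this hunk.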
    ' . "\n";
 foreach ($project['extra'] as $key => $value) {
 $row .= '
    ';
- $row .= check_plain($value['label']) . ': ';
+ $row .= htmlspecialchars($value['label'], ENT_QUOTES) . ': ';
 $row .= theme('placeholder', $value['data']);
 $row .= "
    \n";
 }
Index: modules/user/user-picture.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user-picture.tpl.php,v
retrieving revision 1.5
diff -u -p -r1.5 user-picture.tpl.php
--- modules/user/user-picture.tpl.php 6 Aug 2009 05:05:59 -0000 1.5
+++ modules/user/user-picture.tpl.php 24 Aug 2009 01:35:35 -0000
@@ -10,7 +10,7 @@
 * - $user_picture: Image set by the user or the site's default. Will be linked
 * depending on the viewer's permission to view the users profile page.
 * - $account: Array of account information. Potentially unsafe. Be sure to
- * check_plain() before use.
+ * htmlspecialchars() before use.
 *
 * @see template_preprocess_user_picture()
 */
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.1030
diff -u -p -r1.1030 user.module
--- modules/user/user.module 24 Aug 2009 00:14:23 -0000 1.1030
+++ modules/user/user.module 24 Aug 2009 01:36:23 -0000
@@ -1483,7 +1483,7 @@ function user_menu() {
 // 'account' is already handled by the MENU_DEFAULT_LOCAL_TASK.
 if ($category['name'] != 'account') {
 $items['user/%user_category/edit/' . $category['name']] = array(
- 'title callback' => 'check_plain',
+ 'title callback' => 'htmlspecialchars',
 'title arguments' => array($category['title']),
 'page callback' => 'user_edit',
 'page arguments' => array(1, 3),
@@ -2403,7 +2403,7 @@ function user_multiple_cancel_confirm(&$
 // array_filter() returns only elements with TRUE values.
 foreach (array_filter($edit['accounts']) as $uid => $value) {
 $user = db_query('SELECT name FROM {users} WHERE uid = :uid', array(':uid' => $uid))->fetchField();
- $form['accounts'][$uid] = array('#type' => 'hidden', '#value' => $uid, '#prefix' => '
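Review bot: `'title callback' => 'htmlspecialchars'` in the user_menu() hunk is invoked by the menu system with only `$category['title']` as its argument, so unlike every other replacement in this patch it runs without ENT_QUOTES (single quotes are left unescaped, which matters if the title is ever placed in a single-quoted attribute) and without an explicit charset. Appending the flags to `'title arguments'` is not a safe fix, because as far as I recall the menu router substitutes integer title arguments with path components, and ENT_QUOTES is an integer. The callback should instead be a named one-line wrapper in user.module that fixes flags and charset, e.g. returning `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')`, referenced by name in `'title callback'`. user_menu() starts before this hunk and continues past it.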
  • ', '#suffix' => check_plain($user) . "
  • \n"); + $form['accounts'][$uid] = array('#type' => 'hidden', '#value' => $uid, '#prefix' => '
  • ', '#suffix' => htmlspecialchars($user, ENT_QUOTES) . "
  • \n");
 }
 $form['operation'] = array('#type' => 'hidden', '#value' => 'cancel');
Index: modules/user/user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.49
diff -u -p -r1.49 user.pages.inc
--- modules/user/user.pages.inc 23 Aug 2009 04:50:25 -0000 1.49
+++ modules/user/user.pages.inc 24 Aug 2009 01:36:32 -0000
@@ -14,7 +14,7 @@ function user_autocomplete($string = '')
 if ($string) {
 $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER(:name)", array(':name' => $string . '%'), 0, 10);
 foreach ($result as $user) {
- $matches[$user->name] = check_plain($user->name);
+ $matches[$user->name] = htmlspecialchars($user->name, ENT_QUOTES);
 }
 }
@@ -231,7 +231,7 @@ function template_preprocess_user_profil
 * @see user-profile-category.tpl.php
 */
 function template_preprocess_user_profile_category(&$variables) {
- $variables['title'] = check_plain($variables['element']['#title']);
+ $variables['title'] = htmlspecialchars($variables['element']['#title'], ENT_QUOTES);
 $variables['profile_items'] = $variables['element']['#children'];
 $variables['attributes'] = '';
 if (isset($variables['element']['#attributes'])) {
Index: modules/user/user.tokens.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.tokens.inc,v
retrieving revision 1.1
diff -u -p -r1.1 user.tokens.inc
--- modules/user/user.tokens.inc 19 Aug 2009 20:19:37 -0000 1.1
+++ modules/user/user.tokens.inc 24 Aug 2009 01:36:38 -0000
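Review bot: In the user_autocomplete() hunk the LIKE pattern two lines above the change is built as `$string . '%'` without escaping the `%` and `_` wildcards that may already be in `$string`, so a request fragment can match far more than a prefix and the query is no longer the bounded prefix search the code intends; escaping those two characters before concatenation (via the database layer's LIKE-escaping helper, if one exists at this revision) keeps the prefix semantics. The changed line itself looks right: the array key stays the raw name for re-submission while the escaped value is the displayed form. This is pre-existing rather than introduced here. user_autocomplete() starts before this hunk.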
@@ -90,7 +90,7 @@ function user_tokens($type, $tokens, arr
 break;
 case 'mail':
- $replacements[$original] = $sanitize ? check_plain($account->mail) : $account->mail;
+ $replacements[$original] = $sanitize ? htmlspecialchars($account->mail, ENT_QUOTES) : $account->mail;
 break;
 case 'url':
Index: themes/garland/maintenance-page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/garland/maintenance-page.tpl.php,v
retrieving revision 1.11
diff -u -p -r1.11 maintenance-page.tpl.php
--- themes/garland/maintenance-page.tpl.php 3 Aug 2009 03:04:34 -0000 1.11
+++ themes/garland/maintenance-page.tpl.php 24 Aug 2009 01:36:49 -0000
@@ -38,10 +38,10 @@
 // Prepare header
 $site_fields = array();
 if ($site_name) {
- $site_fields[] = check_plain($site_name);
+ $site_fields[] = htmlspecialchars($site_name, ENT_QUOTES);
 }
 if ($site_slogan) {
- $site_fields[] = check_plain($site_slogan);
+ $site_fields[] = htmlspecialchars($site_slogan, ENT_QUOTES);
 }
 $site_title = implode(' ', $site_fields);
 if ($site_fields) {
Index: themes/garland/template.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/garland/template.php,v
retrieving revision 1.26
diff -u -p -r1.26 template.php
--- themes/garland/template.php 22 Aug 2009 14:34:23 -0000 1.26
+++ themes/garland/template.php 24 Aug 2009 01:36:56 -0000
@@ -30,10 +30,10 @@ function garland_preprocess_page(&$vars)
 // Prepare header
 $site_fields = array();
 if (!empty($vars['site_name'])) {
- $site_fields[] = check_plain($vars['site_name']);
+ $site_fields[] = htmlspecialchars($vars['site_name'], ENT_QUOTES);
 }
 if (!empty($vars['site_slogan'])) {
- $site_fields[] = check_plain($vars['site_slogan']);
+ $site_fields[] = htmlspecialchars($vars['site_slogan'], ENT_QUOTES);
 }
 $vars['site_title'] = implode(' ', $site_fields);
 if (!empty($site_fields)) {