Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.1164
diff -u -p -r1.1164 common.inc
--- includes/common.inc	16 May 2010 19:21:45 -0000	1.1164
+++ includes/common.inc	26 May 2010 08:54:34 -0000
@@ -1897,12 +1897,10 @@ function _format_date_callback(array $ma
  *   The account object for the user whose name is to be formatted.
  *
  * @return
- *   An unsanitized string with the username to display. The code receiving
- *   this result must ensure that check_plain() is called on it before it is
- *   printed to the page.
+ *   A sanitized string containing the username to display.
  */
 function format_username($account) {
-  $name = !empty($account->name) ? $account->name : variable_get('anonymous', t('Anonymous'));
+  $name = !empty($account->name) ? check_plain($account->name) : check_plain(variable_get('anonymous', t('Anonymous')));
   drupal_alter('username', $name, $account);
   return $name;
 }
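Review bot: The escaping in format_username() is applied before `drupal_alter('username', $name, $account)`, so the new `@return` promise of a sanitized string holds only if every hook_username_alter() implementation also returns escaped text. An implementation that swaps in a raw stored value (a profile "real name", for instance) would reach the page unescaped once callers stop calling check_plain() themselves. I would put that obligation in the docblock, e.g. `Implementations of hook_username_alter() receive an already sanitized name and must sanitize any value they substitute.` Callers that still wrap the result in check_plain() will double-escape; they are outside this hunk and need checking.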
Index: includes/menu.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/menu.inc,v
retrieving revision 1.392
diff -u -p -r1.392 menu.inc
--- includes/menu.inc	17 May 2010 18:47:25 -0000	1.392
+++ includes/menu.inc	26 May 2010 08:54:35 -0000
@@ -650,11 +650,10 @@ function _menu_item_localize(&$item, $ma
       else {
         $item['title'] = call_user_func_array($callback, menu_unserialize($item['title_arguments'], $map));
       }
-      // Avoid calling check_plain again on l() function.
-      if ($callback == 'check_plain') {
-        $item['localized_options']['html'] = TRUE;
-      }
     }
+    // Avoid calling check_plain again on l() function.  All title callbacks
+    // must return sanitized strings.
+    $item['localized_options']['html'] = TRUE;
   }
   elseif ($link_translate) {
     $item['title'] = $item['link_title'];
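Review bot: `$item['localized_options']['html'] = TRUE;` now sits after the closing brace of the title-callback branch, so it appears to be set for every item entering the outer branch, including one whose callback did not run and whose title was never sanitized. The enclosing `if` chain starts outside the hunk, so this is inferred from the brace depth only. Any title callback not converted by this patch (contributed modules returning a stored title as-is) would be rendered without escaping by l(), which makes this an API change that deserves an upgrade note. Consider setting the flag only in the branches where a callback actually produced the title, and stating the contract more fully: `// Title callbacks must return sanitized strings; l() will not escape them again.`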
@@ -2193,7 +2192,9 @@ function menu_get_active_title() {
 
   foreach (array_reverse($active_trail) as $item) {
     if (!(bool) ($item['type'] & MENU_IS_LOCAL_TASK)) {
-      return $item['title'];
+      // Text that is user-entered or not passed through a title callback
+      // will not have html set to TRUE.
+      return empty($item['localized_options']['html']) ? check_plain($item['title']) : $item['title'];
     }
   }
 }
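Review bot: menu_get_active_title() changes from returning raw text to returning text that is safe to print, but the patch contains no hunk for its docblock, which sits above this hunk. Other callers that still escape the result will double-encode entities. I would add a `@return` line such as `The sanitized title of the active menu item; do not pass it through check_plain() again.` The `empty($item['localized_options']['html'])` test also makes the escaping depend on _menu_item_localize() having set the flag correctly, which is worth saying in the inline comment.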
Index: includes/path.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/path.inc,v
retrieving revision 1.62
diff -u -p -r1.62 path.inc
--- includes/path.inc	24 Apr 2010 15:11:27 -0000	1.62
+++ includes/path.inc	26 May 2010 08:54:36 -0000
@@ -293,7 +293,7 @@ function drupal_get_title() {
 
   // During a bootstrap, menu.inc is not included and thus we cannot provide a title.
   if (!isset($title) && function_exists('menu_get_active_title')) {
-    $title = check_plain(menu_get_active_title());
+    $title = menu_get_active_title();
   }
 
   return $title;
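Review bot: With `check_plain()` removed from the fallback in drupal_get_title(), the page title is safe only because menu_get_active_title() now escapes its return value, and nothing at this call site records that dependency. A one-line comment above the assignment would keep a later refactor from reintroducing either raw output or double escaping: `// menu_get_active_title() returns a sanitized string; do not escape it again.` The rest of drupal_get_title() lies outside the hunk.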
Index: modules/aggregator/aggregator.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/aggregator/aggregator.module,v
retrieving revision 1.439
diff -u -p -r1.439 aggregator.module
--- modules/aggregator/aggregator.module	1 May 2010 08:12:22 -0000	1.439
+++ modules/aggregator/aggregator.module	26 May 2010 08:54:37 -0000
@@ -279,7 +279,7 @@ function aggregator_menu() {
  *   An aggregator category title.
  */
 function _aggregator_category_title($category) {
-  return $category['title'];
+  return check_plain($category['title']);
 }
 
 /**
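Review bot: _aggregator_category_title() now returns escaped text, but its `@return` still reads "An aggregator category title", so the new contract is undocumented. The same applies to filter_admin_format_title(), menu_overview_title() and node_type_page_title() in the later hunks. Each docblock should say the value is sanitized, e.g. `@return The sanitized category title, safe for output as HTML.` That tells a caller not to escape the result a second time, and tells authors of new title callbacks what is expected of them.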
Index: modules/dblog/dblog.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/dblog/dblog.test,v
retrieving revision 1.36
diff -u -p -r1.36 dblog.test
--- modules/dblog/dblog.test	27 Mar 2010 14:24:14 -0000	1.36
+++ modules/dblog/dblog.test	26 May 2010 08:54:37 -0000
@@ -119,7 +119,7 @@ class DBLogTestCase extends DrupalWebTes
    * @param integer $response HTTP response code.
    */
   private function verifyReports($response = 200) {
-    $quote = '&#039;';
+    $quote = "'";
 
     // View dblog help node.
     $this->drupalGet('admin/help/dblog');
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.331
diff -u -p -r1.331 filter.module
--- modules/filter/filter.module	13 May 2010 07:53:02 -0000	1.331
+++ modules/filter/filter.module	26 May 2010 08:54:37 -0000
@@ -281,7 +281,7 @@ function filter_format_delete($format) {
  * Display a text format form title.
  */
 function filter_admin_format_title($format) {
-  return $format->name;
+  return check_plain($format->name);
 }
 
 /**
Index: modules/menu/menu.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/menu/menu.module,v
retrieving revision 1.229
diff -u -p -r1.229 menu.module
--- modules/menu/menu.module	7 Mar 2010 07:55:14 -0000	1.229
+++ modules/menu/menu.module	26 May 2010 08:54:38 -0000
@@ -205,7 +205,7 @@ function menu_enable() {
  * Title callback for the menu overview page and links.
  */
 function menu_overview_title($menu) {
-  return $menu['title'];
+  return check_plain($menu['title']);
 }
 
 /**
Index: modules/node/node.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/node/node.module,v
retrieving revision 1.1273
diff -u -p -r1.1273 node.module
--- modules/node/node.module	17 May 2010 07:43:36 -0000	1.1273
+++ modules/node/node.module	26 May 2010 08:54:40 -0000
@@ -1957,7 +1957,7 @@ function node_menu_local_tasks_alter(&$d
  * Title callback for a node type.
  */
 function node_type_page_title($type) {
-  return $type->name;
+  return check_plain($type->name);
 }
 
 /**
Index: modules/simpletest/tests/menu.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/menu.test,v
retrieving revision 1.29
diff -u -p -r1.29 menu.test
--- modules/simpletest/tests/menu.test	26 Apr 2010 14:06:23 -0000	1.29
+++ modules/simpletest/tests/menu.test	26 May 2010 08:54:41 -0000
@@ -412,6 +412,13 @@ class MenuRebuildTestCase extends Drupal
   }
 
   /**
+   * Enable menu_test.module.
+   */
+  public function setUp() {
+    parent::setUp('menu_test');
+  }
+
+  /**
    * Test if the 'menu_rebuild_needed' variable triggers a menu_rebuild() call.
    */
   function testMenuRebuildByVariable() {
@@ -435,6 +442,16 @@ class MenuRebuildTestCase extends Drupal
     $this->assertEqual($admin_exists, 'admin', t("The menu has been rebuilt, the path 'admin' now exists again."));
   }
 
+  /**
+   * Test title pass through.
+   */
+  function testMenuTitlePassThrough() {
+    $this->drupalGet('menu-test/passthrough');
+    $title = '<span>test</span>';
+    $this->assertRaw($title);
+    $this->assertNoRaw(check_plain($title));
+  }
+
 }
 
 /**
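Review bot: testMenuTitlePassThrough() covers only the permissive half of the change, checking that markup in a router title reaches the page unescaped. Nothing in this patch asserts the protective half: that a title which did not come from a title callback (a user-edited link title, for example) is still escaped by menu_get_active_title(). I would add a second case that loads a page whose title contains markup from user-entered data and asserts `$this->assertNoRaw($title);` together with `$this->assertRaw(check_plain($title));`. The docblock `Test title pass through.` could also say that the title is expected to be emitted as HTML because it goes through the default title callback.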
Index: modules/simpletest/tests/menu_test.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/menu_test.module,v
retrieving revision 1.14
diff -u -p -r1.14 menu_test.module
--- modules/simpletest/tests/menu_test.module	26 Apr 2010 14:06:23 -0000	1.14
+++ modules/simpletest/tests/menu_test.module	26 May 2010 08:54:41 -0000
@@ -188,7 +188,12 @@ function menu_test_menu() {
     'access arguments' => array('access content'),
     'type' => MENU_LOCAL_TASK,
   );
-
+  $items['menu-test/passthrough'] = array(
+    'title' => '<span>test</span>',
+    'page callback' => 'menu_test_passthrough',
+    'access callback' => TRUE,
+    'type' => MENU_CALLBACK,
+  );
   return $items;
 }
 
@@ -329,3 +334,10 @@ function menu_test_static_variable($valu
   }
   return $variable;
 }
+
+/**
+ * Empty menu callback.
+ */
+function menu_test_passthrough() {
+  return '&nbsp;';
+}
