? modules/blogapi/blogapi56.test
? modules/blogapi/blogapi56.txt
? modules/simpletest/variable-profile-279455-1.patch
Index: includes/batch.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/batch.inc,v
retrieving revision 1.22
diff -u -p -r1.22 batch.inc
--- includes/batch.inc 26 Sep 2008 23:30:20 -0000 1.22
+++ includes/batch.inc 11 Oct 2008 18:51:00 -0000
@@ -80,10 +80,10 @@ function _batch_start() {
function _batch_progress_page_js() {
$batch = batch_get();
- // The first batch set gets to set the page title
- // and the initialization and error messages.
+ // The first batch set gets to set the page title and the initialization and
+ // error messages. Only safe strings should be passed in to batch_set().
$current_set = _batch_current_set();
- drupal_set_title($current_set['title']);
+ drupal_set_title($current_set['title'], TITLE_PASS_THROUGH);
drupal_add_js('misc/progress.js', 'core', 'header', FALSE, FALSE);
$url = url($batch['url'], array('query' => array('id' => $batch['id'])));
@@ -126,7 +126,7 @@ function _batch_progress_page_nojs() {
$batch =& batch_get();
$current_set = _batch_current_set();
- drupal_set_title($current_set['title']);
+ drupal_set_title($current_set['title'], TITLE_PASS_THROUGH);
$new_op = 'do_nojs';
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.803
diff -u -p -r1.803 common.inc
--- includes/common.inc 11 Oct 2008 02:32:32 -0000 1.803
+++ includes/common.inc 11 Oct 2008 18:51:00 -0000
@@ -750,7 +750,7 @@ function fix_gpc_magic() {
* to escape HTML characters. Use this for any output that's displayed within
* a Drupal page.
* @code
- * drupal_set_title($title = t("@name's blog", array('@name' => $account->name)));
+ * drupal_set_title($title = t("@name's blog", array('@name' => $account->name)), TITLE_PASS_THROUGH);
* @endcode
*
* - %variable, which indicates that the string should be HTML escaped and
Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.292
diff -u -p -r1.292 form.inc
--- includes/form.inc 11 Oct 2008 04:06:27 -0000 1.292
+++ includes/form.inc 11 Oct 2008 18:51:00 -0000
@@ -2379,6 +2379,11 @@ function form_clean_id($id = NULL, $flus
* batch_process();
* @endcode
*
+ * Note - if the batch 'title', 'init_message', 'progress_message',
+ * or 'error_message' could contain any user input, it is the responsibility of
+ * the code calling batch_set() to sanitize them first with a function like
+ * check_plain() or filter_xss().
+ *
* Sample batch operations:
* @code
* // Simple and artificial: load a node of a given type for a given user
Index: includes/path.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/path.inc,v
retrieving revision 1.24
diff -u -p -r1.24 path.inc
--- includes/path.inc 24 Jun 2008 22:12:15 -0000 1.24
+++ includes/path.inc 11 Oct 2008 18:51:00 -0000
@@ -10,6 +10,28 @@
* executing "drupal_bootstrap(DRUPAL_BOOTSTRAP_PATH);".
*/
+
+/**
+ * @name Title filtering flags
+ * @{
+ * Flags for use in drupal_set_title().
+ */
+
+/**
+ * Flag for drupal_set_title(); title is not sanitized, so run check_plain().
+ */
+define('TITLE_CHECK_PLAIN', 0);
+
+/**
+ * Flag for drupal_set_title(); title has already been sanitized.
+ */
+define('TITLE_PASS_THROUGH', 1);
+
+/**
+ * @} End of "Title filtering flags".
+ */
+
+
/**
* Initialize the $_GET['q'] variable to the proper normal path.
*/
@@ -196,15 +218,20 @@ function drupal_get_title() {
* @param $title
* Optional string value to assign to the page title; or if set to NULL
* (default), leaves the current title unchanged.
+ * @param $output
+ * Optional flag - normally should be left as TITLE_CHECK_PLAIN. Only set to
+ * TITLE_PASS_THROUGH if you have already removed any possibly dangerous code
+ * from $title using a function like check_plain() or filter_xss(). With this
+ * flag the string will be passed through unchanged.
*
* @return
* The updated title of the current page.
*/
-function drupal_set_title($title = NULL) {
+function drupal_set_title($title = NULL, $output = TITLE_CHECK_PLAIN) {
static $stored_title;
if (isset($title)) {
- $stored_title = $title;
+ $stored_title = ($output == TITLE_PASS_THROUGH) ? $title : check_plain($title);
}
return $stored_title;
}
Index: modules/aggregator/aggregator.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/aggregator/aggregator.pages.inc,v
retrieving revision 1.18
diff -u -p -r1.18 aggregator.pages.inc
--- modules/aggregator/aggregator.pages.inc 17 Sep 2008 07:11:56 -0000 1.18
+++ modules/aggregator/aggregator.pages.inc 11 Oct 2008 18:51:01 -0000
@@ -37,7 +37,7 @@ function aggregator_page_source($arg1, $
// $arg1 is $form_state and $arg2 is $feed. Otherwise, $arg1 is $feed.
$feed = is_array($arg2) ? $arg2 : $arg1;
$feed = (object)$feed;
- drupal_set_title(check_plain($feed->title));
+ drupal_set_title($feed->title);
$feed_source = theme('aggregator_feed_source', $feed);
// It is safe to include the fid in the query because it's loaded from the
Index: modules/block/block.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.admin.inc,v
retrieving revision 1.19
diff -u -p -r1.19 block.admin.inc
--- modules/block/block.admin.inc 16 Jul 2008 21:59:25 -0000 1.19
+++ modules/block/block.admin.inc 11 Oct 2008 18:51:01 -0000
@@ -174,7 +174,7 @@ function block_admin_configure(&$form_st
// Get the block subject for the page title.
$info = module_invoke($module, 'block', 'list');
if (isset($info[$delta])) {
- drupal_set_title(t("'%name' block", array('%name' => $info[$delta]['info'])));
+ drupal_set_title(t("'%name' block", array('%name' => $info[$delta]['info'])), TITLE_PASS_THROUGH);
}
// Standard block configurations.
Index: modules/blog/blog.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/blog/blog.pages.inc,v
retrieving revision 1.10
diff -u -p -r1.10 blog.pages.inc
--- modules/blog/blog.pages.inc 22 May 2008 19:27:13 -0000 1.10
+++ modules/blog/blog.pages.inc 11 Oct 2008 18:51:01 -0000
@@ -12,7 +12,7 @@
function blog_page_user($account) {
global $user;
- drupal_set_title($title = t("@name's blog", array('@name' => $account->name)));
+ drupal_set_title($title = t("@name's blog", array('@name' => $account->name)), TITLE_PASS_THROUGH);
$items = array();
Index: modules/book/book.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/book/book.admin.inc,v
retrieving revision 1.12
diff -u -p -r1.12 book.admin.inc
--- modules/book/book.admin.inc 5 Jul 2008 06:00:51 -0000 1.12
+++ modules/book/book.admin.inc 11 Oct 2008 18:51:01 -0000
@@ -70,7 +70,7 @@ function book_admin_settings_validate($f
* @ingroup forms.
*/
function book_admin_edit($form_state, $node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
$form = array();
$form['#node'] = $node;
_book_admin_table($node, $form);
Index: modules/book/book.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/book/book.pages.inc,v
retrieving revision 1.8
diff -u -p -r1.8 book.pages.inc
--- modules/book/book.pages.inc 11 Oct 2008 04:06:28 -0000 1.8
+++ modules/book/book.pages.inc 11 Oct 2008 18:51:01 -0000
@@ -90,7 +90,7 @@ function book_export_html($nid) {
* Menu callback; show the outline form for a single node.
*/
function book_outline($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
return drupal_get_form('book_outline_form', $node);
}
Index: modules/comment/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v
retrieving revision 1.655
diff -u -p -r1.655 comment.module
--- modules/comment/comment.module 9 Oct 2008 15:15:50 -0000 1.655
+++ modules/comment/comment.module 11 Oct 2008 18:51:01 -0000
@@ -1442,7 +1442,7 @@ function comment_form_box($edit, $title
function comment_form_add_preview($form, &$form_state) {
global $user;
$edit = $form_state['values'];
- drupal_set_title(t('Preview comment'));
+ drupal_set_title(t('Preview comment'), TITLE_PASS_THROUGH);
$output = '';
$node = node_load($edit['nid']);
Index: modules/contact/contact.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/contact/contact.pages.inc,v
retrieving revision 1.11
diff -u -p -r1.11 contact.pages.inc
--- modules/contact/contact.pages.inc 16 Jul 2008 21:59:26 -0000 1.11
+++ modules/contact/contact.pages.inc 11 Oct 2008 18:51:01 -0000
@@ -164,7 +164,7 @@ function contact_user_page($account) {
$output = t("You cannot send more than %number messages per hour. Please try again later.", array('%number' => variable_get('contact_hourly_threshold', 3)));
}
else {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
$output = drupal_get_form('contact_mail_user', $account);
}
Index: modules/filter/filter.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.admin.inc,v
retrieving revision 1.13
diff -u -p -r1.13 filter.admin.inc
--- modules/filter/filter.admin.inc 24 Jul 2008 16:27:51 -0000 1.13
+++ modules/filter/filter.admin.inc 11 Oct 2008 18:51:01 -0000
@@ -94,7 +94,7 @@ function theme_filter_admin_overview($fo
*/
function filter_admin_format_page($format = NULL) {
if (!isset($format->name)) {
- drupal_set_title(t("Add input format"));
+ drupal_set_title(t('Add input format'), TITLE_PASS_THROUGH);
$format = (object)array('name' => '', 'roles' => '', 'format' => '');
}
return drupal_get_form('filter_admin_format_form', $format);
@@ -302,7 +302,7 @@ function filter_admin_delete_submit($for
* Menu callback; display settings defined by a format's filters.
*/
function filter_admin_configure_page($format) {
- drupal_set_title(t("Configure %format", array('%format' => $format->name)));
+ drupal_set_title(t("Configure %format", array('%format' => $format->name)), TITLE_PASS_THROUGH);
return drupal_get_form('filter_admin_configure', $format);
}
@@ -343,7 +343,7 @@ function filter_admin_configure_submit($
* Menu callback; display form for ordering filters for a format.
*/
function filter_admin_order_page($format) {
- drupal_set_title(t("Rearrange %format", array('%format' => $format->name)));
+ drupal_set_title(t("Rearrange %format", array('%format' => $format->name)), TITLE_PASS_THROUGH);
return drupal_get_form('filter_admin_order', $format);
}
Index: modules/forum/forum.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/forum/forum.module,v
retrieving revision 1.467
diff -u -p -r1.467 forum.module
--- modules/forum/forum.module 9 Oct 2008 15:15:51 -0000 1.467
+++ modules/forum/forum.module 11 Oct 2008 18:51:01 -0000
@@ -723,7 +723,7 @@ function template_preprocess_forums(&$va
}
}
drupal_set_breadcrumb($breadcrumb);
- drupal_set_title(check_plain($title));
+ drupal_set_title($title);
if ($variables['forums_defined'] = count($variables['forums']) || count($variables['parents'])) {
// Format the "post new content" links listing.
@@ -784,7 +784,7 @@ function template_preprocess_forums(&$va
}
else {
- drupal_set_title(t('No forums defined'));
+ drupal_set_title(t('No forums defined'), TITLE_PASS_THROUGH);
$variables['links'] = array();
$variables['forums'] = '';
$variables['topics'] = '';
Index: modules/node/node.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/node/node.module,v
retrieving revision 1.982
diff -u -p -r1.982 node.module
--- modules/node/node.module 9 Oct 2008 15:15:51 -0000 1.982
+++ modules/node/node.module 11 Oct 2008 18:51:02 -0000
@@ -1142,7 +1142,7 @@ function node_build_content($node, $teas
*/
function node_show($node, $cid, $message = FALSE) {
if ($message) {
- drupal_set_title(t('Revision of %title from %date', array('%title' => $node->title, '%date' => format_date($node->revision_timestamp))));
+ drupal_set_title(t('Revision of %title from %date', array('%title' => $node->title, '%date' => format_date($node->revision_timestamp))), TITLE_PASS_THROUGH);
}
$output = node_view($node, FALSE, TRUE);
@@ -1853,7 +1853,7 @@ function node_page_default() {
* Menu callback; view a single node.
*/
function node_page_view($node, $cid = NULL) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
return node_show($node, $cid);
}
Index: modules/node/node.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/node/node.pages.inc,v
retrieving revision 1.40
diff -u -p -r1.40 node.pages.inc
--- modules/node/node.pages.inc 6 Oct 2008 12:55:54 -0000 1.40
+++ modules/node/node.pages.inc 11 Oct 2008 18:51:02 -0000
@@ -11,7 +11,7 @@
* Menu callback; presents the node editing form, or redirects to delete confirmation.
*/
function node_page_edit($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
return drupal_get_form($node->type . '_node_form', $node);
}
@@ -59,7 +59,7 @@ function node_add($type) {
// Initialize settings:
$node = array('uid' => $user->uid, 'name' => (isset($user->name) ? $user->name : ''), 'type' => $type, 'language' => '');
- drupal_set_title(t('Create @name', array('@name' => $types[$type]->name)));
+ drupal_set_title(t('Create @name', array('@name' => $types[$type]->name)), TITLE_PASS_THROUGH);
$output = drupal_get_form($type . '_node_form', $node);
}
@@ -381,7 +381,7 @@ function node_preview($node) {
$cloned_node->build_mode = NODE_BUILD_PREVIEW;
$output = theme('node_preview', $cloned_node);
}
- drupal_set_title(t('Preview'));
+ drupal_set_title(t('Preview'), TITLE_PASS_THROUGH);
return $output;
}
@@ -504,7 +504,7 @@ function node_delete_confirm_submit($for
* Generate an overview table of older revisions of a node.
*/
function node_revision_overview($node) {
- drupal_set_title(t('Revisions for %title', array('%title' => $node->title)));
+ drupal_set_title(t('Revisions for %title', array('%title' => $node->title)), TITLE_PASS_THROUGH);
$header = array(t('Revision'), array('data' => t('Operations'), 'colspan' => 2));
Index: modules/openid/openid.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/openid/openid.pages.inc,v
retrieving revision 1.7
diff -u -p -r1.7 openid.pages.inc
--- modules/openid/openid.pages.inc 6 Oct 2008 11:30:11 -0000 1.7
+++ modules/openid/openid.pages.inc 11 Oct 2008 18:51:02 -0000
@@ -28,7 +28,7 @@ function openid_authentication_page() {
* Menu callback; Manage OpenID identities for the specified user.
*/
function openid_user_identities($account) {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
drupal_add_css(drupal_get_path('module', 'openid') . '/openid.css', 'module');
// Check to see if we got a response
Index: modules/path/path.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/path/path.admin.inc,v
retrieving revision 1.11
diff -u -p -r1.11 path.admin.inc
--- modules/path/path.admin.inc 9 Oct 2008 20:20:49 -0000 1.11
+++ modules/path/path.admin.inc 11 Oct 2008 18:51:02 -0000
@@ -66,7 +66,7 @@ function path_admin_overview($keys = NUL
function path_admin_edit($pid = 0) {
if ($pid) {
$alias = path_load($pid);
- drupal_set_title(check_plain($alias['dst']));
+ drupal_set_title($alias['dst']);
$output = drupal_get_form('path_admin_form', $alias);
}
else {
Index: modules/poll/poll.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/poll/poll.pages.inc,v
retrieving revision 1.6
diff -u -p -r1.6 poll.pages.inc
--- modules/poll/poll.pages.inc 15 May 2008 20:55:58 -0000 1.6
+++ modules/poll/poll.pages.inc 11 Oct 2008 18:51:02 -0000
@@ -28,7 +28,7 @@ function poll_page() {
* Callback for the 'votes' tab for polls you can see other votes on
*/
function poll_votes($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
$output = t('This table lists all the recorded votes for this poll. If anonymous users are allowed to vote, they will be identified by the IP address of the computer they used when they voted.');
$header[] = array('data' => t('Visitor'), 'field' => 'u.name');
@@ -51,7 +51,7 @@ function poll_votes($node) {
* Callback for the 'results' tab for polls you can vote on
*/
function poll_results($node) {
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
$node->show_results = TRUE;
return node_show($node, 0);
}
Index: modules/profile/profile.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/profile/profile.admin.inc,v
retrieving revision 1.13
diff -u -p -r1.13 profile.admin.inc
--- modules/profile/profile.admin.inc 10 Oct 2008 07:49:49 -0000 1.13
+++ modules/profile/profile.admin.inc 11 Oct 2008 18:51:02 -0000
@@ -175,7 +175,7 @@ function profile_field_form(&$form_state
drupal_not_found();
return;
}
- drupal_set_title(t('edit %title', array('%title' => $edit['title'])));
+ drupal_set_title(t('edit %title', array('%title' => $edit['title'])), TITLE_PASS_THROUGH);
$form['fid'] = array('#type' => 'value',
'#value' => $fid,
);
@@ -193,7 +193,7 @@ function profile_field_form(&$form_state
return;
}
$type = $arg;
- drupal_set_title(t('add new %type', array('%type' => $types[$type])));
+ drupal_set_title(t('add new %type', array('%type' => $types[$type])), TITLE_PASS_THROUGH);
$edit = array('name' => 'profile_');
$form['type'] = array('#type' => 'value', '#value' => $type);
}
Index: modules/profile/profile.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/profile/profile.pages.inc,v
retrieving revision 1.4
diff -u -p -r1.4 profile.pages.inc
--- modules/profile/profile.pages.inc 15 Sep 2008 20:48:09 -0000 1.4
+++ modules/profile/profile.pages.inc 11 Oct 2008 18:51:02 -0000
@@ -73,7 +73,7 @@ function profile_browse() {
$title = check_plain($field->page);
}
- drupal_set_title($title);
+ drupal_set_title($title, TITLE_PASS_THROUGH);
return $output;
}
else if ($name && !$field->fid) {
@@ -99,7 +99,7 @@ function profile_browse() {
$output = theme('profile_wrapper', $content);
$output .= theme('pager', NULL, 20);
- drupal_set_title(t('User list'));
+ drupal_set_title(t('User list'), TITLE_PASS_THROUGH);
return $output;
}
}
Index: modules/statistics/statistics.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/statistics/statistics.admin.inc,v
retrieving revision 1.11
diff -u -p -r1.11 statistics.admin.inc
--- modules/statistics/statistics.admin.inc 17 Sep 2008 07:11:58 -0000 1.11
+++ modules/statistics/statistics.admin.inc 11 Oct 2008 18:51:02 -0000
@@ -64,7 +64,7 @@ function statistics_top_pages() {
$rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 4));
}
- drupal_set_title(t('Top pages in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))));
+ drupal_set_title(t('Top pages in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))), TITLE_PASS_THROUGH);
$output = theme('table', $header, $rows);
$output .= theme('pager', NULL, 30, 0);
return $output;
@@ -97,7 +97,7 @@ function statistics_top_visitors() {
$rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 4));
}
- drupal_set_title(t('Top visitors in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))));
+ drupal_set_title(t('Top visitors in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))), TITLE_PASS_THROUGH);
$output = theme('table', $header, $rows);
$output .= theme('pager', NULL, 30, 0);
return $output;
@@ -109,7 +109,7 @@ function statistics_top_visitors() {
function statistics_top_referrers() {
$query = "SELECT url, COUNT(url) AS hits, MAX(timestamp) AS last FROM {accesslog} WHERE url NOT LIKE :host AND url <> '' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url NOT LIKE :host";
- drupal_set_title(t('Top referrers in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))));
+ drupal_set_title(t('Top referrers in the past %interval', array('%interval' => format_interval(variable_get('statistics_flush_accesslog_timer', 259200)))), TITLE_PASS_THROUGH);
$header = array(
array('data' => t('Hits'), 'field' => 'hits', 'sort' => 'desc'),
Index: modules/statistics/statistics.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/statistics/statistics.pages.inc,v
retrieving revision 1.3
diff -u -p -r1.3 statistics.pages.inc
--- modules/statistics/statistics.pages.inc 14 Apr 2008 17:48:41 -0000 1.3
+++ modules/statistics/statistics.pages.inc 11 Oct 2008 18:51:02 -0000
@@ -29,7 +29,7 @@ function statistics_node_tracker() {
$rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 4));
}
- drupal_set_title(check_plain($node->title));
+ drupal_set_title($node->title);
$output = theme('table', $header, $rows);
$output .= theme('pager', NULL, 30, 0);
return $output;
@@ -60,7 +60,7 @@ function statistics_user_tracker() {
$rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 3));
}
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
$output = theme('table', $header, $rows);
$output .= theme('pager', NULL, 30, 0);
return $output;
Index: modules/system/system.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.module,v
retrieving revision 1.628
diff -u -p -r1.628 system.module
--- modules/system/system.module 9 Oct 2008 15:15:54 -0000 1.628
+++ modules/system/system.module 11 Oct 2008 18:51:03 -0000
@@ -1296,6 +1296,11 @@ function system_node_type($op, $info) {
* confirmed the action. You should never directly inspect $_POST to see if an
* action was confirmed.
*
+ * Note - if the parameters $question, $description, $yes, or $no could contain
+ * any user input (such as node titles or taxonomy terms), it is the
+ * responsibility of the code calling confirm_form() to sanitize them first with
+ * a function like check_plain() or filter_xss().
+ *
* @ingroup forms
* @param $form
* Additional elements to inject into the form, for example hidden elements.
@@ -1329,7 +1334,7 @@ function confirm_form($form, $question,
}
$cancel = l($no ? $no : t('Cancel'), $path, array('query' => $query, 'fragment' => $fragment));
- drupal_set_title($question);
+ drupal_set_title($question, TITLE_PASS_THROUGH);
// Confirm form fails duplication check, as the form values rarely change -- so skip it.
$form['#skip_duplicate_check'] = TRUE;
Index: modules/system/system.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.test,v
retrieving revision 1.14
diff -u -p -r1.14 system.test
--- modules/system/system.test 11 Oct 2008 03:25:36 -0000 1.14
+++ modules/system/system.test 11 Oct 2008 18:51:03 -0000
@@ -393,3 +393,68 @@ class PageNotFoundTestCase extends Drupa
$this->assertNoText(t('User login'), t('Blocks are not shown on the default 404 page'));
}
}
+
+class PageTitleFiltering extends DrupalWebTestCase {
+ protected $content_user;
+ protected $saved_title;
+
+ /**
+ * Implementation of getInfo().
+ */
+ function getInfo() {
+ return array(
+ 'name' => t('HTML in page titles'),
+ 'description' => t('Tests correct handling or conversion by drupal_set_title() and drupal_get_title().'),
+ 'group' => t('System')
+ );
+ }
+
+ /**
+ * Implementation of setUp().
+ */
+ function setUp() {
+ parent::setUp();
+
+ $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+ $this->drupalLogin($this->content_user);
+ $this->saved_title = drupal_get_title();
+ }
+
+ /**
+ * Reset page title.
+ */
+ function tearDown() {
+ // Restore the page title.
+ drupal_set_title($this->saved_title, TITLE_PASS_THROUGH);
+
+ parent::tearDown();
+ }
+
+ /**
+ * Tests the handling of HTML by drupal_set_title() and drupal_get_title()
+ */
+ function testTitleTags() {
+ $title = "string with HTML";
+ // drupal_set_title's $filter is TITLE_CHECK_PLAIN by default, so the title should be
+ // returned with check_plain().
+ drupal_set_title($title, TITLE_CHECK_PLAIN);
+ $this->assertTrue(strpos(drupal_get_title(), '') === FALSE, t('Tags in title converted to entities when $output is TITLE_CHECK_PLAIN.'));
+ // drupal_set_title's $filter is passed as TITLE_PASS_THROUGH, so the title should be
+ // returned with HTML.
+ drupal_set_title($title, TITLE_PASS_THROUGH);
+ $this->assertTrue(strpos(drupal_get_title(), '') !== FALSE, t('Tags in title are not converted to entities when $output is TITLE_PASS_THROUGH.'));
+ // Generate node content.
+ $edit = array(
+ 'title' => '!SimpleTest! ' . $title . $this->randomName(20),
+ 'body' => '!SimpleTest! test body' . $this->randomName(200),
+ );
+ // Create the node with HTML in the title.
+ $this->drupalPost('node/add/page', $edit, t('Save'));
+
+ $node = node_load(array('title' => $edit['title']));
+ $this->assertNotNull($node, 'Node created and found in database');
+ $this->drupalGet("node/" . $node->nid);
+ $this->assertText(check_plain($edit['title']), 'Check to make sure tags in the node title are converted.');
+ }
+}
+
Index: modules/taxonomy/taxonomy.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.pages.inc,v
retrieving revision 1.15
diff -u -p -r1.15 taxonomy.pages.inc
--- modules/taxonomy/taxonomy.pages.inc 19 Sep 2008 20:25:03 -0000 1.15
+++ modules/taxonomy/taxonomy.pages.inc 11 Oct 2008 18:51:03 -0000
@@ -112,7 +112,7 @@ function theme_taxonomy_term_page($tids,
*/
function taxonomy_term_edit($term) {
if (isset($term)) {
- drupal_set_title(check_plain($term->name));
+ drupal_set_title($term->name);
return drupal_get_form('taxonomy_form_term', taxonomy_vocabulary_load($term->vid), (array)$term);
}
return drupal_not_found();
Index: modules/tracker/tracker.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/tracker/tracker.pages.inc,v
retrieving revision 1.8
diff -u -p -r1.8 tracker.pages.inc
--- modules/tracker/tracker.pages.inc 17 Sep 2008 07:11:58 -0000 1.8
+++ modules/tracker/tracker.pages.inc 11 Oct 2008 18:51:03 -0000
@@ -19,7 +19,7 @@ function tracker_page($account = NULL, $
// When viewed from user/%user/track, display the name of the user
// as page title -- the tab title remains Track so this needs to be done
// here and not in the menu definiton.
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
}
// TODO: These queries are very expensive, see http://drupal.org/node/105639
$sql = 'SELECT DISTINCT(n.nid), n.title, n.type, n.changed, n.uid, u.name, GREATEST(n.changed, l.last_comment_timestamp) AS last_updated, l.comment_count FROM {node} n INNER JOIN {node_comment_statistics} l ON n.nid = l.nid INNER JOIN {users} u ON n.uid = u.uid LEFT JOIN {comments} c ON n.nid = c.nid AND (c.status = %d OR c.status IS NULL) WHERE n.status = 1 AND (n.uid = %d OR c.uid = %d) ORDER BY last_updated DESC';
Index: modules/translation/translation.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/translation/translation.pages.inc,v
retrieving revision 1.4
diff -u -p -r1.4 translation.pages.inc
--- modules/translation/translation.pages.inc 1 Oct 2008 13:19:29 -0000 1.4
+++ modules/translation/translation.pages.inc 11 Oct 2008 18:51:03 -0000
@@ -54,6 +54,6 @@ function translation_node_overview($node
$rows[] = array($language_name, $title, $status, implode(" | ", $options));
}
- drupal_set_title(t('Translations of %title', array('%title' => $node->title)));
+ drupal_set_title(t('Translations of %title', array('%title' => $node->title)), TITLE_PASS_THROUGH);
return theme('table', $header, $rows);
}
Index: modules/user/user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.18
diff -u -p -r1.18 user.pages.inc
--- modules/user/user.pages.inc 6 Oct 2008 11:30:12 -0000 1.18
+++ modules/user/user.pages.inc 11 Oct 2008 18:51:03 -0000
@@ -147,7 +147,7 @@ function user_logout() {
* Menu callback; Displays a user or user profile page.
*/
function user_view($account) {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
// Retrieve all profile fields and attach to $account->content.
user_build_content($account);
@@ -218,7 +218,7 @@ function template_preprocess_user_profil
* @see user_edit_submit()
*/
function user_edit($account, $category = 'account') {
- drupal_set_title(check_plain($account->name));
+ drupal_set_title($account->name);
return drupal_get_form('user_profile_form', $account, $category);
}