Index: modules/project/release/package-release-nodes.php
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/project/release/Attic/package-release-nodes.php,v
retrieving revision 1.1.2.9
diff -u -p -r1.1.2.9 package-release-nodes.php
--- modules/project/release/package-release-nodes.php 8 Nov 2006 05:08:43 -0000 1.1.2.9
+++ modules/project/release/package-release-nodes.php 8 Nov 2006 21:26:08 -0000
@@ -170,13 +170,13 @@ function package_releases($type) {
 $nid = $release->nid;
 $rev = ($tag == 'TRUNK' || $tag == 'HEAD') ? '-A' : "-r $tag";
 watchdog('release_package', t("Working on %type release: %id from $type: %tag", array('%type' => $release->rid == 1 ? t('core') : t('contrib'), '%id' => theme_placeholder($id), '%tag' => theme_placeholder($tag))));
- $id = escapeshellcmd(filter_xss($id, array()));
- $rev = escapeshellcmd(filter_xss($rev, array()));
+ $id = escapeshellcmd($id);
+ $rev = escapeshellcmd($rev);
 if ($release->rid == 1) {
 $built = package_release_core($nid, $id, $rev, $check_new);
 }
 else {
- $dir = escapeshellcmd(filter_xss($release->directory, array()));
+ $dir = escapeshellcmd($release->directory);
 $built = package_release_contrib($nid, $id, $rev, $dir, $check_new);
 }
 if ($built) {
Index: modules/project/release/project_release.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/project/release/Attic/project_release.module,v
retrieving revision 1.1.2.32
diff -u -p -r1.1.2.32 project_release.module
--- modules/project/release/project_release.module 5 Nov 2006 22:12:42 -0000 1.1.2.32
+++ modules/project/release/project_release.module 8 Nov 2006 21:26:09 -0000
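Review bot: escapeshellcmd() on $id, $rev and $dir neutralises shell metacharacters but not argument-level injection, and after this hunk nothing else constrains those values before they reach package_release_core()/package_release_contrib() (the rest of package_releases(), including how the command line is assembled, is outside the hunk). Dropping filter_xss() is not itself the weakening — it was never a shell sanitiser — but $release->directory and $id are now trusted as stored, and the cvs_directory whitelist added elsewhere in this patch only runs at save time, so rows written before it existed are unchecked (assuming $release->directory is that cvs_directory value). For values that form a single command-line token, escapeshellarg() is the tighter primitive, e.g. `$dir = escapeshellarg($release->directory);` and `$id = escapeshellarg($id);`; $rev cannot be treated that way as written because it carries `-r` and the tag as two tokens. As defence in depth, re-checking the stored directory against the same `/^[a-zA-Z0-9\/_-]+$/` pattern here and skipping the release with a watchdog() entry on mismatch would be cheap.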
@@ -2,6 +2,8 @@ /* $Id: project_release.module,v 1.1.2.32 2006/11/05 22:12:42 dww Exp $ */ define('PROJECT_RELEASE_DEFAULT_VERSION_FORMAT', '!major%minor%patch#extra'); +define('PROJECT_RELEASE_VERSION_FORMAT_VALID_MSG', t("The version format string can only contain letters, numbers, and the characters . _ and - (in addition to the special characters used for identifying variables: % ! and #).")); +define('PROJECT_RELEASE_VERSION_FORMAT_HELP', t('Available variables are:') .' %api, %major, %minor, %patch, %extra. '. t("The percent sign ('%') at the front of the variable name indicates that a period ('.') should be inserted as a delimiter before the value of the variable. The '%' can be replaced with a hash mark ('#') to use a hyphen ('-') delimiter, or with an exclaimation point ('!') to have the value printed without a delimiter. Any variable in the format string that has no value will be removed entirely from the final string.") .' '. PROJECT_RELEASE_VERSION_FORMAT_VALID_MSG); /** * @defgroup project_release_core Core Drupal hooks 
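Review bot: Calling t() inside define() evaluates the translation when project_release.module is included, so whichever language is active at that moment is baked into PROJECT_RELEASE_VERSION_FORMAT_VALID_MSG and PROJECT_RELEASE_VERSION_FORMAT_HELP for the rest of the request, and if inclusion happens before locale initialisation (bootstrap order is not visible here) the strings are not translated at all. The usual Drupal shape for reusable UI text is a small helper evaluated at form-build time, e.g. `function _project_release_version_format_help() { return t('Available variables are:') .' %api, %major, %minor, %patch, %extra. '. t("...") .' '. _project_release_version_format_valid_msg(); }`. Minor wording: `exclaimation` in the help string should read `exclamation`.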
@@ -65,7 +67,7 @@ function project_release_settings() { '#default_value' => variable_get('project_release_default_version_format', PROJECT_RELEASE_DEFAULT_VERSION_FORMAT), '#size' => 50, '#maxlength' => 255, - '#description' => t('Customize the default format of the version strings for releases of projects on this site. Users with "administer projects" permissions can override this setting for each project.') .' '. t('Available variables are:') .' %api, %major, %minor, %patch, %extra. '. t("The percent sign ('%') at the front of the variable name indicates that a period ('.') should be inserted as a delimiter before the value of the variable. The '%' can be replaced with a hash mark ('#') to use a hyphen ('-') delimiter, or with an exclaimation point ('!') to have the value printed without a delimiter. Any variable in the format string that has no value will be removed entirely from the final string."), + '#description' => t('Customize the default format of the version strings for releases of projects on this site. Users with "administer projects" permissions can override this setting for each project.') .' '. PROJECT_RELEASE_VERSION_FORMAT_HELP, ); // TODO: isn't this a dead setting, too? @@ -121,6 +123,9 @@ function project_release_settings_valida $vocab = taxonomy_get_vocabulary(_project_release_get_api_vid()); form_set_error('project_release_overview', t('Project release overview must be one of the active %vocab terms', array('%vocab' => check_plain($vocab->name)))); } + + // Make sure the default version format has no bad characters. + _project_release_validate_format_string($form_values, 'project_release_default_version_format'); } /** 
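Review bot: In the -121 hunk, _project_release_validate_format_string() runs on project_release_default_version_format with no empty check, so a blank site-wide default is rejected with the "can only contain letters, numbers…" message, which describes the wrong problem to the administrator. If a blank default is meant to be invalid — plausible, since the project form falls back to this value when a project leaves its own format blank — add `'#required' => TRUE` to that element in project_release_settings() so the user gets a "required" message instead; if blank should be tolerated, guard the call the same way project_release_project_form_validate() does with `if (!empty($form_values['project_release_default_version_format']))`. The body of project_release_settings_validate() starts outside this hunk.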
@@ -603,6 +608,19 @@ function project_release_get_version_for } /** + * Validates a version format string. Only alphanumeric characters and + * [-_.] are allowed. Calls form_set_error() on error, else returns. + * @param $form_values Array of form values passed to validate hook. + * @param $element The name of the form element for the format string. + * @ingroup project_release_internal + */ +function _project_release_validate_format_string($form_values, $element) { + if (!preg_match('/^[a-zA-Z0-9_\-!%#]+$/', $form_values[$element])) { + form_set_error($element, PROJECT_RELEASE_VERSION_FORMAT_VALID_MSG); + } +} + +/** * Returns the formatted version string for a given release node. * @ingroup project_release_api */ @@ -848,6 +866,8 @@ function project_release_alter_project_f ); } + $form['project']['uri']['#description'] .= ' '. t("This string is also used to generate the name of releases associated with this project."); + // TODO: disable this form element if the "Enable releases" checkbox // is not checked? if (user_access('administer projects')) { 
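Review bot: The character class in _project_release_validate_format_string() omits the period, yet its docblock says "[-_.] are allowed" and PROJECT_RELEASE_VERSION_FORMAT_VALID_MSG tells the user that '.' is accepted, so a format string containing a literal dot is rejected with a message that claims it is fine. Either drop the dot from the docblock and message or accept it: `if (!preg_match('/^[a-zA-Z0-9_.\-!%#]+$/', $form_values[$element])) {`. Since the resulting version strings end up in release names that package-release-nodes.php hands to a shell, keeping the whitelist this tight is the right call; the three artefacts just need to agree. The function also reads `$form_values[$element]` without isset(), which is fine for the two callers in this patch but worth a one-line docblock note that the element must be present.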
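Review bot: In the -848 hunk, `$form['project']['uri']['#description'] .= ...` assumes project.module always sets a #description on the uri element; if it ever does not, the `.=` on an unset index emits a notice and the sentence becomes the whole description. If that guarantee is not documented on the project side, `$form['project']['uri']['#description'] = (isset($form['project']['uri']['#description']) ? $form['project']['uri']['#description'] .' ' : '') . t("This string is also used to generate the name of releases associated with this project.");` avoids the notice. project_release_alter_project_form() starts and ends outside this hunk.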
@@ -857,8 +877,21 @@ function project_release_alter_project_f '#default_value' => $node->version_format, '#size' => 50, '#maxlength' => 255, - '#description' => t('Customize the format of the version strings for releases of this project.') .' '. t('Available variables are:') .' %api, %major, %minor, %patch, %extra. '. t("The percent sign ('%') at the front of the variable name indicates that a period ('.') should be inserted as a delimiter before the value of the variable. The '%' can be replaced with a hash mark ('#') to use a hyphen ('-') delimiter, or with an exclaimation point ('!') to have the value printed without a delimiter. Any variable in the format string that has no value will be removed entirely from the final string.") .' '. t('If blank, this project will use the site-wide default (currently set to: %default)', array('%default' => theme('placeholder', variable_get('project_release_default_version_format', PROJECT_RELEASE_DEFAULT_VERSION_FORMAT)))), + '#description' => t('Customize the format of the version strings for releases of this project.') .' '. PROJECT_RELEASE_VERSION_FORMAT_HELP .' '. t('If blank, this project will use the site-wide default (currently set to: %default)', array('%default' => theme('placeholder', variable_get('project_release_default_version_format', PROJECT_RELEASE_DEFAULT_VERSION_FORMAT)))), ); + $form['#validate'] = array_merge($form['#validate'], array('project_release_project_form_validate' => array())); + } +} + +/** + * Validates the project form regarding release-specific fields. + * Ensures that the version format string doesn't contain bad characters. 
+ * @ingroup project_release_fapi + * @see project_release_alter_project_form + */ +function project_release_project_form_validate($form_id, $form_values, $form) { + if (!empty($form_values['version_format'])) { + _project_release_validate_format_string($form_values, 'version_format'); } } Index: modules/cvslog/cvs.module =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/cvslog/cvs.module,v retrieving revision 1.106.2.19.2.19 diff -u -p -r1.106.2.19.2.19 cvs.module --- modules/cvslog/cvs.module 7 Nov 2006 19:47:24 -0000 1.106.2.19.2.19 +++ modules/cvslog/cvs.module 8 Nov 2006 21:26:11 -0000 @@ -356,6 +356,13 @@ function cvs_nodeapi(&$node, $op, $arg = if (!$node->cvs_directory) { form_set_error('cvs_directory', t('You have to specify a valid CVS directory.')); } + else if (!preg_match('/^[a-zA-Z0-9\/_-]+$/', $node->cvs_directory)) { + form_set_error('cvs_directory', t("The path of the CVS directory can only contain letters, numbers, slashes ('/'), hyphens ('-') and underscores ('_').")); + } + else if (preg_match('/\/\//', $node->cvs_directory)) { + form_set_error('cvs_directory', t("The path of the CVS directory cannot contain two slashes next to each other '//'.")); + } + else if (substr($node->cvs_directory, 0, 1) != '/') { form_set_error('cvs_directory', t('The path of the CVS directory should start with a slash.')); }
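Review bot: In the -857 hunk, `array_merge($form['#validate'], array('project_release_project_form_validate' => array()))` assumes $form['#validate'] is already an array; if project.module leaves it unset, array_merge() raises a warning and returns NULL, which silently discards the new handler (and PHP 5 behaves this way for any non-array argument). Assigning the key directly is safe in both cases and preserves existing handlers: `$form['#validate']['project_release_project_form_validate'] = array();`. I cannot see from this diff whether project.module guarantees the key, so treat this as a hardening suggestion; project_release_alter_project_form() begins outside the hunk.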
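Review bot: The new cvs_directory whitelist in cvs_nodeapi() only runs in the form-validation branch, so values saved before this revision or written by any path that bypasses nodeapi validate are not covered, while package-release-nodes.php in this same patch now passes the stored directory to escapeshellcmd() alone and depends on it being well-formed. A comment above the first preg_match(), e.g. `// This whitelist is the only thing keeping cvs_directory safe as a shell argument in package-release-nodes.php; keep the two in sync.`, would make that contract explicit, and exposing the pattern as one shared constant would stop the two sides drifting. The checks themselves read correctly: the leading-slash and '//' tests together with the absence of '.' from the class rule out '..' segments. cvs_nodeapi() starts and continues outside this hunk.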