The current state displays as the literal markup "<strong>State</strong>" rather than as a bold "State". This is because check_plain() (and also t()) is being called twice on the state name, once in theme_workflow_current_state() and again in theme_workflow_history_table_row().

Patch attached that removes the calls in theme_workflow_history_table_row() but adds check_plain() and t() calls to ensure $state_name and $old_state_name don't enter theme_workflow_history_table_row() without being checked.
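The following is an added example, not the Workflow module's own code, that reproduces the double-escaping problem described above and shows the shape of the fix. The function names mirror the ones named in the issue, but their signatures and bodies are simplified assumptions (the real theme functions take different arguments); check_plain() is stubbed with the htmlspecialchars() call that Drupal 6's check_plain() is built on, and t() is left out because it does not affect escaping.

```php
<?php
// Added example (not the Workflow module's code). The three theme functions
// below are simplified stand-ins whose signatures are assumptions for this
// demonstration; only the escaping behaviour is what matters here.

// Minimal stand-in for Drupal 6 check_plain(): HTML-escape a plain-text
// string once (the real function also validates UTF-8 first).
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for theme_workflow_current_state(): takes a raw (untrusted) state
// name, escapes it once, and returns trusted HTML.
function theme_workflow_current_state($state_name) {
    return '<strong>' . check_plain($state_name) . '</strong>';
}

// Buggy row renderer: the current-state cell is already HTML, but it is run
// through check_plain() a second time, so '<strong>' is rendered literally
// as '&lt;strong&gt;' on the page.
function theme_workflow_history_table_row_buggy($old_state_name, $state_name) {
    $current = theme_workflow_current_state($state_name);
    return '<tr><td>' . check_plain($old_state_name) . '</td>'
         . '<td>' . check_plain($current) . '</td></tr>';
}

// Fixed row renderer: each plain-text value is escaped exactly once at the
// point where it becomes HTML, and the output of another theme function is
// treated as HTML and inserted unchanged.
function theme_workflow_history_table_row($old_state_name, $state_name) {
    return '<tr><td>' . check_plain($old_state_name) . '</td>'
         . '<td>' . theme_workflow_current_state($state_name) . '</td></tr>';
}

// Regression check: a double-escaped '<' shows up as '&amp;lt;'. Use this to
// confirm the fix removed the second escape without dropping the first.
function looks_double_escaped($html) {
    return strpos($html, '&amp;lt;') !== false
        || strpos($html, '&amp;gt;') !== false
        || strpos($html, '&amp;amp;') !== false;
}

// Constructed sample inputs: a normal state name and an attacker-controlled
// one, to show the fix keeps the single escape that prevents injection.
$state   = 'Published';
$hostile = '<script>alert(1)</script>';

$buggy = theme_workflow_history_table_row_buggy('Draft', $state);
$fixed = theme_workflow_history_table_row('Draft', $state);
$safe  = theme_workflow_history_table_row('Draft', $hostile);

echo "buggy: $buggy\n";
echo "fixed: $fixed\n";
echo "hostile, fixed: $safe\n";
echo 'buggy double-escaped? ', looks_double_escaped($buggy) ? 'yes' : 'no', "\n";
echo 'fixed double-escaped? ', looks_double_escaped($fixed) ? 'yes' : 'no', "\n";
echo 'hostile input still escaped once? ',
     (strpos($safe, '<script') === false && !looks_double_escaped($safe)) ? 'yes' : 'no', "\n";
```

The rule the fix follows is the usual one for layered theme functions: escape a value exactly once, at the point where plain text is turned into markup, and never pass the return value of one theme function through check_plain() again. Removing the second call is only safe because the first one is still there; the attached patch keeps that guarantee by escaping $state_name and $old_state_name before they reach theme_workflow_history_table_row().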


Comments

Comment by serenecloud

Priority: Normal » Critical
Issue tags: +check_plain

Upping priority as this is likely to affect a lot of users over the next few days if not patched.

Comment by bengtan

+1

I agree.

Having a security advisory out and no fix available (I can't find 6.x-1.2) is sort of ... not the ideal situation.

Comment by serenecloud

I got the 6.x-1.2 by guessing the URL based on the 1.1 tarball download. I did a diff with what's in CVS and it's just the auto-generated info details that are added.

Comment by bengtan

Version: 6.x-1.x-dev » 6.x-1.2

+1

I've tried the patch in the original post and it works.

Also bumping version to 6.x-1.2 in the hope it gets more attention that way.

Comment by jvandyk

Status: Active » Fixed

6.x-1.3 released with this fix.

Comment by serenecloud

Status: Fixed » Closed (fixed)

Confirmed the fix is in 6.x-1.3.

Thanks :)