The current state displays as <strong>State</strong> rather than State. This is because check_plain() (and also t()) is being called twice on the state name, once in theme_workflow_current_state() and again in theme_workflow_history_table_row().
Patch attached that removes the calls in theme_workflow_history_table_row() but adds check_plain() and t() calls to ensure $state_name and $old_state_name don't enter theme_workflow_history_table_row() without being checked.
Comment | File | Size | Author |
---|---|---|---|
 | workflow-state-double-check-plain.patch | 1.38 KB | serenecloud |
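The double-escaping described above, as an added example that is not part of the original post and not the Workflow module's code. All `example_*` functions are hypothetical stand-ins: `example_check_plain()` assumes check_plain() behaves like `htmlspecialchars()` with `ENT_QUOTES`, and t() is left out.

```php
<?php
// Added illustration; none of these functions are the Workflow module's own code.

// Stand-in for Drupal's check_plain(): HTML-escape a plain-text string.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for a theme function that escapes the name and adds markup.
function example_current_state($state_name) {
  return '<strong>' . example_check_plain($state_name) . '</strong>';
}

// Before: the row function escapes its input again, so the markup and the
// entities produced upstream are escaped a second time and shown literally.
function example_history_row_before($state_html) {
  return '<td>' . example_check_plain($state_html) . '</td>';
}

// After: the row function treats its input as already-escaped HTML; the
// caller is responsible for escaping exactly once before passing it in.
function example_history_row_after($state_html) {
  return '<td>' . $state_html . '</td>';
}

// Heuristic check for output that was escaped twice. It also matches plain
// text that legitimately contained an entity such as "&lt;", so treat a hit
// as a prompt to inspect the render path, not as proof.
function example_looks_double_escaped($html) {
  return preg_match('/&amp;(?:lt|gt|amp|quot|#0?39);/', $html) === 1;
}

// Constructed sample state name containing characters that must be escaped.
$state_name = 'Draft & <b>review</b>';
$state_html = example_current_state($state_name);

$before = example_history_row_before($state_html);
$after  = example_history_row_after($state_html);

foreach (array('before' => $before, 'after' => $after) as $label => $html) {
  echo $label, ': ', $html, "\n";
  echo '  double-escaped: ', example_looks_double_escaped($html) ? 'yes' : 'no', "\n";
  // The raw tag from the state name must never reach the output unescaped.
  echo '  raw <b> present: ', strpos($html, '<b>') !== false ? 'yes' : 'no', "\n";
}
```

Removing the second escape is only safe when every caller of the row function escapes first, which is the condition the patch description sets for $state_name and $old_state_name.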
Comments
Comment #1
serenecloud commented: Upping priority as this is likely to affect a lot of users over the next few days if not patched.
Comment #2
bengtan commented: +1
I agree.
Having a security advisory out and no fix available (I can't find 6.x-1.2) is sort of ... not the ideal situation.
Comment #3
serenecloud commented: I got the 6.x-1.2 by guessing the URL based on the 1.1 tarball download. I did a diff with what's in CVS and it's just the auto-generated info details that are added.
Comment #4
bengtan commented: +1
I've tried the patch in the original post and it works.
Also bumping version to 6.x-1.2 in the hope it gets more attention that way.
Comment #5
jvandyk commented: 6.x-1.3 released with this fix.
Comment #6
serenecloud commented: Confirmed the fix is in 6.x-13.
Thanks :)