Seven's template.php override of theme_admin_block_content() outputs a menu item's description without sanitizing it. Core's theme_admin_block_content() runs it through filter_xss_admin(), so the attached patch complies.
| Comment | File | Size | Author |
|---|---|---|---|
| | seven-filter-menu-description.patch | 780 bytes | coltrane |
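As an added illustration of the defect and the fix (this is not Seven's template.php and not the attached patch), the two variants below render an admin menu item the way a Seven-style override of theme_admin_block_content() would, differing only in how the description is treated. The item keys (`title`, `href`, `localized_options`, `description`) and the helpers `l()`, `filter_xss_admin()` and `system_admin_compact_mode()` are Drupal 7 core API, so the script needs a bootstrapped Drupal 7 site; the function names prefixed `example_` and the sample item are constructed for this illustration.

```php
<?php
// Added illustration (not Seven's template.php and not the attached patch).
// Assumes a bootstrapped Drupal 7 site: l(), filter_xss_admin() and
// system_admin_compact_mode() are Drupal 7 core functions.

/**
 * Shared rendering for both variants so the only difference is how the
 * description is treated. $sanitize is the illustrative switch.
 */
function example_admin_block_content($variables, $sanitize) {
  $content = $variables['content'];
  $output = '';
  if (!empty($content)) {
    $compact = system_admin_compact_mode();
    $output .= $compact ? '<ul class="admin-list compact">' : '<ul class="admin-list">';
    foreach ($content as $item) {
      $output .= '<li class="leaf">';
      // l() runs the link text through check_plain() unless the 'html'
      // option is set, so the title is already covered; the description
      // is the value that has to be handled here.
      $output .= l($item['title'], $item['href'], $item['localized_options']);
      if (!$compact && isset($item['description'])) {
        $description = $sanitize
          // Fix: same treatment as core's theme_admin_block_content().
          // filter_xss_admin() keeps an admin-level tag whitelist and
          // removes other tags, event-handler attributes and unsafe URLs.
          ? filter_xss_admin($item['description'])
          // Defect: raw description concatenated straight into markup.
          : $item['description'];
        $output .= '<div class="description">' . $description . '</div>';
      }
      $output .= '</li>';
    }
    $output .= '</ul>';
  }
  return $output;
}

/**
 * Vulnerable form, as the issue describes Seven's override.
 */
function example_admin_block_content_unfiltered($variables) {
  return example_admin_block_content($variables, FALSE);
}

/**
 * Fixed form, in line with core's theme_admin_block_content().
 */
function example_admin_block_content_filtered($variables) {
  return example_admin_block_content($variables, TRUE);
}

// Constructed sample input: one admin menu item whose description carries
// markup that filter_xss_admin() should not pass through untouched.
$sample = array(
  'content' => array(
    array(
      'title' => 'Account settings',
      'href' => 'admin/config/people/accounts',
      'localized_options' => array(),
      'description' => 'Configure accounts. <script>console.log("x")</script><b>bold stays</b>',
    ),
  ),
);

// Compare the two renderings: the filtered one strips the <script> tags
// (their now-inert text content remains) and keeps <b>, which is on
// filter_xss_admin()'s allowed list.
print example_admin_block_content_unfiltered($sample) . "\n";
print example_admin_block_content_filtered($sample) . "\n";
```

The point worth checking in any theme override is that it filters at least as strictly as the core theme function it replaces; here the description is the only value that reaches the page without going through a core helper, which is why it is the one that needs filter_xss_admin().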
Comments
Comment #1
coltrane: We should be filtering and escaping before the theme system ...
Comment #2
coltrane: Missed setting status.
Comment #3
cosmicdreams: seven-filter-menu-description.patch queued for re-testing.
Comment #5
aspilicious: seven-filter-menu-description.patch queued for re-testing.
Comment #6
coltrane: Marking critical since this has to be fixed before a 1.0 release.
Comment #7
seutje: Makes sense to me, handing it to the security folks.
Comment #8
catch: filter_xss_admin() is what we use in the theme_*() function, so this just brings it into line.
Comment #9
Dries: Committed to CVS HEAD.