(line 116):

 $variables['message'] = check_markup(variable_get('site_map_message', ''), variable_get('site_map_message_format', FILTER_FORMAT_DEFAULT));

This code is used when you show content to the user, but let's take a look at the check_markup phpdoc:

 * Run all the enabled filters on a piece of text.
 * @param $text
 *    The text to be filtered.
 * @param $format
 *    The format of the text to be filtered. Specify FILTER_FORMAT_DEFAULT for
 *    the default format.
 * @param $check
 *    Whether to check the $format with filter_access() first. Defaults to TRUE.
 *    Note that this will check the permissions of the current user, so you
 *    should specify $check = FALSE when viewing other people's content. When
 *    showing content that is not (yet) stored in the database (eg. upon preview),
 *    set to TRUE so the user's permissions are checked.
function check_markup($text, $format = FILTER_FORMAT_DEFAULT, $check = TRUE) {

So we should not use $check = TRUE when we show content. This incorrect usage of check_markup makes it impossible to show properly formatted content to users who have no right to use some input filter. It is possible to check this issue on a default Drupal installation:

  1. Write some content into the «Site map message» field.
  2. Choose the «Full HTML» filter below it.
  3. Check that the anonymous user has no right to use the «Full HTML» filter, but the user who published the site map does.
  4. Open the sitemap page as an anonymous user.

Solution: (line 116):

 $variables['message'] = check_markup(variable_get('site_map_message', ''), variable_get('site_map_message_format', FILTER_FORMAT_DEFAULT), FALSE);
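The effect of the third argument, as an added example that is not code from the site_map module or from Drupal core: a small stand-in models the documented behaviour of check_markup($text, $format, $check) so the buggy and fixed calls can be run without a Drupal install. The permission table, the stand-in filters, the 'n/a' placeholder returned when the access check fails and the *_stub names are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the site_map module or Drupal core. It models
// the documented behaviour of check_markup($text, $format, $check) with a
// stand-in so the effect of $check can be exercised without a Drupal install.
// The permission table, the filters and the 'n/a' fallback are assumptions.

define('FILTER_FORMAT_DEFAULT', 0);
define('FORMAT_FILTERED_HTML', 1);
define('FORMAT_FULL_HTML', 2);

// Roles of the user viewing the page; switched by the demo at the bottom.
$current_user_roles = array('anonymous user');

// Assumed permission table: which roles may use which input format.
function filter_access_stub($format) {
  global $current_user_roles;
  $allowed = array(
    FORMAT_FILTERED_HTML => array('anonymous user', 'authenticated user', 'administrator'),
    FORMAT_FULL_HTML     => array('administrator'),
  );
  if ($format == FILTER_FORMAT_DEFAULT) {
    return TRUE;
  }
  foreach ($current_user_roles as $role) {
    if (in_array($role, $allowed[$format], TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Stand-in filters: Filtered HTML keeps only a few inline tags,
// Full HTML passes the text through untouched.
function run_filters_stub($text, $format) {
  if ($format == FORMAT_FULL_HTML) {
    return $text;
  }
  return strip_tags($text, '<a><em><strong>');
}

// Stand-in for check_markup(): with $check = TRUE the *viewer's* right to use
// $format is tested, and text in a format the viewer may not use is not
// rendered at all (modelled here as the placeholder 'n/a').
function check_markup_stub($text, $format = FILTER_FORMAT_DEFAULT, $check = TRUE) {
  if ($check && !filter_access_stub($format)) {
    return 'n/a';
  }
  return run_filters_stub($text, $format);
}

// Buggy call, as in template_preprocess_site_map() before the fix:
// $check defaults to TRUE, so the viewer's permissions decide the output.
function render_message_buggy($text, $format) {
  return check_markup_stub($text, $format);
}

// Fixed call: the message is stored content whose format was chosen by its
// author, so the viewer's permissions must not be consulted.
function render_message_fixed($text, $format) {
  return check_markup_stub($text, $format, FALSE);
}

// Settings as saved by the site administrator, who may use Full HTML.
$site_map_message = '<div class="notice">Welcome to the <strong>site map</strong>.</div>';
$site_map_message_format = FORMAT_FULL_HTML;

foreach (array(array('administrator'), array('anonymous user')) as $roles) {
  $current_user_roles = $roles;
  printf("%-14s buggy: %s\n", $roles[0], render_message_buggy($site_map_message, $site_map_message_format));
  printf("%-14s fixed: %s\n", $roles[0], render_message_fixed($site_map_message, $site_map_message_format));
}
```

Run with `php example.php`: the administrator sees the full message from both calls, while the anonymous viewer gets the placeholder from the buggy call and the full message only from the fixed one. The caveat the phpdoc implies still applies after the fix: passing FALSE skips the permission check entirely, so it is only safe because the format stored in site_map_message_format was selected by the administrator through a form that checked that user's permissions at save time; for text that has not been stored yet (a preview), the check must stay on.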


frjo:

Title: incorrect usage of check_markup in template_preprocess_site_map » Incorrect usage of check_markup in template_preprocess_site_map
Status: Active » Fixed

Committed the fix to 6--2-dev. Thanks for finding this bug and telling me how to fix it at the same time!

Even better than pasting in the code fixes is to submit a patch, see for more info.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

guignonv:

Status: Closed (fixed) » Reviewed & tested by the community

Fix proposed by Q-Zma works on my instance.

Since it's just adding a stupid ", FALSE" to the given line, the patch could be generated by someone who already knows well how to manage that kind of thing. I'm new to git and I had a look at it, but it's quite complicated, so I gave up doing the patch (too time consuming for me at the moment).

colan:

Status: Reviewed & tested by the community » Closed (won't fix)

Not sure why this is RTBC. Setting status back.

colan:

Status: Closed (won't fix) » Closed (fixed)

Sorry, wrong one.