If you put something like
<script>alert('test')</script>
in the comment field (other -> comment), the whole Views UI blows up and becomes unusable beyond repair. You cannot save, cancel or configure anything in that view.

Patch will follow in a minute.

CommentFileSizeAuthor
#2 script-tag-in-comment-field-blows-ui-1397944-2.patch912 bytesbfr
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

bfr’s picture

bfr CreditAttribution: bfr commented

Here's a patch.

bfr’s picture

bfr CreditAttribution: bfr commented
FileSize
script-tag-in-comment-field-blows-ui-1397944-2.patch912 bytes

And the patch ;)

bfr’s picture

bfr CreditAttribution: bfr commented
Status: Active » Needs review
dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented
Status: Needs review » Fixed

Thanks! Committed to both 6x-3.x and 7.x-3.x

bfr’s picture

bfr CreditAttribution: bfr commented

Ok, great.
By the way, it would be nice if you commited with
git am < filename.patch
so the author would actually get the credit, as described here.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

OH i never did because most patches don't have that.

bfr’s picture

bfr CreditAttribution: bfr commented

Well, maybe you could start from this patch? :)

Note, that there is an alternative method:
git commit --author="username <[username]@[uid].no-reply.drupal.org>", so for example your patch would be commited like this:
git commit --author="dereine <dereine@99340.no-reply.drupal.org>".

You can use that if the patch is not "git aware". You can tell the difference by looking at the patch:
If it has "email-like header"(like my patch above), then it's formatted correctly and you can use git am. Otherwise
you need to use the --author(or, better, teach the patcher to properly format his/her patches).

Proper authoring is very nice way of saying "thanks", since it makes the project show on authors profile(and, of course, is the proper "git" way of doing things).

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

Well the patch is already committed.

Sadly this adds an additional "overhead" to all patches, but yeah it's worth to do that.

bfr’s picture

bfr CreditAttribution: bfr commented

Easily fixable:

git revert HEAD
git am <Script-tag-in-comment-field-blows-ui-1397944-2.patch

Yes, proper authoring introduces some overhead but it's the right thing to do to encourage contribution.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

(not verified) CreditAttribution: commented
Issue summary: View changes

Typo