The content of the admin field "Message to display in the logout dialog" is passed to check_plain() before being saved to the database.
In Drupal, user-input sanitization must be done at display time only, so that other code can still do something with the raw value. The user input must be stored as-is in the database.

The module's current validation code saves an already processed string in the database, which makes it impossible for the user to put special characters such as quotes in his message.

To reproduce:
- go to the admin page
- put a quote or something else in the "Message to display in the logout dialog" field
- save
=> the field content is not what you entered, nor is the front-end message.


Comments

jgalletta:

Here's a patch that removes the check_plain() call.
Note that this is completely safe, as the string is given to t() with a @ placeholder, which runs check_plain() on the user string (see autologout_init() in autologout.module).
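The double-escaping described in the issue summary, and the reason the @ placeholder makes the fix safe, as an added example (not code from the Autologout module or the patch). It runs outside Drupal, so check_plain() and t() are minimal stand-ins here: check_plain() mirrors Drupal 7's htmlspecialchars() call, and t() only does the placeholder handling of format_string() (@ escaped via check_plain(), ! inserted verbatim), with no translation. The admin input is constructed for the demonstration.

```php
<?php
// Added example: contrasts sanitising on save (the reported bug) with storing
// the raw value and sanitising once at display time (the committed fix).

// Stand-in for Drupal 7 check_plain(): htmlspecialchars() with ENT_QUOTES/UTF-8.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal 7 t()/format_string(): '@name' placeholders are passed
// through check_plain(), '!name' placeholders are inserted unescaped.
// Real t() also handles '%name' and translation; both are omitted here.
function t($string, array $args = array()) {
  $replace = array();
  foreach ($args as $key => $value) {
    $replace[$key] = ($key[0] === '@') ? check_plain($value) : $value;
  }
  return strtr($string, $replace);
}

// What the module's front end does with the stored setting: the value is
// handed to t() through a '@' placeholder, so it is escaped exactly once here.
function render_logout_message($stored) {
  return t('@msg', array('@msg' => $stored));
}

// Constructed admin input containing a quote, an apostrophe and a tag.
$input = 'You\'ve been "logged out" <b>automatically</b>';

// Before the fix: the admin form escapes the value and stores the result.
// The stored value no longer matches what the admin typed, and the front end
// escapes it a second time, so '&quot;' becomes '&amp;quot;' in the page.
$stored_before = check_plain($input);
$shown_before  = render_logout_message($stored_before);

// After the fix: the raw value is stored and escaped only at display time.
// The admin sees what was entered, and the browser shows quotes and a literal
// '<b>' rather than bold text, because check_plain() ran on the way out.
$stored_after = $input;
$shown_after  = render_logout_message($stored_after);

// For contrast, the unsafe variant the patch does NOT introduce: storing the
// raw value and emitting it through a '!' placeholder would leave the tag
// live in the page (stored XSS). This is why the '@' placeholder matters.
$unsafe = t('!msg', array('!msg' => $stored_after));

printf("Stored before fix: %s\n", $stored_before);
printf("Shown  before fix: %s\n", $shown_before);
printf("Stored after fix:  %s\n", $stored_after);
printf("Shown  after fix:  %s\n", $shown_after);
printf("Unsafe '!' output: %s\n", $unsafe);
```

Running the script side by side shows the two consequences the issue describes: the "before" path stores a value that differs from the input and renders it double-encoded, while the "after" path stores the input verbatim and still emits only entity-encoded output because escaping happens at the single display site. Reviewing a change like this, the check is that every output path for the stored string goes through check_plain() or a '@'/'%' placeholder; any '!' placeholder or direct echo of the raw value would reopen an injection.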

jgalletta:

Status: Active » Needs review
johnennew:

Version: 6.x-4.0 » 6.x-4.x-dev
Status: Needs review » Fixed

Hi @jgalletta,

You are right. Patch committed to 6.x-4.x and 7.x-4.x.

Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 204b9bc on 7.x-4.x, 8.x-1.x authored by jgalletta, committed by ceng:
    Issue #1482158 by jgalletta: Remove check plain from the admin screen