The content of the admin field "Message to display in the logout dialog" is passed to check_plain() before being saved to the database.
In Drupal, user-input sanitization must be done at display time only, so that other code can still operate on the raw value. User input must be stored as-is in the database.
The module's current validation code saves an already processed string in the database, and so makes it impossible for the user to put special characters such as a quote in his message.
To reproduce:
- go to the admin page
- put a quote or something else in the "Message to display in the logout dialog" field
- save
=> the field content is not what you entered, and neither is the front-end message.
Comment | File | Size | Author |
---|---|---|---|
#1 | autologout-remove-check-plain-admin-1482158-1.patch | 512 bytes | jgalletta |
Comments
Comment #1
jgalletta CreditAttribution: jgalletta commented
Here's a patch that removes the check_plain() call.
Note that this is completely safe, as the string is given to t() with a @ placeholder, which runs check_plain() on the user string (see autologout_init() in autologout.module).
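To make the double-escaping described in the issue summary and in comment #1 concrete, here is an added stand-alone PHP example; it is not the module's code and not part of the original issue. It uses simplified stand-ins for Drupal 7's check_plain() and the placeholder handling of t() so that it runs without a Drupal bootstrap, and a plain array as a hypothetical stand-in for variable_set()/variable_get(). It walks a constructed admin message through the pre-patch path (escaped on save, escaped again by the @ placeholder on display) and the post-patch path (stored raw, escaped exactly once at output), and also shows the one way the post-patch path would become unsafe: a ! placeholder, which inserts the value verbatim.

```php
<?php
// Added example, not the autologout module's code. Drupal is not bootstrapped;
// the two helpers below are simplified stand-ins (assumption: they mirror the
// relevant behaviour of Drupal 7): check_plain() is htmlspecialchars() with
// ENT_QUOTES, and t() runs '@var' placeholder values through check_plain()
// while '!var' placeholder values are inserted as-is.

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Escaped at output: safe for raw user input.
        $args[$key] = check_plain($value);
        break;
      case '!':
        // Inserted verbatim: only safe for text that is already sanitized.
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed admin input: a message with quotes, and a markup payload.
$inputs = array(
  'Bye "friend", see you soon',
  '<script>alert(1)</script>',
);

// Hypothetical stand-in for the variable store (variable_set()/variable_get()).
$store = array();

foreach ($inputs as $input) {
  // Before the patch: the value is sanitized on save ...
  $store['before'] = check_plain($input);
  // ... and sanitized again on display by the '@' placeholder: double escaping.
  // The visitor sees a literal &quot; instead of a quote character.
  $double = t('@msg', array('@msg' => $store['before']));

  // After the patch: the raw string is stored and escaped once, at output.
  // Quotes render as quotes, and the markup payload renders as inert text.
  $store['after'] = $input;
  $once = t('@msg', array('@msg' => $store['after']));

  // What not to do with the raw value: a '!' placeholder skips escaping,
  // so the stored <script> would reach the page as live markup.
  $unsafe = t('!msg', array('!msg' => $store['after']));

  printf("input : %s\nbefore: %s\nafter : %s\nunsafe: %s\n\n",
         $input, $double, $once, $unsafe);
}
```

Run it with `php example.php`. For the first input the pre-patch line comes out as `Bye &amp;quot;friend&amp;quot;, see you soon`, which the browser shows with a literal `&quot;`, while the post-patch line is `Bye &quot;friend&quot;, see you soon` and renders with real quotes. The point of the check is that removing check_plain() from the save path is only safe because every output path uses an escaping placeholder; a later change that switched the dialog message to a `!` placeholder, or passed the raw variable straight into markup or JavaScript, would turn the stored string into an XSS vector.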
Comment #2
jgalletta CreditAttribution: jgalletta commented
Comment #3
johnennew CreditAttribution: johnennew commented
Hi @jgalletta,
You are right - patch committed to 6.x-4.x and 7.x-4.x
Thanks!