I noticed that the latest update added check_plain to the Bean subject titles.

The Bean subject is the default implementation of a block title, and some people may want there to be some HTML in this title (such as a link).
Having the check_plain on the subject limits what a Drupal admin/developer can do with it.

Because the subject is hard-coded, there isn't any reason to check_plain it. Even if it weren't hard-coded, there's no way a non-privileged user can edit the title, so it's still secure to allow HTML.

Here's an example of why one might want HTML in the subject:
Our company has a couple custom Beans that provide default implementations of the block title (which is the Bean subject). We chose to make the Bean subject dynamically link to a taxonomy term associated with a given page that a user is on.

Members fund testing for the Drupal project. Drupal Association Learn more


stevenlafl’s picture

Here's the patch that removes check_plain.

Edit: can't set status after posting comment, meant to select 'needs review'

indytechcook’s picture

Status: Active » Closed (works as designed)

Thanks for your patch.

This was added as part of #1885238: xss bean type label not escaped sufficiently. The label is entered by users via the UI and therefor needs to be escaped. A better workaround would to use a field with a formatter and render the title as part of the bean content. Also Related to #1858416: Rendered bean does not display the title when display settings indicate it should.

davidwbarratt’s picture

Version: 7.x-1.0-rc8 » 7.x-1.x-dev


two things..
1) All bugs reported need to be on the lasted dev release. (include the patch being created).
2) If you need to change the status (or do something you can't do by editing the comment), it's acceptible to just create a new (empty) comment with that change.



davidwbarratt’s picture

Status: Closed (works as designed) » Active


What if you want to alter the title in a bean plugin?

Can the check_plain() be called before it's handed off to the plugin?

It seems like adding a field is a poor work around for plugin makers who just want to alter the title before display (on the plugin level).


indytechcook’s picture

Status: Active » Closed (works as designed)


I see what you are saying, the problem is that that title of the block/page is not accessible via the plugins. I can see the merit of a feature request allowing bean atributes to be accesible via a plugin but that's not something that really fits in with the current architecture of bean.

I did move the check_plain into the entity class so if you do a hook_entity_alter and change the class used to handle the entity you can override the behavior.


davidwbarratt’s picture

Status: Closed (works as designed) » Active

I see,

well, the title was available to plugins in something like this:

public function view($bean, $content, $view_mode = 'default', $langcode = NULL) {
  foreach ($content['bean'] as $delta => &$build) {
    $build['#entity']->title = t('Trending');

This worked before the update, will this work now with the commit you just pushed?

I'm assuming it will since the check_plain() is happening when the entity is being loaded, rather than on display, but I just want to make sure before breaking anything.

Also, thanks for all of your help and support, it really means a lot to have incredible project maintainers like yourself in the Drupal community.


indytechcook’s picture

Status: Active » Fixed

Yeah, I do agree on this. I removed that code. The original security issue was for the bean_type pages.


Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Removed the part about patch being included, didn't know the issue # so couldn't provide the patch as specified in the 'submitting patches' article for drupal modules.