Fixed XSS and CSRF vulnerabilities

If you're able to, it might help to write some tests that confirm the XSS and CSRF vulnerabilities are fixed by the patch.

FYI, when I reported this module's vulnerabilities, I created a patch for them too.
I'ts mostly similar, but fixes the tests too.

1. +++ b/node_notify.module
   @@ -831,9 +845,9 @@ function node_notify_log($subscription, $notification, $comment, $message = NULL
   +    '!comment' => l(check_plain($comment->subject), 'comment/' . $comment->cid, array('fragment' => 'comment-' . $comment->cid)),
   

   double escaping, l() will already run check_plain().

2. +++ b/node_notify.module
   @@ -866,7 +880,21 @@ function node_notify_log($subscription, $notification, $comment, $message = NULL
   +      '!comment' => l(check_plain($comment->subject), comment_uri($comment)),
   

   double escaping, l() will already run check_plain().

3. +++ b/node_notify.pages.inc
   @@ -31,14 +31,17 @@ function node_notify_disable_page($token) {
   +    drupal_access_denied();
   

   return MENU_ACCESS_DENIED here instead of calling drupal_access_denied().

Is there any chance that someone with the proper privileges could take a look at this patch and make @Alex Bukach co-maintainer, so we can get the module out of "red-box" state? @DamienMcKenna maybe?

@benjamin_dk, I have added @Alex Bukach to co-maintainers , so now he can submit new release

@prat thanks!

Please create a new release and mark it as security update, the Drupal Security Team will then publish that.

Hi Alex, 7.x-1.0-alpha1 is the wrong version number. The last release was 7.x-1.1, so the next release must be 7.x-1.2.

Is there any progress? I would like to use this module in a project I'm working on, and there is no release available.

Alex Bukach has not made a 7.x-1.2 release yet, so we are waiting on that.

Continuing in #2848833: Create 7.x-1.2 release.