Was applied to 6.x for http://drupal.org/node/280571

patch by pwolanin, not me.

CommentFileSizeAuthor
#15 param-6.x.patch1.3 KBlilou
#8 remove-param-d7.patch1.29 KBlilou
remove-object-d7.patch1.32 KBcatch

Comments

pwolanin’s picture

pwolanin commented

this was part of SA-2008-044 for D6

dries’s picture

dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

BioALIEN’s picture

BioALIEN commented

If we are NOT allowing <object> tags, shouldn't we also disallow <param> tags?

pwolanin’s picture

pwolanin commented
Status: Closed (fixed) » Active

@BioALIEN - see patch: we are NOT allowing object tags any longer

BioALIEN’s picture

BioALIEN commented

Thanks pwolanin, post corrected. Issue still valid.

pwolanin’s picture

pwolanin commented

oh, sorry - I mis-read your commend. If param tags only are useful with object tags, then yes, I think you have a good point.

lilou’s picture

lilou commented
Title: Remove <object> from allowed tags in filter_xss_admin() » Remove <param> from allowed tags in filter_xss_admin()
Status: Active » Needs review
StatusFileSize
new remove-param-d7.patch1.29 KB
lilou’s picture

lilou commented
Title: Remove <param> from allowed tags in filter_xss_admin() » Remove "param" from allowed tags in filter_xss_admin()
pwolanin’s picture

pwolanin commented

since the param tag is only used int he context of an object tag, this makes sense to me. Patch applies cleanly (Stripping trailing CRs from patch.)

BioALIEN’s picture

BioALIEN commented
Priority: Critical » Normal
Status: Needs review » Reviewed & tested by the community

Lowering the priority, but lets get this in.

dries’s picture

dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

pwolanin’s picture

pwolanin commented
Version: 7.x-dev » 6.x-dev
Status: Fixed » Patch (to be ported)

should also go into 6.x and 5.x

BioALIEN’s picture

BioALIEN commented

Wrong person was credited in CVS commit :/

Yes, lets get this ported. Patch still applies.

lilou’s picture

lilou commented
Status: Patch (to be ported) » Postponed
StatusFileSize
new param-6.x.patch1.3 KB
lilou’s picture

lilou commented
Status: Postponed » Patch (to be ported)

oups

catch’s picture

catch
he/him
Primary language English
commented
Status: Patch (to be ported) » Needs review

I think you wanted this ;)

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Status: Needs review » Fixed

Straightforward. Committed to 6.x. Thanks!

pwolanin’s picture

pwolanin commented
Version: 6.x-dev » 5.x-dev
Status: Fixed » Patch (to be ported)

probably Drupal 5 too

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Patch (to be ported) » Fixed

Committed to 5.x.

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.