Was applied to 6.x for http://drupal.org/node/280571

patch by pwolanin, not me.

CommentFileSizeAuthor
#15 param-6.x.patch1.3 KBlilou
#8 remove-param-d7.patch1.29 KBlilou
remove-object-d7.patch1.32 KBcatch
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

this was part of SA-2008-044 for D6

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

BioALIEN’s picture

BioALIEN CreditAttribution: BioALIEN commented

If we are NOT allowing <object> tags, shouldn't we also disallow <param> tags?

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Status: Closed (fixed) » Active

@BioALIEN - see patch: we are NOT allowing object tags any longer

BioALIEN’s picture

BioALIEN CreditAttribution: BioALIEN commented

Thanks pwolanin, post corrected. Issue still valid.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

oh, sorry - I mis-read your commend. If param tags only are useful with object tags, then yes, I think you have a good point.

lilou’s picture

lilou CreditAttribution: lilou commented
Title: Remove <object> from allowed tags in filter_xss_admin() » Remove <param> from allowed tags in filter_xss_admin()
Status: Active » Needs review
FileSize
remove-param-d7.patch1.29 KB
lilou’s picture

lilou CreditAttribution: lilou commented
Title: Remove <param> from allowed tags in filter_xss_admin() » Remove "param" from allowed tags in filter_xss_admin()
pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

since the param tag is only used int he context of an object tag, this makes sense to me. Patch applies cleanly (Stripping trailing CRs from patch.)

BioALIEN’s picture

BioALIEN CreditAttribution: BioALIEN commented
Priority: Critical » Normal
Status: Needs review » Reviewed & tested by the community

Lowering the priority, but lets get this in.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Version: 7.x-dev » 6.x-dev
Status: Fixed » Patch (to be ported)

should also go into 6.x and 5.x

BioALIEN’s picture

BioALIEN CreditAttribution: BioALIEN commented

Wrong person was credited in CVS commit :/

Yes, lets get this ported. Patch still applies.

lilou’s picture

lilou CreditAttribution: lilou commented
Status: Patch (to be ported) » Postponed
FileSize
param-6.x.patch1.3 KB
lilou’s picture

lilou CreditAttribution: lilou commented
Status: Postponed » Patch (to be ported)

oups

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Status: Patch (to be ported) » Needs review

I think you wanted this ;)

Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented
Status: Needs review » Fixed

Straightforward. Committed to 6.x. Thanks!

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Version: 6.x-dev » 5.x-dev
Status: Fixed » Patch (to be ported)

probably Drupal 5 too

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm commented
Status: Patch (to be ported) » Fixed

Committed to 5.x.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.