Careless use of decode_entities() can result in security vulnerabilities. Patch to add a warning to the doxygen comments, as well as some doc clean-up.

CommentFileSizeAuthor
#7 decode_entities_d6.patch1.23 KBmr.baileys
#3 decode_entities.patch1.24 KBmr.baileys
decode_entities.patch1.24 KBmr.baileys
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Status: Active » Reviewed & tested by the community

That's a reasonable improvement.

jbrown’s picture

jbrown CreditAttribution: jbrown commented
Status: Reviewed & tested by the community » Needs work

it should be @return , not @returns

mr.baileys’s picture

mr.baileys
Primary language Dutch
Location 🇧🇪 (Ghent)
CreditAttribution: mr.baileys commented
Status: Needs work » Needs review
FileSize
decode_entities.patch1.24 KB

Indeed it should, thanks!

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Status: Needs review » Reviewed & tested by the community

Good catch.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Version: 7.x-dev » 6.x-dev
Status: Fixed » Patch (to be ported)

Let's consider a backport to D6.

mr.baileys’s picture

mr.baileys
Primary language Dutch
Location 🇧🇪 (Ghent)
CreditAttribution: mr.baileys commented
Status: Patch (to be ported) » Needs review
FileSize
decode_entities_d6.patch1.23 KB

Straight backport

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Status: Needs review » Reviewed & tested by the community

Doesn't hurt to get into D6 too, I believe.

Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented
Status: Reviewed & tested by the community » Fixed

Committed thank you!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.