When a comment changes the project of a case, the module generates two links leading to the old and the new project. Later on these HTML links are run through check_plain() via t('...@new...'), so they will not be clickable, since the <a href> will be fed to the browser as &lt;a href&gt; - in other words, check_plain() is called too late in this case.

Comments

Boobaa:

File size: 2.49 KB

And here's a patch that solves it.

Boobaa:

Status: Active » Needs review

Oh, somebody please give it a review.

cYu:

Ran across this problem as well after a recent upgrade to latest Open Atrium code. You can see the issue in action at their site right now too, https://community.openatrium.com/issues/node/70#comment-1284

Applied your patch and everything is working fine. Code appears to still perform all the needed check_plain calls to keep things secure.

Boobaa:

I wouldn't set my own patch to RTBC, but this asks for it.

zserno:

Status: Needs review » Reviewed & tested by the community

Patch from #1 works as expected and is simple enough to give it RTBC. Thanks Boobaa!

jmiccolis:

Status: Reviewed & tested by the community » Fixed

Sorry it took so long to get to this! Committed!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

David Goode:

Status: Closed (fixed) » Reviewed & tested by the community
File size: 1023 bytes

Don't check_plain text to be passed to l() because l() does that itself. Mangles & and " and so forth, which are allowed in project titles. New patch to current head, which includes the old one.
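To make the escaping order concrete for both the original report and this comment, here is an added example (not code from the issue or from the module) that models Drupal 6's check_plain(), l() and t() placeholder rules in Python and renders the three variants: the original @-placeholder code, the inferred shape of patch #1 (check_plain() before l()), and the final fix. The project titles and the "Project changed from ... to ..." string are constructed for the example, and the exact shape of the two patches is inferred from the comments rather than copied from them.

```python
import html
import re

def check_plain(text):
    # Model of Drupal 6 check_plain(): htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
    return (text.replace('&', '&amp;').replace('"', '&quot;')
                .replace("'", '&#039;').replace('<', '&lt;').replace('>', '&gt;'))

def l(text, path, html_text=False):
    # Model of Drupal 6 l(): the link text is check_plain()ed unless $options['html'] is set.
    inner = text if html_text else check_plain(text)
    return '<a href="/%s">%s</a>' % (check_plain(path), inner)

def t(string, args):
    # Model of Drupal 6 t() placeholders: @var is check_plain()ed, !var is inserted verbatim
    # (Drupal uses strtr(); sequential replace is enough for these distinct keys).
    for key, value in args.items():
        if key.startswith('@'):
            value = check_plain(value)
        elif not key.startswith('!'):
            raise ValueError('unsupported placeholder ' + key)
        string = string.replace(key, value)
    return string

OLD, NEW = 'R&D', 'Sales "EMEA"'   # constructed project titles containing & and "

def original_code():
    # The bug in the issue: l() output fed through an @ placeholder, so check_plain()
    # runs over the <a> markup and the browser shows the tags as literal text.
    return t('Project changed from @old to @new',
             {'@old': l(OLD, 'node/1'), '@new': l(NEW, 'node/2')})

def first_patch():
    # Inferred shape of patch #1: raw placeholders, but the title is check_plain()ed
    # before l() check_plain()s it again, so & is displayed as &amp;.
    return t('Project changed from !old to !new',
             {'!old': l(check_plain(OLD), 'node/1'),
              '!new': l(check_plain(NEW), 'node/2')})

def final_patch():
    # Fix from David Goode's patch: hand the raw title to l(), which escapes it exactly
    # once, and keep ! placeholders so t() leaves the finished markup alone.
    return t('Project changed from !old to !new',
             {'!old': l(OLD, 'node/1'), '!new': l(NEW, 'node/2')})

def link_texts_as_displayed(markup):
    # What a browser renders for each surviving link: one HTML decode of the link text.
    # Returns [] when no real <a> tag is left because the markup itself got escaped.
    return [html.unescape(m) for m in re.findall(r'<a href="[^"]*">(.*?)</a>', markup)]
```

Only final_patch() yields clickable links whose displayed text equals the stored titles; the other two variants show escaped tags or doubly escaped titles.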

jmiccolis:

Status: Reviewed & tested by the community » Fixed

Thanks for the fix David, it's been committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.