In the sample batch operation, strings stored in $context['results'] and $context['message'] should be check_plain()'ed.
Comment | File | Size | Author |
---|---|---|---|
#5 | 852120-5-batch-example-sanitize.patch | 1.91 KB | cygri |
Comments
Comment #1
jhodgdon
Good catch!
This issue relates to http://api.drupal.org/api/group/batch/6
That page already has a note:
But then the example code doesn't actually do that.
I'm not sure whether the 'results' have to be check_plain()'ed though... Someone should verify that.
The D7 version of this documentation is nearly (or completely?) identical, and suffers from the same problem. So it should be fixed there first and then ported back to D6.
Comment #2
pfournier
I can confirm that the results have to be check_plain()'ed in D6.
Comment #3
jhodgdon
If that's the case, then that should be added to the note about sanitizing the other stuff.
Comment #4
Anonymous (not verified)
Tagging as mine for now; I'm going to be showing 3 people how to roll patches tomorrow and will use this as an example.
Comment #5
cygri
This patch adds check_plain() around user input in both examples. Also extended the note that lists the fields that require sanitizing.
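As an added illustration of the sanitizing that the patch in #5 describes (example code written for this page, not the patch itself or the api.drupal.org sample; the module name example_batch and the node ids are assumed):

```php
<?php
// Added example: a Drupal 7 batch whose operation stores user-supplied node
// titles in $context['results'] and $context['message']. The module name
// example_batch and the node ids 1, 2, 3 are assumptions for the example.

function example_batch_start() {
  $batch = array(
    'title' => t('Processing nodes'),
    'operations' => array(
      array('example_batch_process_nodes', array(array(1, 2, 3))),
    ),
    'finished' => 'example_batch_finished',
  );
  batch_set($batch);
  batch_process('admin/content');
}

function example_batch_process_nodes($nids, &$context) {
  // Process one node per pass; 'sandbox' persists between passes.
  if (!isset($context['sandbox']['progress'])) {
    $context['sandbox']['progress'] = 0;
  }
  $nid = $nids[$context['sandbox']['progress']];
  $node = node_load($nid);

  // A node title is user input that is rendered as HTML later: in the
  // progress bar ('message') and in the finished callback ('results').
  // Escape it once, when storing it. t() with @ or % placeholders already
  // escapes its arguments, so do not check_plain() those a second time.
  $title = $node ? check_plain($node->title) : t('(missing node)');
  $context['results'][] = $nid . ' : ' . $title;
  $context['message'] = $title;

  $context['sandbox']['progress']++;
  // A value below 1 tells the batch engine to call this operation again.
  $context['finished'] = $context['sandbox']['progress'] / count($nids);
}

function example_batch_finished($success, $results, $operations) {
  if ($success) {
    // Safe to emit as HTML: every entry was check_plain()'ed when stored.
    drupal_set_message(theme('item_list', array('items' => $results)));
  }
  else {
    $error_operation = reset($operations);
    drupal_set_message(t('An error occurred while processing @operation.',
      array('@operation' => $error_operation[0])), 'error');
  }
}
```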
Comment #6
jhodgdon
Looks good -- thanks for the patch!
One thing: we need to leave the version at 8.x, commit to 8.x first, and then to 7.x. The reason being that we don't want older versions of Drupal to have fixes that the newer versions don't already have. So I am setting the version to 8.x and clicking "re-test" so that the test bot can verify that the patch applies and doesn't break anything in the 8.x code base.
Comment #7
jhodgdon
#5: 852120-5-batch-example-sanitize.patch queued for re-testing.
Comment #8
Dries
Committed to 7.x and 8.x. Thanks!