Title says it all
Comment | File | Size | Author |
---|---|---|---|
#14 | devel.switch-roles.14.patch | 571 bytes | sun |
#8 | 992938-devel-switch-user-format-username.patch | 4.02 KB | Dave Reid |
#7 | 992938-devel-switch-user-format-username.patch | 3.98 KB | Dave Reid |
#6 | 992938-devel-switch-user-format-username.patch | 3.61 KB | Dave Reid |
#1 | 992938-devel-switch-user-format-username.patch | 3.21 KB | Dave Reid |
Comments
Comment #1
Dave Reid
Comment #2
moshe weitzman
'title' => check_plain(format_username($account)),
Won't that give you an entity-coded A tag with brackets and such? I can't think of an alternative, though.
Comment #3
Dave Reid
Yep I think you're right. I'll re-roll.
Comment #4
salvis
Maybe something like
check_plain(decode_entities(strip_tags(format_username($account))))
?
Comment #5
Dave Reid
The format username *should* be HTML free. All we need is just format_username($account)
Comment #6
Dave Reid
So the only link that needed a check_plain() is the one that uses drupal_placeholder() because that calls check_plain() itself and uses 'html' => TRUE. All the other links do not have 'html' option defined, so in l() they will automatically have check_plain() applied. I tested with malicious HTML and it was all stripped out.
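The escaping behaviour described in comment #6, as an added example that is not part of the original thread or of the Devel patch. The `*_demo` functions are hypothetical, simplified stand-ins for Drupal 7's check_plain(), drupal_placeholder() and l(), and the display name and path are constructed sample values.

```php
<?php
// Simplified stand-ins for Drupal 7's check_plain(), drupal_placeholder() and
// l(). They model only the escaping behaviour discussed in comment #6.
function check_plain_demo($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function drupal_placeholder_demo($text) {
  // The placeholder escapes its argument itself and returns markup.
  return '<em class="placeholder">' . check_plain_demo($text) . '</em>';
}

function l_demo($text, $path, array $options = array()) {
  $options += array('html' => FALSE);
  // Without 'html' => TRUE the link text is escaped here, exactly once.
  $label = $options['html'] ? $text : check_plain_demo($text);
  return '<a href="/' . check_plain_demo($path) . '">' . $label . '</a>';
}

// Constructed hostile display name and placeholder path (assumptions).
$name = '<script>alert(1)</script>';
$path = 'example/path';

$links = array(
  // Raw name, no 'html' option: the link function escapes it.
  'plain link, raw name' => l_demo($name, $path),
  // Escaping before a plain link escapes twice.
  'plain link, pre-escaped name' => l_demo(check_plain_demo($name), $path),
  // 'html' => TRUE is safe only because the placeholder already escaped.
  'html link, placeholder' => l_demo(drupal_placeholder_demo($name), $path, array('html' => TRUE)),
  // 'html' => TRUE with a raw name: nothing escapes it.
  'html link, raw name' => l_demo($name, $path, array('html' => TRUE)),
);

foreach ($links as $case => $markup) {
  if (strpos($markup, '<script') !== FALSE) {
    $verdict = 'UNESCAPED markup reaches the page';
  }
  elseif (strpos($markup, '&amp;lt;') !== FALSE) {
    $verdict = 'double-escaped, user sees literal entities';
  }
  else {
    $verdict = 'escaped once';
  }
  printf("%-30s %s\n    %s\n", $case, $verdict, $markup);
}
```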
Comment #7
Dave Reid
Revised patch that also fixes the query builder for the switch user block.
Comment #8
Dave Reid
Forgot the u.status condition
Comment #9
salvis
Isn't what we see above between "Posted by" and "on December 12" the result of format_username()?
Comment #10
Dave Reid
No. format_username is just the username in D7.
Comment #11
salvis
Tested and committed, thanks!
Comment #12
sun
Upon initial installation, $roles is empty
=> Fatal error and nice WSOD. :(
Comment #13
sun
More specifically:
note the empty
Comment #14
sun
This should do the trick.
Comment #15
sun
Tested, works.
Comment #16
Dave Reid
Thanks, committed #14 to CVS.
http://drupal.org/cvs?commit=467946