Closed (fixed)
Project:
Abuse
Version:
6.x-2.x-dev
Component:
User interface
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
13 Apr 2011 at 08:59 UTC
Updated:
4 Jan 2014 at 00:53 UTC
Comments
Comment #1
MAMONT commented
Small correction.
print l(check_plain($object->title), $object->path['URL'], array('html' => TRUE, 'query' => $object->path['QUERY'], 'fragment' => $object->path['BREADCRUMB']));
In H2, don't use filter_xss_admin; please use check_plain.
Comment #2
MAMONT commented
Steps to reproduce.
1. Create a new node with alert('xss1'); in the title and alert('xss2'); in the body.
2. Click 'Flag as offensive'.
3. Go to admin/content/abuse.
Comment #3
jcisio commented
It's easier to remove 'html' => TRUE, isn't it?
Comment #4
MAMONT commented
Fixed in http://drupal.org/node/1127046
Comment #5
dave reid commented
tagging
Comment #6
greggles commented
Subscribe.
I agree with jcisio in #3: on that one particular section of code it is clearer to simply remove the html => true.
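The following is an added illustration, not code from this issue or from the Abuse module: a simplified stand-in for Drupal's l() (assumed to mirror only its 'html' option, with check_plain approximated by htmlspecialchars) showing why the original call leaked raw node titles into the admin listing, and that both proposed fixes, escaping first as in #1 or dropping 'html' => TRUE as in #3 and #6, yield the same escaped output.

```php
<?php
// Stand-in for the escaping behaviour of Drupal's l(); NOT the real function.
// Real l() also handles attributes, path aliasing and more, which are
// irrelevant to this issue.
function link_text_stand_in($text, $path, array $options = array()) {
  $options += array('html' => FALSE, 'query' => NULL);
  // With 'html' => TRUE the caller promises $text is already safe HTML, so it
  // is inserted verbatim; otherwise the link text is escaped.
  $label = $options['html'] ? $text : htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  $href = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
  if ($options['query'] !== NULL) {
    $href .= '?' . htmlspecialchars($options['query'], ENT_QUOTES, 'UTF-8');
  }
  return '<a href="' . $href . '">' . $label . '</a>';
}

// Constructed node title of the kind used in the reproduction steps above.
$title = "Hello <script>alert('xss1');</script>";

// Original pattern: raw title passed with 'html' => TRUE reaches the page unescaped.
$vulnerable = link_text_stand_in($title, 'node/1', array('html' => TRUE));

// Fix from #1: escape the title first, keep 'html' => TRUE.
$fixed_a = link_text_stand_in(htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), 'node/1', array('html' => TRUE));

// Fix from #3/#6: drop 'html' => TRUE so the link function escapes the text itself.
$fixed_b = link_text_stand_in($title, 'node/1');

// The vulnerable output still contains a live <script> tag; both fixes do not,
// and they produce identical markup.
assert(strpos($vulnerable, '<script>') !== FALSE);
assert(strpos($fixed_a, '<script>') === FALSE);
assert($fixed_a === $fixed_b);
```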
Comment #7
jcisio commented
I committed in both the 1.x and 2.x branches. A new official release for the 1.x branch has been out. I'm quite busy and don't have time for other fixes in this release.