The default output for premium content to non-subscribers doesn't filter the node's teaser text before display. This means undesirable content may appear.

The $node->teaser should be passed through the check_markup() function to make sure it's safe.

A better theme function would be:

function theme_premium_body($node) {
  // Run the teaser through the node's own input format before output, then
  // append the configured premium message.
  return check_markup($node->teaser, $node->format, FALSE) . '<br />' . variable_get('premium_message', '');
}
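The following is an added, stand-alone illustration of the report's point; it is not code from the premium module. It puts the unfiltered theme function next to the corrected one from the report and runs both on a constructed node. Because Drupal is not bootstrapped here, check_markup() and variable_get() are replaced by small stand-ins with the Drupal 6 signatures; the stand-in filter (format 1 as a tag allowlist, format 2 as unfiltered, mirroring the Drupal 6 default format ids) is an assumption and much simpler than Drupal's real filter pipeline.

```php
<?php
// Added example, not the premium module's code. Stand-ins replace Drupal core
// functions so the script runs without a Drupal installation.

// Stand-in for variable_get(): a fixed settings table instead of the variable DB.
function variable_get($name, $default) {
  static $settings = array('premium_message' => 'Subscribe to read the full article.');
  return isset($settings[$name]) ? $settings[$name] : $default;
}

// Stand-in for check_markup($text, $format, $check). Assumption: format 1 is a
// "Filtered HTML"-style allowlist and format 2 is "Full HTML" (no filtering).
// Real Drupal runs every filter attached to the format; this only keeps an
// allowlist of tags and strips attributes from whatever survives.
function check_markup($text, $format = 1, $check = TRUE) {
  if ($format == 2) {
    return $text;
  }
  $allowed = array('a', 'em', 'strong', 'p', 'br');
  // strip_tags() removes disallowed opening and closing tags; the text between
  // them (for example the body of a <script> element) is kept as plain text.
  $text = strip_tags($text, '<' . implode('><', $allowed) . '>');
  // Drop every attribute (including event handlers and style=) on the tags that
  // remain, keeping only an href that does not use a javascript: scheme.
  $text = preg_replace_callback('#<(\w+)([^>]*)>#', function ($m) {
    $tag = strtolower($m[1]);
    $href = '';
    if ($tag == 'a' && preg_match('#href\s*=\s*["\']([^"\']*)["\']#i', $m[2], $h)
        && !preg_match('#^\s*javascript:#i', $h[1])) {
      $href = ' href="' . htmlspecialchars($h[1], ENT_QUOTES, 'UTF-8') . '"';
    }
    return '<' . $tag . $href . '>';
  }, $text);
  return $text;
}

// The behaviour the report describes: the stored teaser is emitted verbatim,
// so whatever markup the author typed reaches every non-subscriber.
function theme_premium_body_unfiltered($node) {
  return $node->teaser . '<br />' . variable_get('premium_message', '');
}

// The corrected theme function from the report: the teaser goes through the
// node's input format first, so the format's filters decide what is shown.
function theme_premium_body($node) {
  return check_markup($node->teaser, $node->format, FALSE) . '<br />' . variable_get('premium_message', '');
}

// Constructed node: a teaser in the filtered format carrying markup that the
// format would never let through on a normal node view.
$node = new stdClass();
$node->format = 1;
$node->teaser = '<p onmouseover="alert(1)">Teaser text</p><script>alert(1)</script>';

echo "Unfiltered: ", theme_premium_body_unfiltered($node), "\n";
echo "Filtered:   ", theme_premium_body($node), "\n";
```

Run with `php example.php`. The unfiltered line reproduces the teaser exactly as stored, attributes and script element included; the filtered line keeps only the allowlisted paragraph tag without its attribute and leaves the script body as inert text, which is the effect passing the teaser through the node's format has on the real site. The same theme function with `$node->format` set to 2 shows why the format id must come from the node: a Full HTML node is intentionally left alone, just as it is in the full node view.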

Comments

moshe weitzman

sounds like a critical to me too

mark matuschka

+1

allie micka

Status: Active » Fixed

Fixed - thanks!

Anonymous

Status: Fixed » Closed (fixed)