Side Content currently always treat the input as raw HTML, which stops the users from putting dynamic content in it and, depending on the settings, also lets them inject potentially harmfull stuff. This patch makes each side content use the same input filter as the node it's are attached to:

--- sidecontent/sidecontent.module      2005-01-15 05:00:11.000000000 +0200
+++ sidecontent.module  2005-02-10 23:28:26.000000000 +0200
@@ -45,9 +45,10 @@
     if (is_numeric(arg(1))) {
         $sidecontent = db_result(db_query("SELECT sidecontent FROM {sidecontent} WHERE nid = '%d'", arg(1)));
         if ($sidecontent) {
+            $format = db_result(db_query("SELECT format FROM {node} WHERE nid = '%d'", arg(1)));
         $sidecontent_title = variable_get('sidecontent_title', NULL);
         $block['subject'] = $sidecontent_title;
-        $block['content'] = $sidecontent;
+        $block['content'] = check_output($sidecontent, $format);
         return $block;
         }
     }

(No, it's not really PHP code, but the auto linebreak filter added extra lines to the <pre> and <code> lost the indentations. D'oh.)

Comments

ht-1’s picture

Could you please explain how to use the patch? Does it go into the module code itself, and is so, where?

Thanks,

ht

elonen’s picture

It's in the regular "unified diff format" -- despite the < ? php>, which I put just in just to get the web page formatting right..

So, the changes are supposed to be made to sidecontent/sidecontent.module. Lines starting with '-' are to be removed and those starting with '+' are to be added.

robert castelo’s picture

Fixed in 4.6 version of module.

Side content can now use any input filter, independant of the node it's attached to.

Do not use the patch above.

robert castelo’s picture