Closed (fixed)
Project:
Side Content
Version:
4.5.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
10 Feb 2005 at 21:50 UTC
Updated:
25 Apr 2005 at 00:30 UTC
Side Content currently always treat the input as raw HTML, which stops the users from putting dynamic content in it and, depending on the settings, also lets them inject potentially harmfull stuff. This patch makes each side content use the same input filter as the node it's are attached to:
--- sidecontent/sidecontent.module 2005-01-15 05:00:11.000000000 +0200
+++ sidecontent.module 2005-02-10 23:28:26.000000000 +0200
@@ -45,9 +45,10 @@
if (is_numeric(arg(1))) {
$sidecontent = db_result(db_query("SELECT sidecontent FROM {sidecontent} WHERE nid = '%d'", arg(1)));
if ($sidecontent) {
+ $format = db_result(db_query("SELECT format FROM {node} WHERE nid = '%d'", arg(1)));
$sidecontent_title = variable_get('sidecontent_title', NULL);
$block['subject'] = $sidecontent_title;
- $block['content'] = $sidecontent;
+ $block['content'] = check_output($sidecontent, $format);
return $block;
}
}
(No, it's not really PHP code, but the auto linebreak filter added extra lines to the <pre> and <code> lost the indentations. D'oh.)
Comments
Comment #1
ht-1 commentedCould you please explain how to use the patch? Does it go into the module code itself, and is so, where?
Thanks,
ht
Comment #2
elonen commentedIt's in the regular "unified diff format" -- despite the < ? php>, which I put just in just to get the web page formatting right..
So, the changes are supposed to be made to
sidecontent/sidecontent.module. Lines starting with '-' are to be removed and those starting with '+' are to be added.Comment #3
robert castelo commentedFixed in 4.6 version of module.
Side content can now use any input filter, independant of the node it's attached to.
Do not use the patch above.
Comment #4
robert castelo commented