
single-quotes in node-titles disable ShareThis

Project: ShareThis
Version: 6.x-1.2-1
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

I wondered why I had one blog node without the ShareThis button.
It took me a while to find out that the word "won't" was the problem. Of course, it should be escaped, but the module does not do so.

I think this is pretty important.
Hope it gets fixed for the next release.

Best,
j

Comments

#1

I have the same problem, but you got further than I: some of my nodes were missing a ShareThis link, but I didn't pick up on why some were affected and others were not.

After reading your report, I found the problem: on lines 142, 175 and 186 of sharethis.module, $node->title is not being escaped. I added the addslashes() function around it, although I am certain that is not the proper fix. It is a good workaround for me, though, until the developer issues a new version with the correct fix.

#2

Hello.

I looked around for what might be a best practice for solving this issue.

I noticed some modules applying check_plain to node titles to handle quote issues.

I have tested the following:

Replaced:

$node->title

With:

check_plain($node->title)

On lines: 132, 142, 175, 186

Code changes could be reduced by applying check_plain to $node->title earlier in the function. But it may then confuse people in that they will not know that the $node->title had already been sanitized.

Best Regards,
Sean Buscay
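
An added example, not part of the thread or of sharethis.module: it compares the escaping approaches from comments #1 and #2 for a title placed in a single-quoted JavaScript string literal, which is an assumption because the module's affected lines are not shown on this page. `check_plain_equiv()` and `js_title_fragments()` are hypothetical names, the sample titles are constructed, and `json_encode()` is included as the encoder that matches a JavaScript context.

```php
<?php
// Added example; not code from sharethis.module.
// Assumption: the node title ends up inside a single-quoted JavaScript
// string literal in an inline <script> block.

// Hypothetical stand-in for Drupal's check_plain(), which HTML-encodes
// special characters including both quote styles (ENT_QUOTES).
function check_plain_equiv($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: the JavaScript fragment each strategy would emit.
function js_title_fragments($title) {
  $hex = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
  return array(
    // Unescaped: an apostrophe ends the literal early, so the script
    // fails to parse and the button never renders.
    'raw'         => "{title: '" . $title . "'}",
    // Comment #1 workaround: backslash-escapes quotes and backslashes only.
    'addslashes'  => "{title: '" . addslashes($title) . "'}",
    // Comment #2 fix: valid JavaScript, but the string now carries HTML
    // entities, which are not decoded inside a <script> element.
    'check_plain' => "{title: '" . check_plain_equiv($title) . "'}",
    // Context-matched encoding: json_encode() supplies its own double
    // quotes; the HEX flags emit <, >, &, ' and " as \uXXXX escapes.
    'json_encode' => "{title: " . json_encode($title, $hex) . "}",
  );
}

// Constructed sample titles.
$titles = array(
  "Why it won't work",
  'Tom & Jerry say "hi"',
);

foreach ($titles as $title) {
  echo "Title: ", $title, "\n";
  foreach (js_title_fragments($title) as $name => $js) {
    printf("  %-12s %s\n", $name, $js);
  }
  echo "\n";
}
```

For the first title the `raw` line shows the broken literal from the issue summary, while `check_plain` prints `won&#039;t`, which parses but is only correct if the consumer treats the string as HTML.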

#3

Status: active » needs review

Here's a patch, based on Sean Buscay's fix above. I've tested it on my site at www.poorbrothertom.com and it appears to be working properly.

Attachment: sharethis.module.diff (2.58 KB)

#4

Fixed in 1.3. Sorry for the delay.

#5

Status: needs review » closed (fixed)