wrong file inclusion may break website

Posted by suit4 on May 9, 2008 at 11:24am

Issue Summary

The way, safehtml.module includes files is problematic and can lead to a disfunctional site.

<?php
function safehtml_nodeapi(&$node, $op, $teaser = NULL, $page = NULL) {
  if ($op == 'submit') {
    $arr = array_keys(filter_list_format($node->format));
    if (in_array('safehtml/0', $arr)) {
      if (!defined('XML_HTMLSAX3')) {
          define('XML_HTMLSAX3', '');
      }
      require_once('classes/safehtml.php');
      if ($node->body) {
        $node->body = _safehtml_parse($node->body, $node->format);
      }
      if ($node->teaser) {
        $node->teaser = _safehtml_parse($node->teaser, $node->format);
      }
    }
  }
}
?>

should read:

<?php
function safehtml_nodeapi(&$node, $op, $teaser = NULL, $page = NULL) {
  if ($op == 'submit') {
    $arr = array_keys(filter_list_format($node->format));
    if (in_array('safehtml/0', $arr)) {
        $path = drupal_get_path('module', 'safehtml');
      if (!defined('XML_HTMLSAX3')) {
          define('XML_HTMLSAX3', "./$path/classes/");
      }
      require_once("./$path/classes/safehtml.php");
      if ($node->body) {
        $node->body = _safehtml_parse($node->body, $node->format);
      }
      if ($node->teaser) {
        $node->teaser = _safehtml_parse($node->teaser, $node->format);
      }
    }
  }
}
?>

Patch attached

Attachment	Size
safehtml_include.patch	696 bytes

Comments

#1

Posted by claudiu.cristea on August 11, 2009 at 10:36am

Version:	5.x-1.2	» 6.x-7.x-dev
Status:	needs review	» fixed

This was fixed in http://drupal.org/cvs?commit=249478 for 6.x

#2

Posted by claudiu.cristea on August 11, 2009 at 4:32pm

Status:

fixed

» closed (fixed)

Project:	Safe HTML
Version:	6.x-7.x-dev
Component:	Code
Category:	bug report
Priority:	normal
Assigned:	Unassigned
Status:	closed (fixed)

wrong file inclusion may break website

Jump to:

Issue Summary

Comments

#1

#2