function t() is being used to translate user submitted text
unknownguy - August 27, 2008 - 23:30
| Project: | Node Relativity |
| Version: | 5.x-2.3 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Description
Hello,
I have detected that some user submitted strings were being inserted into the locales_source table.
Upon investigation (using debug_backtrace() in the function locale), I have found that this module is the culprit. Look at the following lines:
...
1491 $children_box .= l(t($child_node->title), 'node/'.$child_node->nid, array('class' => 'relativity_view_' . $childtype)) . "<br />\n";
...
1639 $output .= node_get_types('name',$ancestor->type) . ': ' . l(t($ancestor->title), 'node/'.$ancestor-> nid, array('class' => 'relativity_view_' . $type));
(maybe there are more places in the .module...)
Is this a bug? I guess it is.

#1
#2
Patch included
#3
Sorry, missed one t().. and this is for 5.x-2.3
#4
Patch works fine on DRUPAL5 version.
Here is a patch which applies cleanly to drupal5.
Set to "rtbc" for DRUPAL-5 Version.
#5
You meant D6? It's already fixed in D5. And it should use check_plain().
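
Added example, not part of the issue thread or the module's code: a Python check for the pattern reported above, listing every t() call whose first argument is not a single string literal, so that any other places in the .module can be found. The sample input is constructed from the two quoted lines plus three control lines; matching is text-based, so calls inside comments or strings are reported too.

```python
import re

# t( as the global function: st(), $t(, ->t( and ::t( are skipped.
T_CALL = re.compile(r"(?<![\w$>:])t\(")
# One plain PHP string literal; the double-quoted form excludes "$" interpolation.
SINGLE = re.compile(r"'(?:\\.|[^'\\])*'\Z")
DOUBLE = re.compile(r'"(?:\\.|[^"\\$])*"\Z')

def first_argument(src, start):
    """Return the first argument of a call whose opening '(' ends at start."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "([":
            depth += 1
        elif c in ")]":
            if depth == 0:
                break                  # closing paren of the t() call itself
            depth -= 1
        elif c == "," and depth == 0:
            break                      # end of the first argument
        i += 1
    return src[start:i].strip()

def find_nonliteral_t_calls(php_source):
    """Return (line number, first argument) for each t() call not given one literal."""
    hits = []
    for m in T_CALL.finditer(php_source):
        arg = first_argument(php_source, m.end())
        if not (SINGLE.match(arg) or DOUBLE.match(arg)):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, arg))
    return hits

# Constructed sample: the two calls quoted in the report plus three controls.
SAMPLE = r'''<?php
$children_box .= l(t($child_node->title), 'node/'.$child_node->nid, array('class' => 'relativity_view_' . $childtype)) . "<br />\n";
$output .= node_get_types('name',$ancestor->type) . ': ' . l(t($ancestor->title), 'node/'.$ancestor-> nid, array('class' => 'relativity_view_' . $type));
$a = t('Parent nodes');
$b = t('Attach to @type', array('@type' => $name));
$c = t('Child of ' . $title);
'''
```

Calling `find_nonliteral_t_calls()` on the text of a module file returns the line numbers to review; on `SAMPLE` it reports lines 2, 3 and 6.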