check_plain applied twice for title to rss feeds [#304644]

in function station_archive_arg_program_nid_handler($op, &$query, $argtype, $arg = '') in archive/views.inc

case 'title':
$node = db_fetch_object(db_query("SELECT sap.title FROM {station_archive_program} sap WHERE sap.program_nid=%d", $query));
changed
//return check_plain($node->title);
to
return $node->title;

As function format_rss_channel applies check_plain to the title already.

Comment	File	Size	Author
#2	station-check_plain.patch	497 bytes	darrick

Comments

Comment #1

drewish commented 5 September 2008 at 23:24

Status:

Active

» Needs work

could you roll a patch?

Comment #2

darrick commented 6 September 2008 at 20:53

Status	File	Size
new	station-check_plain.patch	497 bytes

Here is a patch to the cvs.

Comment #3

vladimir.dolgopolov commented 16 September 2008 at 03:17

I don't think it was a good idea to remove check_plain().
Now I can enter a title like this:

alert('XSS');

We need here another decision.

Comment #4

damienmckenna

TN, USA

commented 21 February 2012 at 23:01

Status:

Needs work

» Closed (won't fix)

The Drupal 5 versions are no longer supported, if someone would like to step up to co-maintain it then please do so, otherwise future work will only happen for D6 and D7. Thank you.

check_plain applied twice for title to rss feeds

Comments

Comment #1

Comment #2

Comment #3

Comment #4

News items

Our community

Documentation

Drupal code base

Governance of community