Using booktree 6.x-1.4 multi-site setup on Drupal 6.14 with a custom theme.
I narrowed down the offending code to this line:

  drupal_set_title(check_plain($node->title));
>  $content = '<p>'. check_markup($node->body, $node->format, FALSE) .'</p>'; 
  $ricursione = 1;

The root node is set to 0 in order to display the contents of all the books' sub-trees in the site.
But when viewing mysite.org/site_name/booktree, the first line printed n/a.
I changed the line to

  $content = '<h1>'. variable_get('site_name') .'</h1>';

so it now displays the site name at the top. I'm not sure if the check_markup call was really important in certain situations, but it might be worth changing the module in future releases so it doesn't print out n/a.
My personal fix probably isn't an acceptable solution because some people want to display the content of specific books rather than the entire site's sub-trees.
Please comment why the call to check_markup was returning n/a if you have an idea on that, or challenge me to write up some conditionals to either print the site_name if the root node is 0 or the root node's title. Or if you have time, write it yourself and contrib! :)

Thanks,
Milo

Attachment (comment #7): booktree.patch, 692 bytes, by mdlamar

Comments

mdlamar wrote:

sorry it was variable_get('site_name', '') ... i forgot the 2nd arg.

uccio wrote:

Attention: the check_markup call is really important to prevent XSS attacks on your system.

To fix this issue you can move all your books into a root book node.

mdlamar wrote:

Thank you for the reply. I'll check into doing that while preserving the navigation look. If you know an easy way to toggle display of the root book while still displaying its sub-books, do advise :)

mdlamar wrote:

I am also concerned about the cross-site scripting vulnerability. Is there a way to detect such scripting?

mdlamar wrote:

Ultimately the easiest, quickest, and safest fix for me is to just put the check_markup return in a hidden div.

Mo wrote:

I modified it this way (lines 124 and 125):

  drupal_set_title(check_plain($node->title ? $node->title : variable_get('site_name', '')));
  $content = '<p>'. check_markup($node->body ? $node->body : "", $node->format, FALSE) .'</p>';

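
An added example (my own PHP, not code from the booktree module or Drupal core) showing why the original line prints n/a for root node 0 and how Mo's guard avoids it: Drupal 6's check_markup() returns t('n/a') whenever $text is not set or the user may not use $format, and node 0 has no body. The filter below is a stand-in tag whitelist, not Drupal's filter pipeline, and check_plain() is reproduced as htmlspecialchars(); both nodes are constructed.

```php
<?php
// Stand-in for Drupal 6 check_plain(): escape everything for HTML output.
function check_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Assumption for this example: the current user may use every input format.
function filter_access($format) {
  return TRUE;
}

// Stand-in for Drupal 6 check_markup(): same control flow as core
// (unset text or denied format -> 'n/a'), but the filtering itself is a
// simple whitelist, NOT Drupal's real filter chain.
function check_markup($text, $format = 1, $check = TRUE) {
  if (isset($text) && (!$check || filter_access($format))) {
    return strip_tags($text, '<a><em><strong><p>');
  }
  return 'n/a';
}

// What the module sees for root node 0: no title, no body.
$root = new stdClass();
$root->title = NULL;
$root->format = 1;

// A normal book page whose body carries untrusted markup.
$page = new stdClass();
$page->title = 'Chapter 1';
$page->body = '<p>Hello <script>alert(1)</script></p>';
$page->format = 1;

// Original line 125: an unset body reaches check_markup() as NULL,
// so isset() fails and 'n/a' is returned (PHP also warns about the
// undefined property, exactly as the unpatched module does).
function render_original($node) {
  return '<p>'. check_markup($node->body, $node->format, FALSE) .'</p>';
}

// Mo's guard, written with empty() so no notice is raised: an empty
// string is still "set", so filtering runs and nothing visible prints.
function render_fixed($node) {
  $body = !empty($node->body) ? $node->body : '';
  return '<p>'. check_markup($body, $node->format, FALSE) .'</p>';
}

echo render_original($root), "\n";  // <p>n/a</p>
echo render_fixed($root), "\n";     // <p></p>
echo render_fixed($page), "\n";     // <p>Hello alert(1)</p>  (script tag removed)
echo check_plain($page->title ? $page->title : 'site name'), "\n";
```

The same pattern applies to the title line: check_plain() must still wrap whatever string the fallback chooses, since site_name is admin-entered text and not HTML.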
mdlamar wrote:

Attached file: booktree.patch (new, 692 bytes)

That's a good fix, Mo! That should be committed to the module. I'll make a patch. I'll have to figure out the naming conventions for Drupal patches, but here's a preliminary.

uccio wrote:

Status: Needs review » Fixed

Fixed on dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.