check_plain is being run twice when displaying Current State in Workflow History - introduced by SA-CONTRIB-2009-088
serenecloud - October 29, 2009 - 02:19
| Project: | Workflow |
| Version: | 6.x-1.2 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
| Issue tags: | check_plain |
Jump to:
Description
The current state displays as <strong>State</strong> rather than State. This is because check_plain() (and also t()) is being called twice on the state name, once in theme_workflow_current_state() and again in theme_workflow_history_table_row().
Patch attached that removes the calls in theme_workflow_history_table_row() but adds check_plain() and t() calls to ensure $state_name and $old_state_name don't enter theme_workflow_history_table_row() without being checked.
| Attachment | Size |
|---|---|
| workflow-state-double-check-plain.patch | 1.38 KB |
#1
Upping priority as this is likely to affect a lot of users over the next few days if not patched.
#2
+1
I agree.
Having a security advisory out and no fix available (I can't find 6.x-1.2) is sort of ... not the ideal situation.
#3
I got the 6.x-1.2 by guessing the URL based on the 1.1 tarball download. I did a diff with what's in CVS and it's just the auto-generated info details that are added.
#4
+1
I've tried the patch in the original post and it works.
Also bumping version to 6.x-1.2 in the hope it gets more attention that way.
#5
6.x-1.3 released with this fix.
#6
Confirmed the fix is in 6.x-13.
Thanks :)