If you've got a node that has PHP in it and you have the teaser enabled, it will show the raw PHP in the block.

I tried adding the following code into the module (similar.module) to fix it but it just prettified the output. Although, that helped with the fact that the output is, by default, not pretty.

Line 232:

      $node->teaser = check_markup($node->teaser);
Attached file: #8 checkplain.patch (766 bytes) by hickory

Comments

norio

This quick and dirty fix will not show any nodes with '<?php' in it and will format the node according to the filters you've set.

Replace:

    if($teaser) {
      $items[] = '<div id="similar-title">'. l($node->title, 'node/'.$node->nid, NULL, NULL, NULL, NULL, true) .'</div><div id="simlar-teaser">'. $node->teaser .'</div>';
    } else {
      $items[] = l($node->title, 'node/'.$node->nid);
    }

With:

    if($teaser) {
      // Norri: Skip PHP stuff, and format the other stuff better
      // The '?' must be escaped in the pattern, otherwise it makes '<' optional
      // and the regex matches any teaser containing "php".
      if (preg_match('/<\?php/', $node->teaser)) continue;
      // Run the teaser through the node's input filters before output.
      $node->teaser = check_markup($node->teaser);

      $items[] = '<div id="similar-title">'. l($node->title, 'node/'.$node->nid, NULL, NULL, NULL, NULL, true) .'</div><div id="simlar-teaser">'. $node->teaser .'</div>';
    } else {
      $items[] = l($node->title, 'node/'.$node->nid);
    }

PS: You can replace preg_match with strpos(). It will probably run faster.

deekayen

Assigned: Unassigned » deekayen
Priority: Critical » Normal
Status: Active » Fixed

I committed check_plain on the title and check_markup on the teaser. Skipping nodes with PHP in them isn't the solution.

Anonymous

Status: Fixed » Closed (fixed)

deekayen

Version: » 4.7.x-1.x-dev
Status: Closed (fixed) » Active

Patch should be backed out. Check plain is converting too many characters.

deekayen

Assigned: deekayen » Unassigned
Status: Active » Postponed

I reverted the check_plain/check_markup/check_output in 4.6 and 4.7. I'm not hot about the idea of evaluating PHP.

Perhaps this thread should take on discussing a way to ignore nodes with the PHP Code evaluator filter enabled or some other alternate patch.

deekayen

Status: Postponed » Active

I re-committed the check_plain/markup/output if nothing else because it probably has some xss benefits.

deekayen

Title: Shows raw PHP instead of evaluating it » Output filtering does unexpected character conversion

So perhaps now I should just make special str_replaces for this (from http://drupal.org/node/86666):?

e.g., &#039 ; [minus the space] instead of ', " instead of ".

hickory

File: checkplain.patch (766 bytes)

check_plain shouldn't be run on node titles in blocks, it's already being run by the l() function, so characters get double-escaped. Patch attached.
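
To make the double-escaping described above concrete, here is an added example (not code from the Similar module or Drupal core) using simplified stand-ins for Drupal 4.7's check_plain() and l(); the stand-in l() is assumed to escape its text unless its $html argument is TRUE, which is how the 4.7 function behaves, and the title string is constructed for the demo.

```php
<?php
// Added example, not code from the Similar module or Drupal core. Minimal
// stand-ins for Drupal 4.7's check_plain() and l(). Assumed behaviour:
// check_plain() is htmlspecialchars() with ENT_QUOTES, and l() runs
// check_plain() on $text unless its $html argument is TRUE.

function check_plain_47($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function l_47($text, $path, $html = FALSE) {
  // With $html = TRUE the caller promises $text is already safe markup.
  if (!$html) {
    $text = check_plain_47($text);
  }
  return '<a href="/' . $path . '">' . $text . '</a>';
}

// Constructed title containing the characters the thread complains about.
$title = "O'Reilly & \"Friends\" <b>";

// 1. Raw title with $html = TRUE: nothing is escaped, the <b> lands in the page.
$unescaped = l_47($title, 'node/1', TRUE);

// 2. check_plain() first, then l() with $html = FALSE: escaped twice, so the
//    visitor sees the literal text O&#039;Reilly &amp; ... on the page.
$double = l_47(check_plain_47($title), 'node/1');

// 3. Raw title, $html = FALSE: l() escapes exactly once (hickory's point).
$single = l_47($title, 'node/1');

foreach (array('unescaped' => $unescaped, 'double' => $double, 'single' => $single) as $label => $markup) {
  printf("%-9s %s\n", $label, $markup);
}

// Only the single-escaped link decodes back to the original title.
$decoded = html_entity_decode($single, ENT_QUOTES, 'UTF-8');
var_dump($decoded === '<a href="/node/1">' . $title . '</a>');
```

Case 1 is the XSS-shaped risk, case 2 is the "unexpected character conversion" this issue was retitled for, and case 3 is what the attached patch leaves in place.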

deekayen

Status: Active » Fixed

applied in HEAD v1.7

Anonymous

Status: Fixed » Closed (fixed)