Block descriptions on admin/build/block/configure can potentially be escaped twice.

For example: enable aggregator & create a feed (rest assumes feed 1).
Visit admin/build/block/configure/aggregator/feed-1 where you will note as page title:

'<em>[feed name] feed latest items</em>' block .

As custom block descriptions are escaped by block_block, I suggest to remove the placeholder call from block_admin_configure.

Please review carefully as we do not want to introduce a possibility for XSS.

Comments

dries’s picture

This change is not particularly transparent. As a rule, the escaping should happen just before output. I'd say that we keep the escaping in the block.module, but that we correct the behavior in the aggregator.module.

heine’s picture

StatusFileSize
new3.95 KB

Happy to oblige.

In my opinion, one should escape when adding user supplied data to trusted, potentially markup containing, text. My preference is still the patch in #1 with the em's removed from drupal_set_title in block_admin_configure.

drumm’s picture

Status: Needs review » Fixed

Committed to HEAD.

Anonymous’s picture

Status: Fixed » Closed (fixed)