The twitter_search module currently misuses check_plain(), and therefore Twitter search queries containing quotes won't work: check_plain() turns a double quote into the HTML entity &quot;, so a quoted phrase is stored, and later sent to Twitter, in its escaped form.

check_plain() is not an input filter but an output escaper: it encodes the HTML special characters (& < > " ') so that a string can be printed safely inside HTML. Storing its result in the database corrupts the data, and drupal_write_record() already escapes values for the SQL query, so no input-side escaping is needed. For example, in twitter_search_add_form_submit($form, &$form_state) the following use of check_plain() is incorrect:

$search = array(
  'search' => check_plain($form_state['values']['search_string']),
  'last_twitter_id' => 0,
  'last_refresh' => 0,
);
// Insert entry into the database.
drupal_write_record('twitter_search', $search);

It should be written without the check_plain():

$search = array(
  'search' => $form_state['values']['search_string'],
  'last_twitter_id' => 0,
  'last_refresh' => 0,
);

// Insert entry into the database.
drupal_write_record('twitter_search', $search);

Otherwise Twitter search queries are stored and sent incorrectly encoded: if you want to search for Drupal OR "open source", it should be stored in the database exactly like that, not encoded as Drupal OR &quot;open source&quot;.

An example of correct use of check_plain() is in twitter_search_list_page(), where the stored search string is escaped at the point it is rendered into the admin listing table:

$rows[] = array(
  check_plain($search['search']),
  array('data' => l(t('delete'), 'admin/settings/twitter_search/delete/'. $search['twitter_search_id'])),
);
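To make the difference concrete, the following stand-alone PHP script is an added example and not code from the twitter_search module. It reimplements check_plain() the way Drupal 6/7 define it (htmlspecialchars() with ENT_QUOTES, without Drupal's UTF-8 validity check) and uses stand-in functions of its own (store_search, build_query_param, render_cell; none of these exist in the module) for the three places the search string passes through: the submit handler, the request to Twitter, and the admin listing page. The input string is constructed for the example.

```php
<?php
// Added example; this is not code from the twitter_search module. It shows
// why check_plain() belongs at output time only. check_plain() is redefined
// here the way Drupal 6/7 implement it (htmlspecialchars with ENT_QUOTES,
// minus Drupal's UTF-8 validity check) so the script runs outside Drupal.

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the submit handler: what gets written to the 'search' column.
function store_search($search_string, $escape_on_input) {
  return $escape_on_input ? check_plain($search_string) : $search_string;
}

// Stand-in for building the query parameter of the Twitter search request.
// Query parameters are URL-encoded; HTML entities mean nothing to Twitter,
// so an entity-encoded string searches for the literal text &quot; instead
// of performing a phrase search.
function build_query_param($stored_search) {
  return 'q=' . urlencode($stored_search);
}

// Stand-in for the admin listing page, where the stored value is rendered
// inside an HTML table cell and therefore must be escaped once, here.
function render_cell($stored_search) {
  return '<td>' . check_plain($stored_search) . '</td>';
}

// Constructed input: the user's query, a phrase search with quotes.
$input = 'Drupal OR "open source"';

foreach (array('escaped on input' => TRUE, 'stored raw' => FALSE) as $label => $escape) {
  $stored = store_search($input, $escape);
  echo "[$label]\n";
  echo "  stored:      $stored\n";
  echo "  twitter:     " . build_query_param($stored) . "\n";
  echo "  admin html:  " . render_cell($stored) . "\n";
}

// Checks a reviewer can apply: the data must survive the round trip to
// Twitter unchanged, the admin page must escape exactly once, and escaping
// on input shows up as double encoding (&amp;quot;) on the admin page.
$raw = store_search($input, FALSE);
assert(urldecode(build_query_param($raw)) === 'q=' . $input);
assert(render_cell($raw) === '<td>Drupal OR &quot;open source&quot;</td>');
assert(strpos(render_cell(store_search($input, TRUE)), '&amp;quot;') !== FALSE);
```

Run it with php on the command line. The raw path keeps the quotes intact for Twitter and escapes them once for the admin table; the escape-on-input path sends &quot; to Twitter and double-encodes to &amp;quot; on the admin page, which is the bug this issue describes. The rule that follows for the module is that the stored value stays raw and every place that renders it into HTML (the listing table, any confirmation or delete page) calls check_plain() itself.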

Comments


Status: Active » Closed (fixed)

I've fixed this in both the 6.x and 7.x dev branches.