Index: modules/taxonomy/taxonomy.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.module,v
retrieving revision 1.414.2.8
diff -u -p -r1.414.2.8 taxonomy.module
--- modules/taxonomy/taxonomy.module 27 Apr 2009 11:49:05 -0000 1.414.2.8
+++ modules/taxonomy/taxonomy.module 13 May 2009 19:58:31 -0000
@@ -415,7 +415,7 @@ function taxonomy_del_term($tid) {
*/
function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') {
$vocabulary = taxonomy_vocabulary_load($vid);
- $help = ($help) ? $help : $vocabulary->help;
+ $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
if (!$vocabulary->multiple) {
$blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
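Review bot: After this change the `$help` argument of taxonomy_form() is still used unfiltered whenever it is non-empty; only the vocabulary fallback on the `+` line goes through filter_xss_admin(), so the function now relies on callers to sanitize what they pass in. That contract is not written down: the docblock whose closing `*/` sits just above the signature should say so, in the same wording the new _taxonomy_term_select() docblock uses, e.g. `@param $help Optional help text for the element. This MUST be sanitized by the caller.` The call site in the third hunk (`taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help))`) already honours it, so the two hunks are consistent once the expectation is documented. The rest of taxonomy_form()'s docblock and body lie outside the hunk.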
@@ -514,7 +514,7 @@ function taxonomy_form_alter(&$form, $fo
$typed_string = taxonomy_implode_tags($terms, $vocabulary->vid) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
}
if ($vocabulary->help) {
- $help = $vocabulary->help;
+ $help = filter_xss_admin($vocabulary->help);
}
else {
$help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".');
@@ -538,7 +538,7 @@ function taxonomy_form_alter(&$form, $fo
$default_terms[$term->tid] = $term;
}
}
- $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
+ $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
$form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
$form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
}
@@ -1018,6 +1018,35 @@ function taxonomy_get_term($tid) {
return $terms[$tid];
}
+/**
+ * Create a select form element for a given taxonomy vocabulary.
+ *
+ * NOTE: This function expects input that has already been sanitized and is
+ * safe for display. Callers must properly sanitize the $title and
+ * $description arguments to prevent XSS vulnerabilities.
+ *
+ * @param $title
+ * The title of the vocabulary. This MUST be sanitized by the caller.
+ * @param $name
+ * Ignored.
+ * @param $value
+ * The currently selected terms from this vocabulary, if any.
+ * @param $vocabulary_id
+ * The vocabulary ID to build the form element for.
+ * @param $description
+ * Help text for the form element. This MUST be sanitized by the caller.
+ * @param $multiple
+ * Boolean to control if the form should use a single or multiple select.
+ * @param $blank
+ * Optional form choice to use when no value has been selected.
+ * @param $exclude
+ * Optional array of term ids to exclude in the selector.
+ * @return
+ * A FAPI form array to select terms from the given vocabulary.
+ *
+ * @see taxonomy_form()
+ * @see taxonomy_form_term()
+ */
function _taxonomy_term_select($title, $name, $value, $vocabulary_id, $description, $multiple, $blank, $exclude = array()) {
$tree = taxonomy_get_tree($vocabulary_id);
$options = array();