Merge pull request #420 from yqjiang/7.x-add-xss

7.x add xss
11 years ago · 3441ca755c
4 changed files with 8 additions and 9 deletions
--- a/includes/dublin_core.inc
+++ b/includes/dublin_core.inc
@ -131,7 +131,7 @@ class DublinCore {
          $dc_label = explode(':', $field);
          $element_label = drupal_ucfirst($dc_label[1]);
          $dc_array[$field]['label'] = $element_label;
-          $dc_array[$field]['value'] = $value;
+          $dc_array[$field]['value'] = filter_xss($value);
          $dc_array[$field]['class'] = drupal_strtolower(preg_replace('/[^A-Za-z0-9]/', '-', $field));
          $dc_array[$field]['dcterms'] = preg_replace('/^dc/', 'dcterms', $field);
        }
@ -140,7 +140,6 @@ class DublinCore {
    return $dc_array;
  }

-
  /**
   * Creates a new instance of the class by parsing dc_xml.
   *
--- a/islandora.module
+++ b/islandora.module
@ -993,7 +993,7 @@ function islandora_drupal_title(AbstractObject $object) {
  module_load_include('inc', 'islandora', 'includes/breadcrumb');
  drupal_set_breadcrumb(islandora_get_breadcrumbs($object));

-  return $object->label;
+  return filter_xss($object->label);
 }

 /**
--- a/theme/islandora-dublin-core-display.tpl.php
+++ b/theme/islandora-dublin-core-display.tpl.php
@ -20,11 +20,11 @@
    <dl xmlns:dcterms="http://purl.org/dc/terms/" class="islandora-inline-metadata islandora-metadata-fields">
      <?php $row_field = 0; ?>
      <?php foreach($dc_array as $key => $value): ?>
-        <dt property="<?php print $value['dcterms']; ?>" content="<?php print $value['value']; ?>" class="<?php print $value['class']; ?><?php print $row_field == 0 ? ' first' : ''; ?>">
-          <?php print $value['label']; ?>
+        <dt property="<?php print $value['dcterms']; ?>" content="<?php print filter_xss($value['value']); ?>" class="<?php print $value['class']; ?><?php print $row_field == 0 ? ' first' : ''; ?>">
+          <?php print filter_xss($value['label']); ?>
        </dt>
        <dd class="<?php print $value['class']; ?><?php print $row_field == 0 ? ' first' : ''; ?>">
-          <?php print $value['value']; ?>
+          <?php print filter_xss($value['value']); ?>
        </dd>
        <?php $row_field++; ?>
      <?php endforeach; ?>
--- a/theme/theme.inc
+++ b/theme/theme.inc
@ -39,7 +39,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
    );
    $row[] = array(
      'class' => 'datastream-label',
-      'data' => $ds->label,
+      'data' => filter_xss($ds->label),
    );
    $row[] = array(
      'class' => 'datastream-control',
@ -47,7 +47,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
    );
    $row[] = array(
      'class' => 'datastream-mime',
-      'data' => $ds->mimeType,
+      'data' => filter_xss($ds->mimeType),
    );
    $row[] = array(
      'class' => 'datastream-size',
@ -81,7 +81,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
    );
    $rows[] = $row;
  }
-  $caption = $islandora_object->label . ' - ' . $islandora_object->id;
+  $caption = filter_xss($islandora_object->label) . ' - ' . $islandora_object->id;
  $table = array(
    'colgroups' => NULL,
    'sticky' => TRUE,