From b91de5e64ea8915cbc6045e6dcb074e12bbcf2e8 Mon Sep 17 00:00:00 2001
From: yqjiang <yqjiang0830@gmail.com>
Date: Fri, 18 Oct 2013 12:36:41 +0000
Subject: [PATCH] add filter xss

---
 includes/dublin_core.inc                    | 3 +--
 theme/islandora-dublin-core-display.tpl.php | 6 +++---
 theme/theme.inc                             | 6 +++---
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/includes/dublin_core.inc b/includes/dublin_core.inc
index ec058181..ecfcc7b1 100644
--- a/includes/dublin_core.inc
+++ b/includes/dublin_core.inc
@@ -131,7 +131,7 @@ class DublinCore {
           $dc_label = explode(':', $field);
           $element_label = drupal_ucfirst($dc_label[1]);
           $dc_array[$field]['label'] = $element_label;
-          $dc_array[$field]['value'] = $value;
+          $dc_array[$field]['value'] = filter_xss($value);
           $dc_array[$field]['class'] = drupal_strtolower(preg_replace('/[^A-Za-z0-9]/', '-', $field));
           $dc_array[$field]['dcterms'] = preg_replace('/^dc/', 'dcterms', $field);
         }
@@ -140,7 +140,6 @@ class DublinCore {
     return $dc_array;
   }
 
-
   /**
    * Creates a new instance of the class by parsing dc_xml.
    *
diff --git a/theme/islandora-dublin-core-display.tpl.php b/theme/islandora-dublin-core-display.tpl.php
index da67de18..2c2a02ee 100644
--- a/theme/islandora-dublin-core-display.tpl.php
+++ b/theme/islandora-dublin-core-display.tpl.php
@@ -20,11 +20,11 @@
     <dl xmlns:dcterms="http://purl.org/dc/terms/" class="islandora-inline-metadata islandora-metadata-fields">
       <?php $row_field = 0; ?>
       <?php foreach($dc_array as $key => $value): ?>
-        <dt property="<?php print $value['dcterms']; ?>" content="<?php print $value['value']; ?>" class="<?php print $value['class']; ?><?php print $row_field == 0 ? ' first' : ''; ?>">
-          <?php print $value['label']; ?>
+        <dt property="<?php print $value['dcterms']; ?>" content="<?php print filter_xss($value['value']); ?>" class="<?php print $value['class']; ?><?php print $row_field == 0 ? ' first' : ''; ?>">
+          <?php print filter_xss($value['label']); ?>
         </dt>
         <dd class="<?php print $value['class']; ?><?php print $row_field == 0 ? ' first' : ''; ?>">
-          <?php print $value['value']; ?>
+          <?php print filter_xss($value['value']); ?>
         </dd>
         <?php $row_field++; ?>
       <?php endforeach; ?>
diff --git a/theme/theme.inc b/theme/theme.inc
index 8ffffc4f..6a80fbb6 100644
--- a/theme/theme.inc
+++ b/theme/theme.inc
@@ -39,7 +39,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
     );
     $row[] = array(
       'class' => 'datastream-label',
-      'data' => $ds->label,
+      'data' => filter_xss($ds->label),
     );
     $row[] = array(
       'class' => 'datastream-control',
@@ -47,7 +47,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
     );
     $row[] = array(
       'class' => 'datastream-mime',
-      'data' => $ds->mimeType,
+      'data' => filter_xss($ds->mimeType),
     );
     $row[] = array(
       'class' => 'datastream-size',
@@ -81,7 +81,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
     );
     $rows[] = $row;
   }
-  $caption = $islandora_object->label . ' - ' . $islandora_object->id;
+  $caption = filter_xss($islandora_object->label) . ' - ' . $islandora_object->id;
   $table = array(
     'colgroups' => NULL,
     'sticky' => TRUE,