Fixed possible XSS with field labels in Feed importer mapping settings.

62718444 · Dave Reid · 6f94dcc1 · 62718444 · 62718444 · 62718444
Commit 62718444 authored 13 years ago by Dave Reid
--- a/mappers/date.inc
+++ b/mappers/date.inc
@@ -17,14 +17,13 @@ function date_feeds_processor_targets_alter(&$targets, $entity_type, $bundle_nam
    $info = field_info_field($name);
    if (in_array($info['type'], array('date', 'datestamp', 'datetime'))) {
      $targets[$name . ':start'] = array(
-        'name' => $instance['label'] . ': Start',
+        'name' => t('@name: Start', array('@name' => $instance['label'])),
        'callback' => 'date_feeds_set_target',
-        'description' => t('The start date for the @name field. Also use if mapping both start and end.',
-          array('@name' => $instance['label'])),
+        'description' => t('The start date for the @name field. Also use if mapping both start and end.', array('@name' => $instance['label'])),
        'real_target' => $name,
      );
      $targets[$name . ':end'] = array(
-        'name' => $instance['label'] . ': End',
+        'name' => t('@name: End', array('@name' => $instance['label'])),
        'callback' => 'date_feeds_set_target',
        'description' => t('The end date for the @name field.', array('@name' => $instance['label'])),
        'real_target' => $name,

--- a/mappers/field.inc
+++ b/mappers/field.inc
@@ -40,7 +40,7 @@ function field_feeds_processor_targets_alter(&$targets, $entity_type, $bundle_na
    }
    if (isset($callback)) {
      $targets[$name] = array(
-        'name' => $instance['label'],
+        'name' => check_plain($instance['label']),
        'callback' => $callback,
        'description' => t('The @label field of the node.', array('@label' => $instance['label'])),
      );

--- a/mappers/file.inc
+++ b/mappers/file.inc
@@ -21,7 +21,7 @@ function file_feeds_processor_targets_alter(&$targets, $entity_type, $bundle_nam

    if (in_array($info['type'], array('file', 'image'))) {
      $targets[$name] = array(
-        'name' => $instance['label'],
+        'name' => check_plain($instance['label']),
        'callback' => 'file_feeds_set_target',
        'description' => t('The @label field of the node.', array('@label' => $instance['label'])),
      );

--- a/mappers/link.inc
+++ b/mappers/link.inc
@@ -16,14 +16,14 @@ function link_feeds_processor_targets_alter(&$targets, $entity_type, $bundle_nam
    if ($info['type'] == 'link_field') {
      if (array_key_exists('url', $info['columns'])) {
        $targets[$name . ':url'] = array(
-          'name' => $instance['label'] . ' URL',
+          'name' => t('@name URL', array('@name' => $instance['label'])),
          'callback' => 'link_feeds_set_target',
          'description' => t('The @label field of the node.', array('@label' => $instance['label'])),
        );
      }
      if (array_key_exists('title', $info['columns'])) {
        $targets[$name . ':title'] = array(
-          'name' => $instance['label'] . ' Title',
+          'name' => t('@name Title', array('@name' => $instance['label'])),
          'callback' => 'link_feeds_set_target',
          'description' => t('The @label field of the node.', array('@label' => $instance['label'])),
        );

--- a/mappers/taxonomy.inc
+++ b/mappers/taxonomy.inc
@@ -48,7 +48,7 @@ function taxonomy_feeds_processor_targets_alter(&$targets, $entity_type, $bundle
    $info = field_info_field($name);
    if ($info['type'] == 'taxonomy_term_reference') {
      $targets[$name] = array(
-        'name' => $instance['label'],
+        'name' => check_plain($instance['label']),
        'callback' => 'taxonomy_feeds_set_target',
        'description' => t('The @label field of the node.', array('@label' => $instance['label'])),
      );