Sec.vulnaraility #44039: Taxonomy-Administrators can inject XSS into public pages. 6.x-1.3
authorBèr Kessels
Tue, 1 Mar 2011 16:47:49 +0000 (17:47 +0100)
committerBèr Kessels
Wed, 16 Mar 2011 17:30:32 +0000 (18:30 +0100)
tagadelic.module

index 2ce7b02..5b61758 100644 (file)
@@ -146,7 +146,11 @@ function tagadelic_page_list($vocs) {
 
   foreach ($vocs as $vid) {
     $vocabulary = taxonomy_vocabulary_load($vid);
-
+    
+    //Clean out vocabulary, so that we don't have to leave security to our theme layer.
+    $vocabulary->description = filter_xss_admin($vocabulary->description);
+    $vocabulary->name = filter_xss_admin($vocabulary->name);
+    
     $tags = tagadelic_get_weighted_tags(array($vocabulary->vid), variable_get('tagadelic_levels', 6), variable_get('tagadelic_page_amount', '60'));
     $tags = tagadelic_sort_tags($tags);