From e89afbf603d1c08a889555c4f77a63c13b4f8d1e Mon Sep 17 00:00:00 2001 From: Bachir Soussi Chiadmi Date: Sun, 19 Apr 2015 21:20:32 +0200 Subject: [PATCH] security update for addressfiled_token --- .../dev/addressfield_tokens/.gitignore | 2 + .../addressfield_tokens.admin.inc | 20 ++---- .../addressfield_tokens.components.inc | 50 ++++++------- .../addressfield_tokens.info | 14 +--- .../addressfield_tokens.module | 70 +++++++++---------- .../addressfield_tokens.theme.inc | 7 +- .../addressfield_tokens.tokens.inc | 54 +++++++------- 7 files changed, 100 insertions(+), 117 deletions(-) create mode 100644 sites/all/modules/contrib/dev/addressfield_tokens/.gitignore diff --git a/sites/all/modules/contrib/dev/addressfield_tokens/.gitignore b/sites/all/modules/contrib/dev/addressfield_tokens/.gitignore new file mode 100644 index 00000000..45142848 --- /dev/null +++ b/sites/all/modules/contrib/dev/addressfield_tokens/.gitignore @@ -0,0 +1,2 @@ +.idea +*.patch \ No newline at end of file diff --git a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.admin.inc b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.admin.inc index 94bd256a..c72bcea9 100644 --- a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.admin.inc +++ b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.admin.inc @@ -1,17 +1,9 @@ . - * You can contact New Signature by electronic mail at labs@newsignature.com -or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005. - */ -/** - * @file Provides an Administrative UI for the addressfield_tokens module. +/** + * @file + * Provides an Administrative UI for the addressfield_tokens module. */ - + /** * Provides a form for configuring regional options for addresses. * 
@@ -44,8 +36,8 @@ function addressfield_tokens_admin_form($form, &$form_state) { foreach ($props as $name => $prop) { $form['addressfield_tokens_property_names'][$name] = array( '#type' => 'textfield', - '#title' => $prop['label'], - '#description' => $name, + '#title' => check_plain($prop['label']), + '#description' => filter_xss($name), '#default_value' => !empty($names[$name]) ? $names[$name] : $prop['label'], ); } diff --git a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.components.inc b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.components.inc index 06f2e155..35934551 100644 --- a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.components.inc +++ b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.components.inc @@ -1,15 +1,7 @@ . - * You can contact New Signature by electronic mail at labs@newsignature.com -or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005. - */ -/** - * @file Webform Component information for an address field type +/** + * @file + * Webform Component information for an address field type */ /** @@ -19,16 +11,16 @@ * An array defining the default structure of a component. */ function _webform_defaults_addressfield() { - return array ( + return array( 'name' => '', 'form_key' => NULL, - 'mandatory' => 0, + 'required' => 0, 'pid' => 0, 'weight' => 0, - 'extra' => array ( + 'extra' => array( 'title_display' => 0, 'private' => FALSE, - 'attributes' => array (), + 'attributes' => array(), 'description' => '', 'available_countries' => array(), 'csv_separate' => 0, @@ -51,7 +43,7 @@ function _webform_defaults_addressfield() { * An array of form items to be displayed on the edit component page */ function _webform_edit_addressfield($component) { - $form = array (); + $form = array(); $form['extra']['available_countries'] = array( '#type' => 'select', 
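Review bot: The changed `#description` line escapes with `filter_xss()` while the `#title` line directly above it uses `check_plain()`, yet both values are plain strings out of `addressfield_data_property_info()`; `filter_xss()` is meant for HTML fragments and leaves whitelisted tags in place, so `'#description' => check_plain($name),` keeps the two lines consistent and makes the plain-text intent explicit. The `#default_value` line needs no change here, since as far as I recall `theme_textfield()` runs `#value` through `check_plain()` on render. addressfield_tokens_admin_form starts outside the hunk.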
@@ -92,16 +84,16 @@ function _webform_edit_addressfield($component) { * @see _webform_client_form_add_component() */ function _webform_render_addressfield($component, $value = NULL, $filter = TRUE) { - $element = array ( + $element = array( '#type' => 'fieldset', '#title' => $filter ? _webform_filter_xss($component['name']) : $component['name'], '#title_display' => $component['extra']['title_display'] ? $component['extra']['title_display'] : 'before', '#attributes' => $component['extra']['attributes'], - '#theme_wrappers' => array ( 'webform_element' ), + '#theme_wrappers' => array('webform_element'), '#description' => $filter ? _webform_filter_descriptions($component['extra']['description']) : $component['extra']['description'], - '#required' => $component['mandatory'], + '#required' => $component['required'], '#weight' => $component['weight'], - '#translatable' => array ( + '#translatable' => array( 'title', 'description', ), @@ -220,12 +212,12 @@ function _webform_display_addressfield($component, $value, $format = 'html') { $address = unserialize($address); } } - return array ( + return array( '#title' => $component['name'], '#weight' => $component['weight'], '#theme' => $format == 'html' ? 'addressfield_formatter' : 'addressfield_formatter__linear', - '#theme_wrappers' => $format == 'html' ? array ( 'webform_element' ) : array ( 'webform_element_text' ), - '#post_render' => array ( 'webform_element_wrapper' ), + '#theme_wrappers' => $format == 'html' ? array('webform_element' ) : array('webform_element_text'), + '#post_render' => array('webform_element_wrapper'), '#component' => $component, '#format' => $format, '#address' => $address, 
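Review bot: Switching `'#required'` to `$component['required']` drops support for webform 7.x-3, whose components carry `mandatory` instead; on such a site the key is undefined, PHP raises a notice and the address fieldset silently stops being required. If 7.x-3 installs are still expected, read whichever key exists, e.g. `'#required' => isset($component['required']) ? $component['required'] : !empty($component['mandatory']),`, and apply the same idea to the `'required' => 0` default in the `_webform_defaults_addressfield()` hunk above. The .info hunk in this commit declares no webform version constraint, so nothing stops the module from being enabled against the older API. `_webform_render_addressfield` continues past the end of the hunk.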
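Review bot: The `'#address' => $address,` context line still hands the unserialized submission values to `addressfield_formatter` unescaped, whereas the field-formatter path in addressfield_tokens.module now wraps every component in `filter_xss()` before passing it under the same `#address` key. Webform submission data is end-user input, so the `html` format here deserves the same treatment, e.g. `'#address' => $format == 'html' ? array_map('filter_xss', $address) : $address,` (the linear/text variant is plain text and must stay raw), unless `theme_addressfield_formatter()` escapes components itself, in which case the formatter-side filtering is the redundant one; either way the two call sites should agree. The `unserialize()` on the context line appears to operate on webform's own serialized storage rather than a request value, which is worth stating in a one-line comment since `unserialize()` on attacker-controlled input is a classic PHP object-injection sink. `_webform_display_addressfield` starts outside the hunk.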
@@ -275,12 +267,12 @@ function _webform_submit_addressfield($component, $value) { * An array of data rows, each containing a statistic for this component's * submissions. */ -function _webform_analysis_addressfield($component, $sids = array (), $single = FALSE) { +function _webform_analysis_addressfield($component, $sids = array(), $single = FALSE) { // TODO Update this function // Generate the list of options and questions. $query = db_select('webform_submitted_data', 'wsd') - ->fields('wsd', array ('data')) + ->fields('wsd', array('data')) ->condition('nid', $component['nid']) ->condition('cid', $component['cid']); @@ -296,11 +288,11 @@ function _webform_analysis_addressfield($component, $sids = array (), $single = } $submissions++; } - $rows[0] = array ( + $rows[0] = array( t('Left Blank'), ( $submissions - $non_blanks ) ); - $rows[1] = array ( + $rows[1] = array( t('User entered value'), $non_blanks ); @@ -343,7 +335,7 @@ function _webform_table_addressfield($component, $value) { * including either prefixed or trailing commas. */ function _webform_csv_headers_addressfield($component, $export_options) { - $header = array (); + $header = array(); if (!empty($component['extra']['csv_separate']) && $component['extra']['csv_separate'] == 1) { $header[0] = array(); $header[1] = array(); @@ -395,4 +387,4 @@ function _webform_csv_data_addressfield($component, $export_options, $value) { } return ''; } -} \ No newline at end of file +} diff --git a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.info b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.info index 392c321e..833cbe53 100644 --- a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.info +++ b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.info 
@@ -1,24 +1,16 @@ -; $Id$ -; Copyright © 2012 New Signature -; -; This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. -; This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -; You should have received a copy of the GNU General Public License along with this program. If not, see . -; You can contact New Signature by electronic mail at labs@newsignature.com �or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005. name = Address Field Tokens description = Creates tokens for address fields, adds new addressfield renders, and adds webform integration. core = 7.x package = Fields -version = 7.x-1.0-dev dependencies[] = addressfield dependencies[] = entity_token dependencies[] = token -; Information added by Drupal.org packaging script on 2014-05-14 -version = "7.x-1.4" +; Information added by Drupal.org packaging script on 2014-10-29 +version = "7.x-1.5" core = "7.x" project = "addressfield_tokens" -datestamp = "1400081330" +datestamp = "1414599829" diff --git a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.module b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.module index f601db66..92ad204d 100644 --- a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.module +++ b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.module @@ -1,12 +1,7 @@ ', $settings['separator']); - $summary = implode($sep, $comps); + $summary = filter_xss(implode($sep, $comps)); } return $summary; } 
@@ -141,26 +136,28 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field, switch ($display['type']) { case 'addressfield_citystate': $theme = array('addressfield_formatter__citystate', 'addressfield_formatter'); - if (!empty($item['country'])) { - array_unshift($theme, 'addressfield_formatter__citystate__' . $item['country']); - } + foreach ($items as $delta => $item) { + if (!empty($item['country'])) { + array_unshift($theme, 'addressfield_formatter__citystate__' . $item['country']); + } $element[$delta] = array( '#theme' => $theme, - '#address' => $item, + '#address' => array_map('filter_xss', $item), ); } break; case 'addressfield_linear': $theme = array('addressfield_formatter__linear', 'addressfield_formatter'); - if (!empty($item['country'])) { - array_unshift($theme, 'addressfield_formatter__linear__' . $item['country']); - } + foreach ($items as $delta => $item) { + if (!empty($item['country'])) { + array_unshift($theme, 'addressfield_formatter__linear__' . $item['country']); + } $element[$delta] = array( '#theme' => $theme, - '#address' => $item, + '#address' => array_map('filter_xss', $item), ); } break; @@ -171,7 +168,7 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field, $country = _addressfield_tokens_country($item['country']); $element[$delta] = array( '#type' => 'markup', - '#markup' => $country, + '#markup' => filter_xss($country), '#prefix' => '', '#suffix' => '', ); @@ -185,7 +182,7 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field, $state = _addressfield_tokens_state($item['country'], $item['administrative_area']); $element[$delta] = array( '#type' => 'markup', - '#markup' => $state, + '#markup' => filter_xss($state), '#prefix' => '', '#suffix' => '', ); 
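Review bot: In both new `foreach` loops `$theme` is declared once before the loop and `array_unshift()`ed inside it, so for a multi-value field every delta's country suggestion accumulates in the same array and a later item without a country inherits the previous item's country-specific theme suggestion. Copy the base list per item: `$suggestions = $theme;` at the top of the loop body, `array_unshift($suggestions, 'addressfield_formatter__citystate__' . $item['country']);` inside the guard, and `'#theme' => $suggestions,` in the element (same for the linear case). Separately, address components are plain text, and `filter_xss()` keeps whitelisted markup such as `<a>` or `<em>` that a user could type into a street line; `check_plain()` is the conventional choice unless the theme function expects HTML in these values, which this diff does not show. addressfield_tokens_field_formatter_view starts before and continues after the hunk.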
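Review bot: `filter_xss($country)` on the changed `#markup` line wraps a value that `_addressfield_tokens_country()` already returns through `check_plain()` elsewhere in this commit, and the state hunk below does the same with `_addressfield_tokens_state()`. Stacking the two does not visibly double-encode (filter_xss() keeps well-formed entities) but it leaves no single place where escaping is known to happen; pick one layer, preferably keep the helpers raw and escape here with `'#markup' => check_plain($country),`. A one-line comment on whichever side owns the escaping would make this reviewable next time.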
@@ -195,17 +192,16 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field, case 'addressfield_components': $theme = array('addressfield_formatter__components', 'addressfield_formatter'); - if (!empty($item['country'])) { - array_unshift($theme, 'addressfield_formatter__components__' . $item['country']); - } - $settings = $display['settings']; foreach ($items as $delta => $item) { + if (!empty($item['country'])) { + array_unshift($theme, 'addressfield_formatter__components__' . $item['country']); + } $element[$delta] = array( '#theme' => $theme, - '#address' => $item, + '#address' => array_map('filter_xss', $item), '#components' => $settings['components'], - '#separator' => $settings['separator'], + '#separator' => filter_xss($settings['separator']), ); } break; @@ -227,7 +223,7 @@ function addressfield_tokens_property_names() { $names = variable_get('addressfield_tokens_property_names', array()); if (empty($names)) { $props = addressfield_data_property_info(); - foreach($props as $name => $prop) { + foreach ($props as $name => $prop) { $names[$name] = $prop['label']; } } 
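Review bot: The components case has the same leak as the citystate/linear loops: `$theme` lives outside the `foreach` and is `array_unshift()`ed per delta, so country suggestions from earlier items carry over to later ones; use a per-item copy (`$suggestions = $theme;`, unshift onto `$suggestions`, `'#theme' => $suggestions,`). Also, `filter_xss($settings['separator'])` with the default whitelist strips tags such as `<br />`, which a site builder may well have configured as the separator; if markup separators are intended, pass an explicit allowed-tag list, otherwise `check_plain()` makes the plain-text intent explicit. The surrounding function starts and ends outside the hunk.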
@@ -277,24 +273,26 @@ function _addressfield_tokens_country($country) { // Country abbreviations will always be two uppercase letters. $country = drupal_strtoupper($country); if (!empty($country) && isset($countries[$country])) { - return $countries[$country]; + return check_plain($countries[$country]); } - return $country; + return check_plain($country); } /** * Gets the abbreviation of the country with the given name * - * @param string The name of the country - * @return string $country The 2-letter abbreviation of the country, or FALSE. + * @param string + * The name of the country. + * @return string $country + * The 2-letter abbreviation of the country, or FALSE. */ function _addressfield_tokens_country_abbr($country) { $countries = array_flip(array_map('strtolower', _addressfield_tokens_countries())); if (isset($countries[strtolower($country)])) { - return $countries[strtolower($country)]; + return check_plain($countries[strtolower($country)]); } - return $country; + return check_plain($country); } /** @@ -341,20 +339,20 @@ function _addressfield_tokens_state($country, $state) { // State abbreviations will usually be two uppercase letters. $state = drupal_strtoupper($state); if (!empty($state) && !empty($states[$state])) { - return $states[$state]; + return check_plain($states[$state]); } - return $state; + return check_plain($state); } /** * Implements hook_webform_component_info(). */ function addressfield_tokens_webform_component_info() { - $components = array (); - $components['addressfield'] = array ( + $components = array(); + $components['addressfield'] = array( 'label' => t('Address'), 'description' => t('Address field.'), - 'features' => array ( + 'features' => array( // Add content to CSV downloads. Defaults to TRUE. 'csv' => TRUE, // Show this component in e-mailed submissions. Defaults to TRUE. 
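Review bot: Moving `check_plain()` into `_addressfield_tokens_country()` and `_addressfield_tokens_country_abbr()` (and `_addressfield_tokens_state()` in the next hunk) bakes HTML escaping into helpers that are also used outside HTML: the token implementation in addressfield_tokens.tokens.inc builds the `text` and `city_state` output from these return values and emits it unescaped when `$options['sanitize']` is off, so plain-text contexts such as e-mail now receive `&#039;` for a name like Côte d'Ivoire. Prefer returning the raw name here and escaping at the output point (the formatter `#markup`, the `$sanitize` branch in the token code), with a docblock line such as `@return string The unescaped country name.` so callers know the contract. For `_addressfield_tokens_country_abbr()` the escaping is a no-op on a valid two-letter code but alters the fallback value, which matters if any caller compares the result against a code. Both functions start before the hunk.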
diff --git a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.theme.inc b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.theme.inc index 948dd750..74182dfc 100644 --- a/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.theme.inc +++ b/sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.theme.inc @@ -1,4 +1,9 @@ . - * You can contact New Signature by electronic mail at labs@newsignature.com -or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005. - */ - -/** - * @file Provides token replacements for address fields. -*/ +/** + * @file Provides token replacements for address fields. +*/ /** * Implements hook_token_info_alter(). @@ -40,8 +30,6 @@ function addressfield_tokens_token_info_alter(&$info) { foreach ($props as $field => $data) { $fieldtoken = str_replace('_', '-', $field); - $name = ''; - $descr = ''; if (!empty($names[$field])) { $name = $names[$field]; @@ -58,7 +46,7 @@ function addressfield_tokens_token_info_alter(&$info) { } } $info['tokens']['addressfield'][$fieldtoken] = array( - 'name' => $name, + 'name' => $name, 'description' => $descr, 'type' => 'text', ); @@ -139,6 +127,7 @@ function addressfield_tokens_token_info_alter(&$info) { */ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array $options = array()) { $url_options = array(); + // @todo: why are we setting $language_code and not using it? if (isset($options['language'])) { $url_options['language'] = $options['language']; $language_code = $options['language']->language; 
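Review bot: Dropping `$name = '';` and `$descr = '';` from inside the `foreach` means that, unless every path of the `if` that follows (its remainder is outside the hunk) assigns both variables, a field without a custom name silently inherits the previous field's `$name`/`$descr` before they are written into `$info['tokens']['addressfield'][$fieldtoken]` in the later hunk, and on the very first iteration PHP raises an undefined-variable notice. Keep the two resets, or give the conditional an explicit `else` that sets both. Note too that `$names[$field]` comes from an admin-entered variable and becomes the token name unescaped, which is fine only if the token browser escapes names on display; a comment such as `// Admin-supplied label; escaped by the token UI on output.` would record that assumption. addressfield_tokens_token_info_alter starts outside the hunk.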
@@ -146,18 +135,21 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array else { $language_code = LANGUAGE_NONE; } + $sanitize = !empty($options['sanitize']); $replacements = array(); - + $last_original = NULL; + // Process address field tokens if ($type == 'addressfield' && !empty($data['addressfield'])) { foreach ($tokens as $name => $original) { + $last_original = $original; $name = str_replace('-', '_', $name); $address = $data['addressfield']; // If the address field exists, use it. if (isset($address[$name])) { - $replacements[$original] = $address[$name]; + $replacements[$original] = $sanitize ? filter_xss($address[$name]) : $address[$name]; } else { // Otherwise, it's a special token @@ -166,7 +158,7 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array $render = addressfield_generate($address, array('address'), array( 'mode' => 'render', )); - $replacements[$original] = drupal_render($render); + $replacements[$original] = $sanitize ? filter_xss(drupal_render($render)) : drupal_render($render); break; case 'text': @@ -188,7 +180,7 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array if (!empty($address['country']) && $address['country'] != addressfield_tokens_default_country()) { $out[2] = _addressfield_tokens_country($address['country']); } - $replacements[$original] = implode("\n", $out); + $replacements[$original] = $sanitize ? filter_xss(implode("\n", $out)) : implode("\n", $out); break; case 'city_state': 
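Review bot: The sanitized branch on the changed `$replacements[$original]` line uses `filter_xss()` on individual address components, which keeps whitelisted tags (`<a>`, `<em>`, `<strong>`, …) that a user can type into a street or organisation line; these are plain-text values, and core's own token implementations sanitize plain text with `check_plain()`. Suggest `$replacements[$original] = $sanitize ? check_plain($address[$name]) : $address[$name];`. Introducing the `$sanitize` flag itself is the right shape, since plain-text consumers such as e-mail pass `sanitize => FALSE` and must get the raw value. addressfield_tokens_tokens continues past the hunk.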
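Review bot: `filter_xss(drupal_render($render))` runs the default tag whitelist over fully rendered address markup; addressfield's render mode wraps components in `<div>`/`<span>` elements as far as I recall (please confirm), and neither tag is on filter_xss()'s default list, so the sanitized `render` token loses its structure and CSS classes while the text survives. If the values inside the render array are already escaped by addressfield's renderer, the filter adds nothing and `drupal_render($render)` can stand alone with a comment stating where escaping happened; otherwise pass an explicit list, e.g. `filter_xss(drupal_render($render), array('div', 'span', 'a', 'em', 'strong'))`, matched to whatever addressfield actually emits. The switch branch enclosing this starts before the hunk.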
@@ -202,18 +194,28 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array if (!empty($address['country']) && $address['country'] != addressfield_tokens_default_country()) { $out[] = _addressfield_tokens_country($address['country']); } - $replacements[$original] = implode(", ", $out); + $replacements[$original] = $sanitize ? filter_xss(implode(", ", $out)) : implode(", ", $out); break; case 'state_name': if (!empty($address['administrative_area']) && !empty($address['country'])) { - $replacements[$original] = _addressfield_tokens_state($address['country'], $address['administrative_area']); + if ($sanitize) { + $replacements[$original] = filter_xss(_addressfield_tokens_state($address['country'], $address['administrative_area'])); + } + else { + $replacements[$original] = _addressfield_tokens_state($address['country'], $address['administrative_area']); + } } break; case 'country_name': if (!empty($address['country'])) { - $replacements[$original] = _addressfield_tokens_country($address['country']); + if ($sanitize) { + $replacements[$original] = filter_xss(_addressfield_tokens_country($address['country'])); + } + else { + $replacements[$original] = _addressfield_tokens_country($address['country']); + } } break; @@ -232,8 +234,8 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array } } } - if (!isset($replacements[$original])) { - $replacements[$original] = ''; + if (!isset($replacements[$last_original])) { + $replacements[$last_original] = ''; } } else { @@ -252,7 +254,7 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array } catch (EntityMetadataWrapperException $e) { // The property doesn't exist, so skip it. - $replacements[$original] = ''; + $replacements[$last_original] = ''; } } }
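Review bot: The new `if ($sanitize)` blocks for `state_name` and `country_name` produce escaped output on both branches, because `_addressfield_tokens_state()` and `_addressfield_tokens_country()` now `check_plain()` their return values in addressfield_tokens.module; the unsanitized branch therefore still pushes `&#039;`-style entities into plain-text contexts, and the sanitized one escapes twice. Decide where escaping lives: if the helpers stay escaped, collapse each block back to the single assignment; if they return raw names, the branches are meaningful and each fits on one line, e.g. `$replacements[$original] = $sanitize ? check_plain(_addressfield_tokens_country($address['country'])) : _addressfield_tokens_country($address['country']);`. The switch this sits in starts before the hunk.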
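Review bot: Replacing `$original` with `$last_original` after the loop preserves the old behaviour of defaulting only the final token to `''`; any earlier addressfield token that matched no case is still left unreplaced in the output, and when `$tokens` is empty `$last_original` is `NULL`, which writes a stray `$replacements['']` entry. The cleaner fix is to drop this block and `$last_original` altogether and put `if (!isset($replacements[$original])) { $replacements[$original] = ''; }` at the end of the `foreach` body in the earlier hunk, where `$original` is in scope. The closing braces at the top of the hunk belong to a switch and loop that start outside it.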
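Review bot: Inside the `else` branch's catch block `$last_original` is never assigned, the only assignment visible in this diff being inside the addressfield `foreach` of the earlier hunk, so unless the loop enclosing this try/catch (outside the hunk) sets it too, the line now writes `$replacements[NULL]` (key `''`) instead of the failing token and the unresolved token placeholder leaks into the output. Restoring `$replacements[$original] = '';` is correct if this loop binds `$original` as the other one does; if the rename was meant to silence a scope warning, assign `$last_original = $original;` in this loop as well. The try/catch and the loop around it start before the hunk.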