security update core+modules
This commit is contained in:
Bachir Soussi Chiadmi
@@ -196,8 +196,14 @@ class EntityFieldHandlerHelper {
|
||||
if ($handler->relationship) {
|
||||
$current_handler = $handler;
|
||||
$view = $current_handler->view;
|
||||
while (!empty($current_handler->relationship) && !empty($view->relationship[$current_handler->relationship])) {
|
||||
$current_handler = $view->relationship[$current_handler->relationship];
|
||||
$relationships = array();
|
||||
// Collect all relationships, keyed by alias.
|
||||
foreach ($view->relationship as $key => $relationship) {
|
||||
$key = $relationship->alias ? $relationship->alias : $key;
|
||||
$relationships[$key] = $relationship;
|
||||
}
|
||||
while (!empty($current_handler->relationship) && !empty($relationships[$current_handler->relationship])) {
|
||||
$current_handler = $relationships[$current_handler->relationship];
|
||||
$return = $current_handler->real_field . ($return ? ":$return" : '');
|
||||
}
|
||||
}
|
||||
@@ -337,7 +343,7 @@ class EntityFieldHandlerHelper {
|
||||
$values->_entity_properties[$selector] = $wrapper->value();
|
||||
}
|
||||
else {
|
||||
$values->_entity_properties[$selector] = isset($wrapper->$field) ? $wrapper->$field->value(array('identifier' => TRUE)) : $default;
|
||||
$values->_entity_properties[$selector] = isset($wrapper->$field) ? $wrapper->$field->value(array('identifier' => TRUE, 'sanitize' => TRUE)) : $default;
|
||||
}
|
||||
}
|
||||
catch (EntityMetadataWrapperException $e) {
|
||||
|
||||
@@ -10,6 +10,7 @@ class entity_views_handler_area_entity extends views_handler_area {
|
||||
$options['entity_type'] = array('default' => 'node');
|
||||
$options['entity_id'] = array('default' => '');
|
||||
$options['view_mode'] = array('default' => 'full');
|
||||
$options['bypass_access'] = array('default' => FALSE);
|
||||
return $options;
|
||||
}
|
||||
|
||||
@@ -73,6 +74,12 @@ class entity_views_handler_area_entity extends views_handler_area {
|
||||
);
|
||||
}
|
||||
}
|
||||
$form['bypass_access'] = array(
|
||||
'#type' => 'checkbox',
|
||||
'#title' => t('Bypass access checks'),
|
||||
'#description' => t('If enabled, access permissions for rendering the entity are not checked.'),
|
||||
'#default_value' => !empty($this->options['bypass_access']),
|
||||
);
|
||||
return $form;
|
||||
}
|
||||
|
||||
@@ -99,10 +106,12 @@ class entity_views_handler_area_entity extends views_handler_area {
|
||||
*/
|
||||
public function render_entity($entity_type, $entity_id, $view_mode) {
|
||||
if (!empty($entity_type) && !empty($entity_id) && !empty($view_mode)) {
|
||||
$entities = entity_load($entity_type, array($entity_id));
|
||||
$render = entity_view($entity_type, $entities, $view_mode);
|
||||
$render_entity = reset($render);
|
||||
return drupal_render($render_entity);
|
||||
$entity = entity_load_single($entity_type, $entity_id);
|
||||
if (!empty($this->options['bypass_access']) || entity_access('view', $entity_type, $entity)) {
|
||||
$render = entity_view($entity_type, array($entity), $view_mode);
|
||||
$render_entity = reset($render);
|
||||
return drupal_render($render_entity);
|
||||
}
|
||||
}
|
||||
else {
|
||||
return '';
|
||||
|
||||
@@ -122,8 +122,10 @@ class entity_views_handler_field_duration extends views_handler_field {
|
||||
if ($this->options['format_interval']) {
|
||||
$value = format_interval($value, (int) $this->options['granularity']);
|
||||
}
|
||||
// Value sanitization is handled by the wrapper, see
|
||||
// EntityFieldHandlerHelper::get_value().
|
||||
return $this->sanitize_value($this->options['prefix'], 'xss') .
|
||||
$this->sanitize_value($value) .
|
||||
$value .
|
||||
$this->sanitize_value($this->options['suffix'], 'xss');
|
||||
}
|
||||
|
||||
|
||||
@@ -80,6 +80,7 @@ class entity_views_handler_field_entity extends views_handler_field {
|
||||
$options['display'] = array('default' => 'label');
|
||||
$options['link_to_entity']['default'] = TRUE;
|
||||
$options['view_mode'] = array('default' => 'default');
|
||||
$options['bypass_access'] = array('default' => FALSE);
|
||||
|
||||
return $options;
|
||||
}
|
||||
@@ -134,6 +135,12 @@ class entity_views_handler_field_entity extends views_handler_field {
|
||||
'#value' => $options ? key($options) : 'default',
|
||||
);
|
||||
}
|
||||
$form['bypass_access'] = array(
|
||||
'#type' => 'checkbox',
|
||||
'#title' => t('Bypass access checks'),
|
||||
'#description' => t('If enabled, access permissions for rendering the entity are not checked.'),
|
||||
'#default_value' => !empty($this->options['bypass_access']),
|
||||
);
|
||||
}
|
||||
|
||||
public function render($values) {
|
||||
@@ -175,7 +182,8 @@ class entity_views_handler_field_entity extends views_handler_field {
|
||||
if (!is_object($entity) && isset($entity) && $entity !== FALSE) {
|
||||
$entity = entity_load_single($type, $entity);
|
||||
}
|
||||
if (!$entity) {
|
||||
// Make sure the entity exists and access is either given or bypassed.
|
||||
if (!$entity || !(!empty($this->options['bypass_access']) || entity_access('view', $type, $entity))) {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
||||
@@ -112,8 +112,9 @@ class entity_views_handler_field_options extends views_handler_field {
|
||||
if ($this->options['format_name'] && isset($this->option_list[$value])) {
|
||||
$value = $this->option_list[$value];
|
||||
}
|
||||
|
||||
return $this->sanitize_value($value);
|
||||
// Sanitization is handled by the wrapper, see
|
||||
// EntityFieldHandlerHelper::get_value().
|
||||
return $value;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -93,7 +93,9 @@ class entity_views_handler_field_text extends views_handler_field {
|
||||
* Render a single field value.
|
||||
*/
|
||||
public function render_single_value($value, $values) {
|
||||
return $this->sanitize_value($value, 'xss');
|
||||
// Sanitization is handled by the wrapper, see
|
||||
// EntityFieldHandlerHelper::get_value().
|
||||
return $value;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -93,7 +93,7 @@ class entity_views_handler_relationship_by_bundle extends views_handler_relation
|
||||
$def['extra'] = array(
|
||||
array(
|
||||
// The table and the IN operator are implicit.
|
||||
'field' => $entity_info['bundle keys']['bundle'],
|
||||
'field' => $entity_info['entity keys']['bundle'],
|
||||
'value' => $this->options['bundle_types'],
|
||||
),
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user