
security update for addressfiled_token

Bachir Soussi Chiadmi 9 yıl önce
ebeveyn
işleme
e89afbf603

+ 2 - 0
sites/all/modules/contrib/dev/addressfield_tokens/.gitignore

@@ -0,0 +1,2 @@
+.idea
+*.patch

+ 6 - 14
sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.admin.inc

@@ -1,17 +1,9 @@
 <?php
-// $Id$
-/*
- * Copyright © 2012 New Signature
- *
- * This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
- * You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
- * You can contact New Signature by electronic mail at labs@newsignature.com -or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005.
- */
-/**
- * @file Provides an Administrative UI for the addressfield_tokens module. 
+/**
+ * @file
+ * Provides an Administrative UI for the addressfield_tokens module.
 */
-
+
 /**
  * Provides a form for configuring regional options for addresses.
  * 
@@ -44,8 +36,8 @@ function addressfield_tokens_admin_form($form, &$form_state) {
   foreach ($props as $name => $prop) {
     $form['addressfield_tokens_property_names'][$name] = array(
       '#type' => 'textfield',
-      '#title' => $prop['label'],
-      '#description' => $name,
+      '#title' => check_plain($prop['label']),
+      '#description' => filter_xss($name),
       '#default_value' => !empty($names[$name]) ? $names[$name] : $prop['label'],
     );
   }
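Review bot: The two new escapes in addressfield_tokens_admin_form use different sanitizers for the same kind of value: `'#title' => check_plain($prop['label'])` but `'#description' => filter_xss($name)`, where `$name` is the property machine name keyed from `$props`, i.e. plain text that never legitimately contains markup. Escaping both is right in itself, since Drupal 7's Form API renders #title and #description unescaped, but filter_xss is a tag allow-list filter and the wrong tool for a plain string; use `'#description' => check_plain($name),` so the two lines agree. The `#default_value` on the following line can stay raw because theme_textfield escapes the value attribute itself. The form builder begins outside the hunk, so how `$props` and `$names` are loaded was not checked here.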

+ 21 - 29
sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.components.inc

@@ -1,15 +1,7 @@
 <?php
-// $Id$
-/*
- * Copyright © 2012 New Signature
- *
- * This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
- * You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
- * You can contact New Signature by electronic mail at labs@newsignature.com -or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005.
- */
-/** 
- * @file Webform Component information for an address field type 
+/**
+ * @file
+ * Webform Component information for an address field type
  */
 
 /**
@@ -19,16 +11,16 @@
  *   An array defining the default structure of a component.
  */
 function _webform_defaults_addressfield() {
-  return array (
+  return array(
     'name'      => '',
     'form_key'  => NULL,
-    'mandatory' => 0,
+    'required' => 0,
     'pid'       => 0,
     'weight'    => 0,
-    'extra'     => array (
+    'extra'     => array(
       'title_display'             => 0,
       'private'                   => FALSE,
-      'attributes'                => array (),
+      'attributes'                => array(),
       'description'               => '',
       'available_countries'       => array(),
       'csv_separate'              => 0,
@@ -51,7 +43,7 @@ function _webform_defaults_addressfield() {
  *   An array of form items to be displayed on the edit component page
  */
 function _webform_edit_addressfield($component) {
-  $form = array ();
+  $form = array();
   
   $form['extra']['available_countries'] = array(
     '#type' => 'select',
@@ -92,16 +84,16 @@ function _webform_edit_addressfield($component) {
  * @see _webform_client_form_add_component()
  */
 function _webform_render_addressfield($component, $value = NULL, $filter = TRUE) {
-  $element = array (
+  $element = array(
     '#type'             => 'fieldset',
     '#title'            => $filter ? _webform_filter_xss($component['name']) : $component['name'],
     '#title_display'    => $component['extra']['title_display'] ? $component['extra']['title_display'] : 'before',
     '#attributes'       => $component['extra']['attributes'],
-    '#theme_wrappers'   => array ( 'webform_element' ),
+    '#theme_wrappers'   => array('webform_element'),
     '#description'      => $filter ? _webform_filter_descriptions($component['extra']['description']) : $component['extra']['description'],
-    '#required'         => $component['mandatory'],
+    '#required'         => $component['required'],
     '#weight'           => $component['weight'],
-    '#translatable'     => array (
+    '#translatable'     => array(
       'title',
       'description',
     ),
@@ -220,12 +212,12 @@ function _webform_display_addressfield($component, $value, $format = 'html') {
       $address = unserialize($address);
     }
   }
-  return array (
+  return array(
     '#title'          => $component['name'],
     '#weight'         => $component['weight'],
     '#theme'          => $format == 'html' ? 'addressfield_formatter' : 'addressfield_formatter__linear',
-    '#theme_wrappers' => $format == 'html' ? array ( 'webform_element' ) : array ( 'webform_element_text' ),
-    '#post_render'    => array ( 'webform_element_wrapper' ),
+    '#theme_wrappers' => $format == 'html' ? array('webform_element' ) : array('webform_element_text'),
+    '#post_render'    => array('webform_element_wrapper'),
     '#component'      => $component,
     '#format'         => $format,
     '#address'        => $address,
@@ -275,12 +267,12 @@ function _webform_submit_addressfield($component, $value) {
  *   An array of data rows, each containing a statistic for this component's
  *   submissions.
  */
-function _webform_analysis_addressfield($component, $sids = array (), $single = FALSE) {
+function _webform_analysis_addressfield($component, $sids = array(), $single = FALSE) {
   // TODO Update this function
   
   // Generate the list of options and questions.
   $query = db_select('webform_submitted_data', 'wsd')
-    ->fields('wsd', array ('data'))
+    ->fields('wsd', array('data'))
     ->condition('nid', $component['nid'])
     ->condition('cid', $component['cid']);
     
@@ -296,11 +288,11 @@ function _webform_analysis_addressfield($component, $sids = array (), $single =
     }
     $submissions++;
   }
-  $rows[0] = array (
+  $rows[0] = array(
     t('Left Blank'),
     ( $submissions - $non_blanks )
   );
-  $rows[1] = array (
+  $rows[1] = array(
     t('User entered value'),
     $non_blanks
   );
@@ -343,7 +335,7 @@ function _webform_table_addressfield($component, $value) {
  *   including either prefixed or trailing commas.
  */
 function _webform_csv_headers_addressfield($component, $export_options) {
-  $header = array ();
+  $header = array();
   if (!empty($component['extra']['csv_separate']) && $component['extra']['csv_separate'] == 1) {
     $header[0] = array();
     $header[1] = array();
@@ -395,4 +387,4 @@ function _webform_csv_data_addressfield($component, $export_options, $value) {
     }
     return '';
   }
-}
+}
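Review bot: The `mandatory` → `required` rename in _webform_defaults_addressfield and the matching `'#required' => $component['required']` in _webform_render_addressfield follow the Webform 4.x component schema, yet this module's .info declares no Webform dependency or minimum version, so under a Webform 3.x site `$component['required']` is undefined: a PHP notice and a field that silently stops being required. If 3.x is still meant to work, read it defensively, e.g. `'#required' => isset($component['required']) ? $component['required'] : (isset($component['mandatory']) ? $component['mandatory'] : 0),`; otherwise record the 4.x requirement in the .info file so the mismatch is caught at install time. Which branch is targeted is not visible in this commit, so this is an inference. Separately, _webform_display_addressfield still hands the unserialized submission straight to `#address` without the filter_xss the field formatters now apply; whether the addressfield_formatter theme escapes those values is not visible here and is worth confirming.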

+ 3 - 11
sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.info

@@ -1,24 +1,16 @@
-; $Id$
-; Copyright © 2012 New Signature
-; 
-; This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
-; This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-; You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
-; You can contact New Signature by electronic mail at labs@newsignature.com �or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005.
 
 name = Address Field Tokens
 description = Creates tokens for address fields, adds new addressfield renders, and adds webform integration.
 core = 7.x
 package = Fields
-version = 7.x-1.0-dev
 
 dependencies[] = addressfield
 dependencies[] = entity_token
 dependencies[] = token
 
-; Information added by Drupal.org packaging script on 2014-05-14
-version = "7.x-1.4"
+; Information added by Drupal.org packaging script on 2014-10-29
+version = "7.x-1.5"
 core = "7.x"
 project = "addressfield_tokens"
-datestamp = "1400081330"
+datestamp = "1414599829"
 

+ 34 - 36
sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.module

@@ -1,12 +1,7 @@
 <?php
 /**
- * @file 
- * 
- * Copyright 2011 New Signature
- * http://www.newsignature.com
- *
- * @author Andrew Marcus
- * @since Oct 4, 2011
+ * @file
+ * Main components.
  */
 
 function addressfield_tokens_menu() {
@@ -127,7 +122,7 @@ function addressfield_tokens_field_formatter_settings_summary($field, $instance,
   if ($display['type'] == 'addressfield_components') {
     $comps = array_intersect_key(addressfield_tokens_components(), array_flip($settings['components']));
     $sep = str_replace('\n', '<br/>', $settings['separator']);
-    $summary = implode($sep, $comps);
+    $summary = filter_xss(implode($sep, $comps));
   }
   return $summary;
 }
@@ -141,26 +136,28 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field,
   switch ($display['type']) {
     case 'addressfield_citystate':
       $theme = array('addressfield_formatter__citystate', 'addressfield_formatter');
-      if (!empty($item['country'])) {
-        array_unshift($theme, 'addressfield_formatter__citystate__' . $item['country']);
-      }
+
       foreach ($items as $delta => $item) {
+        if (!empty($item['country'])) {
+          array_unshift($theme, 'addressfield_formatter__citystate__' . $item['country']);
+        }
         $element[$delta] = array(
           '#theme' => $theme,
-          '#address' => $item,
+          '#address' => array_map('filter_xss', $item),
         );
       }
       break;
       
     case 'addressfield_linear':
       $theme = array('addressfield_formatter__linear', 'addressfield_formatter');
-      if (!empty($item['country'])) {
-        array_unshift($theme, 'addressfield_formatter__linear__' . $item['country']);
-      }
+
       foreach ($items as $delta => $item) {
+        if (!empty($item['country'])) {
+          array_unshift($theme, 'addressfield_formatter__linear__' . $item['country']);
+        }
         $element[$delta] = array(
           '#theme' => $theme,
-          '#address' => $item,
+          '#address' => array_map('filter_xss', $item),
         );
       }
       break;
@@ -171,7 +168,7 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field,
           $country = _addressfield_tokens_country($item['country']);
           $element[$delta] = array(
             '#type' => 'markup',
-            '#markup' => $country,
+            '#markup' => filter_xss($country),
             '#prefix' => '<span class="addressfield-country">',
             '#suffix' => '</span>',
           );
@@ -185,7 +182,7 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field,
           $state = _addressfield_tokens_state($item['country'], $item['administrative_area']);
           $element[$delta] = array(
             '#type' => 'markup',
-            '#markup' => $state,
+            '#markup' => filter_xss($state),
             '#prefix' => '<span class="addressfield-state">',
             '#suffix' => '</span>',
           );
@@ -195,17 +192,16 @@ function addressfield_tokens_field_formatter_view($entity_type, $entity, $field,
       
     case 'addressfield_components':
       $theme = array('addressfield_formatter__components', 'addressfield_formatter');
-      if (!empty($item['country'])) {
-        array_unshift($theme, 'addressfield_formatter__components__' . $item['country']);
-      }
-      
       $settings = $display['settings'];
       foreach ($items as $delta => $item) {
+        if (!empty($item['country'])) {
+          array_unshift($theme, 'addressfield_formatter__components__' . $item['country']);
+        }      
         $element[$delta] = array(
           '#theme' => $theme,
-          '#address' => $item,
+          '#address' => array_map('filter_xss', $item),
           '#components' => $settings['components'],
-          '#separator' => $settings['separator'],
+          '#separator' => filter_xss($settings['separator']),
         );
       }
       break;
@@ -227,7 +223,7 @@ function addressfield_tokens_property_names() {
   $names = variable_get('addressfield_tokens_property_names', array());
   if (empty($names)) {
     $props = addressfield_data_property_info();
-    foreach($props as $name => $prop) {
+    foreach ($props as $name => $prop) {
       $names[$name] = $prop['label'];
     }
   }
@@ -277,24 +273,26 @@ function _addressfield_tokens_country($country) {
   // Country abbreviations will always be two uppercase letters. 
   $country = drupal_strtoupper($country);
   if (!empty($country) && isset($countries[$country])) {
-    return $countries[$country];
+    return check_plain($countries[$country]);
   }
-  return $country;
+  return check_plain($country);
 }
 
 /**
  * Gets the abbreviation of the country with the given name
  * 
- * @param string The name of the country
- * @return string $country The 2-letter abbreviation of the country, or FALSE.
+ * @param string
+ *   The name of the country.
+ * @return string $country
+ *   The 2-letter abbreviation of the country, or FALSE.
  */
 function _addressfield_tokens_country_abbr($country) {
   $countries = array_flip(array_map('strtolower', _addressfield_tokens_countries()));
 
   if (isset($countries[strtolower($country)])) {
-    return $countries[strtolower($country)];
+    return check_plain($countries[strtolower($country)]);
   }
-  return $country;
+  return check_plain($country);
 }
 
 /**
@@ -341,20 +339,20 @@ function _addressfield_tokens_state($country, $state) {
   // State abbreviations will usually be two uppercase letters. 
   $state = drupal_strtoupper($state);
   if (!empty($state) && !empty($states[$state])) {
-    return $states[$state];
+    return check_plain($states[$state]);
   }
-  return $state;
+  return check_plain($state);
 }
 
 /** 
  * Implements hook_webform_component_info(). 
  */
 function addressfield_tokens_webform_component_info() {
-  $components = array ();
-  $components['addressfield'] = array (
+  $components = array();
+  $components['addressfield'] = array(
     'label'       => t('Address'),
     'description' => t('Address field.'),
-    'features'    => array (
+    'features'    => array(
       // Add content to CSV downloads. Defaults to TRUE.
       'csv'           => TRUE,
       // Show this component in e-mailed submissions. Defaults to TRUE.

+ 6 - 1
sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.theme.inc

@@ -1,4 +1,9 @@
 <?php
+/**
+ * @file
+ * Theme Controllers.
+ */
+
 /**
  * Implements theme_field();
  * 
@@ -102,5 +107,5 @@ function theme_addressfield_formatter__components($vars) {
     }
   }
   
-  return filter_xss(implode($separator, $out));
+  return implode($separator, $out);
 }
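Review bot: Dropping `filter_xss()` from the return of theme_addressfield_formatter__components makes escaping the caller's responsibility, but a theme hook is a public extension point and nothing in its interface says `#address` and `#separator` must arrive sanitized; the only caller this commit escapes is the addressfield_components formatter in the .module, while Views, custom code or the webform integration can invoke the same hook with raw data. Either keep escaping where the component strings are assembled into `$out` (the start of the function is outside the hunk), or at minimum state the new contract in the function's docblock: `@param array $vars  #address values and #separator must already be sanitized; this theme function emits them unescaped.` If the motivation was to avoid double escaping with the new per-item filter_xss, note that filter_xss, as far as I recall, preserves well-formed entities, so a second pass was not producing visible corruption and removing the inner one buys little.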

+ 28 - 26
sites/all/modules/contrib/dev/addressfield_tokens/addressfield_tokens.tokens.inc

@@ -1,17 +1,7 @@
 <?php
-// $Id$
-/*
- * Copyright © 2012 New Signature
- *
- * This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
- * You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
- * You can contact New Signature by electronic mail at labs@newsignature.com -or- by U.S. Postal Service at 1100 H St. NW, Suite 940, Washington, DC 20005.
- */
-
-/**
- * @file Provides token replacements for address fields.
-*/
+/**
+ * @file Provides token replacements for address fields.
+*/
 
 /**
  * Implements hook_token_info_alter().
@@ -40,8 +30,6 @@ function addressfield_tokens_token_info_alter(&$info) {
   
   foreach ($props as $field => $data) {
     $fieldtoken = str_replace('_', '-', $field);
-    $name = '';
-    $descr = '';
     
     if (!empty($names[$field])) {
       $name = $names[$field];
@@ -58,7 +46,7 @@ function addressfield_tokens_token_info_alter(&$info) {
       }
     }
     $info['tokens']['addressfield'][$fieldtoken] = array(
-  		'name' => $name,
+      'name' => $name,
       'description' => $descr,
       'type' => 'text',
     );
@@ -139,6 +127,7 @@ function addressfield_tokens_token_info_alter(&$info) {
  */
 function addressfield_tokens_tokens($type, $tokens, array $data = array(), array $options = array()) {
   $url_options = array();
+  // @todo: why are we setting $language_code and not using it?
   if (isset($options['language'])) {
     $url_options['language'] = $options['language'];
     $language_code = $options['language']->language;
@@ -146,18 +135,21 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array
   else {
     $language_code = LANGUAGE_NONE;
   }
+
   $sanitize = !empty($options['sanitize']);
   $replacements = array();
-  
+  $last_original = NULL;
+
   // Process address field tokens
   if ($type == 'addressfield' && !empty($data['addressfield'])) {
     foreach ($tokens as $name => $original) {
+      $last_original = $original;
       $name = str_replace('-', '_', $name);
       $address = $data['addressfield'];
       
       // If the address field exists, use it.
       if (isset($address[$name])) {
-        $replacements[$original] = $address[$name];
+        $replacements[$original] = $sanitize ? filter_xss($address[$name]) : $address[$name];
       }
       else {
         // Otherwise, it's a special token
@@ -166,7 +158,7 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array
             $render = addressfield_generate($address, array('address'), array(
               'mode' => 'render', 
             ));
-            $replacements[$original] = drupal_render($render);
+            $replacements[$original] = $sanitize ? filter_xss(drupal_render($render)) : drupal_render($render);
             break;
             
           case 'text':
@@ -188,7 +180,7 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array
             if (!empty($address['country']) && $address['country'] != addressfield_tokens_default_country()) {
               $out[2] = _addressfield_tokens_country($address['country']);
             }
-            $replacements[$original] = implode("\n", $out);
+            $replacements[$original] = $sanitize ? filter_xss(implode("\n", $out)) : implode("\n", $out);
             break;
             
           case 'city_state':
@@ -202,18 +194,28 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array
             if (!empty($address['country']) && $address['country'] != addressfield_tokens_default_country()) {
               $out[] = _addressfield_tokens_country($address['country']);
             }
-            $replacements[$original] = implode(", ", $out);
+            $replacements[$original] = $sanitize ? filter_xss(implode(", ", $out)) : implode(", ", $out); 
             break;
             
           case 'state_name':
             if (!empty($address['administrative_area']) && !empty($address['country'])) {
-              $replacements[$original] = _addressfield_tokens_state($address['country'], $address['administrative_area']);
+              if ($sanitize) {
+                $replacements[$original] = filter_xss(_addressfield_tokens_state($address['country'], $address['administrative_area']));
+              }
+              else {
+                $replacements[$original] = _addressfield_tokens_state($address['country'], $address['administrative_area']);
+              }
             }
             break;
             
           case 'country_name':
             if (!empty($address['country'])) {
-              $replacements[$original] = _addressfield_tokens_country($address['country']);
+              if ($sanitize) {
+                $replacements[$original] = filter_xss(_addressfield_tokens_country($address['country']));
+              }
+              else {
+                $replacements[$original] = _addressfield_tokens_country($address['country']);
+              }
             }
             break;
           
@@ -232,8 +234,8 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array
         }
       }
     }
-    if (!isset($replacements[$original])) {
-      $replacements[$original] = '';
+    if (!isset($replacements[$last_original])) {
+      $replacements[$last_original] = '';
     }
   }
   else {
@@ -252,7 +254,7 @@ function addressfield_tokens_tokens($type, $tokens, array $data = array(), array
             }
             catch (EntityMetadataWrapperException $e) {
               // The property doesn't exist, so skip it.
-              $replacements[$original] = '';
+              $replacements[$last_original] = '';
             }
           }
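Review bot: In the catch block of the non-addressfield branch, `$replacements[$last_original] = ''` uses a variable that is only ever assigned inside the addressfield loop (`$last_original = $original;`), so here it is still the NULL initialised above and the catch writes key `''` instead of the token being processed; the loop enclosing this catch starts outside the hunk, but if it binds `$original` as the other branch does, the line should remain `$replacements[$original] = '';`. The post-loop `if (!isset($replacements[$last_original]))` likewise only defaults the final token, so earlier tokens that matched no case are still left unreplaced — move that default inside the loop if it is meant to apply to every token. `filter_xss(drupal_render($render))` in the 'render' case strips any tag outside filter_xss's default allow-list, which to my recollection excludes `div` and `span`, so the sanitized address token loses the structure addressfield_generate built; drupal_render output is already escaped by the render pipeline, so either return it as-is or pass an explicit allowed-tags list. For the plain components (`$address[$name]`, state_name, country_name) check_plain is the conventional sanitizer for text tokens, filter_xss being meant for values that may legitimately contain HTML. Removing `$name = ''; $descr = '';` from the token_info_alter loop also means an iteration where `$names[$field]` is empty inherits the previous iteration's `$name` unless the `if` has an else branch outside the hunk — worth confirming.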
         }