Escape special characters in entity_label() usages.

2020-04-23 11:00:34 -04:00 · 2020-04-23 11:00:34 -04:00 · 327894095f
parent ba90a84c19
commit 327894095f
3 changed files with 8 additions and 4 deletions
--- a/modules/farm/farm_fields/farm_fields.module
+++ b/modules/farm/farm_fields/farm_fields.module
@ -202,7 +202,8 @@ function farm_fields_prepopulate_entityreference(&$form, $entity_type, $field_na
    // For "autocomplete tags", implode them all into one comma-separated list.
    elseif ($field_instance['widget']['type'] == 'entityreference_autocomplete_tags') {
      if (empty($form[$field_name][LANGUAGE_NONE]['#default_value'])) {
-        $form[$field_name][LANGUAGE_NONE]['#default_value'] = implode(', ', $labels);
+        // We use htmlspecialchars() so that apostrophe's are not escaped.
+        $form[$field_name][LANGUAGE_NONE]['#default_value'] = htmlspecialchars(implode(', ', $labels));
      }
    }
  }
@ -231,7 +232,7 @@ function farm_fields_prepopulate_entityreference(&$form, $entity_type, $field_na
        '#attributes' => array(
          'checked' => 'checked',
        ),
-        '#title' => entity_label($entity_type, $entity),
+        '#title' => check_plain(entity_label($entity_type, $entity)),
      );
    }
  }
--- a/modules/farm/farm_map/farm_map_kml/farm_map_kml.module
+++ b/modules/farm/farm_map/farm_map_kml/farm_map_kml.module
@ -76,7 +76,8 @@ function farm_map_kml_action(array $entities, $context = array()) {
      // Create a placemark.
      $placemark = array(
        'pid' => $id,
-        'name' => $label,
+        // We use htmlspecialchars() so that apostrophes are not escaped.
+        'name' => htmlspecialchars($label),
        'geometry' => $geometry,
      );

--- a/modules/farm/farm_sensor/farm_sensor_listener/farm_sensor_listener.module
+++ b/modules/farm/farm_sensor/farm_sensor_listener/farm_sensor_listener.module
@ -72,7 +72,9 @@ function farm_sensor_listener_mail($key, &$message, $params) {
      '@value' => $params['value'],
    ));
    $uri = entity_uri('farm_asset', $params['sensor']);
-    $message['body'][] = entity_label('farm_asset', $params['sensor']) . ': ' . url($uri['path'], array('absolute' => TRUE));
+    // We use htmlspecialchars() so that apostrophes are not escaped.
+    $entity_label = htmlspecialchars(entity_label('farm_asset', $params['sensor']));
+    $message['body'][] = $entity_label . ': ' . url($uri['path'], array('absolute' => TRUE));
  }
 }