# HG changeset patch
# User Franck Deroche <webmaster@defr.org>
# Date 1230038961 -3600
# Node ID 165d43f946a8bec4cfbbf224990cd388a375ef10
# Parent  85b5b336180c43777ecc5433d0bb775923b5ba46
Drupal 6.1

diff -r 85b5b336180c -r 165d43f946a8 CHANGELOG.txt
--- a/CHANGELOG.txt	Tue Dec 23 14:28:28 2008 +0100
+++ b/CHANGELOG.txt	Tue Dec 23 14:29:21 2008 +0100
@@ -1,4 +1,9 @@
-// $Id: CHANGELOG.txt,v 1.253.2.3 2008/02/13 14:25:42 goba Exp $
+// $Id: CHANGELOG.txt,v 1.253.2.5 2008/02/27 19:44:44 goba Exp $
+
+Drupal 6.1, 2008-02-27
+----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (Cross site scripting), see SA-2008-018
 
 Drupal 6.0, 2008-02-13
 ----------------------
diff -r 85b5b336180c -r 165d43f946a8 includes/common.inc
--- a/includes/common.inc	Tue Dec 23 14:28:28 2008 +0100
+++ b/includes/common.inc	Tue Dec 23 14:29:21 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: common.inc,v 1.756.2.4 2008/02/13 14:25:42 goba Exp $
+// $Id: common.inc,v 1.756.2.7 2008/02/27 19:44:44 goba Exp $
 
 /**
  * @file
@@ -1584,11 +1584,6 @@
 /**
  * Adds a CSS file to the stylesheet queue.
  *
- * Themes may replace module-defined CSS files by adding a stylesheet with the
- * same filename. For example, themes/garland/system-menus.css would replace
- * modules/system/system-menus.css. This allows themes to override complete
- * CSS files, rather than specific selectors, when necessary.
- *
  * @param $path
  *   (optional) The path to the CSS file relative to the base_path(), e.g.,
  *   /modules/devel/devel.css.
@@ -1597,6 +1592,7 @@
  *   name, for example: system-menus.css rather than simply menus.css. Themes
  *   can override module-supplied CSS files based on their filenames, and this
  *   prefixing helps prevent confusing name collisions for theme developers.
+ *   See drupal_get_css where the overrides are performed.
  *
  *   If the direction of the current language is right-to-left (Hebrew,
  *   Arabic, etc.), the function will also look for an RTL CSS file and append
@@ -1605,10 +1601,6 @@
  *   file added to the list, if exists in the same directory. This CSS file
  *   should contain overrides for properties which should be reversed or
  *   otherwise different in a right-to-left display.
- *
- *   If the original CSS file is being overridden by a theme, the theme is
- *   responsible for supplying an accompanying RTL CSS file to replace the
- *   module's.
  * @param $type
  *   (optional) The type of stylesheet that is being added. Types are: module
  *   or theme.
@@ -1651,30 +1643,6 @@
     if (!isset($css[$media])) {
       $css[$media] = array('module' => array(), 'theme' => array());
     }
-
-    // If a theme is adding the current stylesheet, check for any existing CSS files
-    // with the same name. If they exist, remove them and allow the theme's own CSS
-    // file to replace it.
-    if ($type == 'theme') {
-      foreach ($css[$media]['module'] as $old_path => $old_preprocess) {
-        // Match by style sheet name.
-        if (basename($path) == basename($old_path)) {
-          unset($css[$media]['module'][$old_path]);
-
-          // If the current language is RTL and the CSS file had an RTL variant,
-          // pull out the original. The theme must provide its own RTL style.
-          if (defined('LANGUAGE_RTL') && $language->direction == LANGUAGE_RTL) {
-            $rtl_old_path = str_replace('.css', '-rtl.css', $old_path);
-            if (isset($css[$media]['module'][$rtl_old_path])) {
-              unset($css[$media]['module'][$rtl_old_path]);
-            }
-          }
-          // Set the preprocess state of the current module, then exit the search loop.
-          $preprocess = $old_preprocess;
-          break;
-        }
-      }
-    }
     $css[$media][$type][$path] = $preprocess;
 
     // If the current language is RTL, add the CSS file with RTL overrides.
@@ -1692,9 +1660,18 @@
 /**
  * Returns a themed representation of all stylesheets that should be attached to the page.
  *
- * It loads the CSS in order, with 'core' CSS first, then 'module' CSS, then
- * 'theme' CSS files. This ensures proper cascading of styles for easy
- * overriding in modules and themes.
+ * It loads the CSS in order, with 'module' first, then 'theme' afterwards.
+ * This ensures proper cascading of styles so themes can easily override
+ * module styles through CSS selectors.
+ *
+ * Themes may replace module-defined CSS files by adding a stylesheet with the
+ * same filename. For example, themes/garland/system-menus.css would replace
+ * modules/system/system-menus.css. This allows themes to override complete
+ * CSS files, rather than specific selectors, when necessary.
+ *
+ * If the original CSS file is being overridden by a theme, the theme is
+ * responsible for supplying an accompanying RTL CSS file to replace the
+ * module's.
  *
  * @param $css
  *   (optional) An array of CSS files. If no array is provided, the default
@@ -1724,7 +1701,19 @@
     // If CSS preprocessing is off, we still need to output the styles.
     // Additionally, go through any remaining styles if CSS preprocessing is on and output the non-cached ones.
     foreach ($types as $type => $files) {
+      if ($type == 'module') {
+        // Setup theme overrides for module styles.
+        $theme_styles = array();
+        foreach (array_keys($css[$media]['theme']) as $theme_style) {
+          $theme_styles[] = basename($theme_style);
+        }
+      }
       foreach ($types[$type] as $file => $preprocess) {
+        // If the theme supplies its own style using the name of the module style, skip its inclusion.
+        // This includes any RTL styles associated with its main LTR counterpart.
+        if ($type == 'module' && in_array(str_replace('-rtl.css', '.css', basename($file)), $theme_styles)) {
+          continue;
+        }
         if (!$preprocess || !($is_writable && $preprocess_css)) {
           // If a CSS file is not to be preprocessed and it's a module CSS file, it needs to *always* appear at the *top*,
           // regardless of whether preprocessing is on or off.
diff -r 85b5b336180c -r 165d43f946a8 includes/menu.inc
--- a/includes/menu.inc	Tue Dec 23 14:28:28 2008 +0100
+++ b/includes/menu.inc	Tue Dec 23 14:29:21 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: menu.inc,v 1.255.2.7 2008/02/12 22:33:51 goba Exp $
+// $Id: menu.inc,v 1.255.2.9 2008/02/27 12:12:01 goba Exp $
 
 /**
  * @file
@@ -175,14 +175,13 @@
  * Returns the ancestors (and relevant placeholders) for any given path.
  *
  * For example, the ancestors of node/12345/edit are:
- *
- * node/12345/edit
- * node/12345/%
- * node/%/edit
- * node/%/%
- * node/12345
- * node/%
- * node
+ * - node/12345/edit
+ * - node/12345/%
+ * - node/%/edit
+ * - node/%/%
+ * - node/12345
+ * - node/%
+ * - node
  *
  * To generate these, we will use binary numbers. Each bit represents a
  * part of the path. If the bit is 1, then it represents the original
@@ -609,18 +608,18 @@
 
 /**
  * This function is similar to _menu_translate() but does link-specific
- * preparation such as always calling to_arg functions
+ * preparation such as always calling to_arg functions.
  *
  * @param $item
  *   A menu link
  * @return
  *   Returns the map of path arguments with objects loaded as defined in the
- *   $item['load_functions'].
- *   $item['access'] becomes TRUE if the item is accessible, FALSE otherwise.
- *   $item['href'] is generated from link_path, possibly by to_arg functions.
- *   $item['title'] is generated from link_title, and may be localized.
- *   $item['options'] is unserialized; it is also changed within the call here 
- *   to $item['localized_options'] by _menu_item_localize().
+ *   $item['load_functions']:
+ *   - $item['access'] becomes TRUE if the item is accessible, FALSE otherwise.
+ *   - $item['href'] is generated from link_path, possibly by to_arg functions.
+ *   - $item['title'] is generated from link_title, and may be localized.
+ *   - $item['options'] is unserialized; it is also changed within the call
+ *     here to $item['localized_options'] by _menu_item_localize().
  */
 function _menu_link_translate(&$item) {
   $item['options'] = unserialize($item['options']);
@@ -682,7 +681,7 @@
  *   The expected position for $type object. For node/%node this is 1, for
  *   comment/reply/%node this is 2. Defaults to 1.
  * @param $path
- *   See @menu_get_item for more on this. Defaults to the current path.
+ *   See menu_get_item() for more on this. Defaults to the current path.
  */
 function menu_get_object($type = 'node', $position = 1, $path = NULL) {
   $router_item = menu_get_item($path);
@@ -1708,8 +1707,7 @@
   }
   $placeholders = db_placeholders($menu, 'varchar');
   $paths = array_keys($menu);
-  // Updated items and customized items which router paths are gone need new
-  // router paths.
+  // Updated and customized items whose router paths are gone need new ones.
   $result = db_query("SELECT ml.link_path, ml.mlid, ml.router_path, ml.updated FROM {menu_links} ml WHERE ml.updated = 1 OR (router_path NOT IN ($placeholders) AND external = 0 AND customized = 1)", $paths);
   while ($item = db_fetch_array($result)) {
     $router_path = _menu_find_router_path($menu, $item['link_path']);
@@ -1720,7 +1718,7 @@
       db_query("UPDATE {menu_links} SET router_path = '%s', updated = %d WHERE mlid = %d", $router_path, $updated, $item['mlid']);
     }
   }
-  // Find any items where their router path does not exist any more.
+  // Find any item whose router path does not exist any more.
   $result = db_query("SELECT * FROM {menu_links} WHERE router_path NOT IN ($placeholders) AND external = 0 AND updated = 0 AND customized = 0 ORDER BY depth DESC", $paths);
   // Remove all such items. Starting from those with the greatest depth will
   // minimize the amount of re-parenting done by menu_link_delete().
@@ -1782,14 +1780,14 @@
  *
  * @param $item
  *   An array representing a menu link item. The only mandatory keys are
- *   link_path and link_title. Possible keys are
- *     menu_name   default is navigation
- *     weight      default is 0
- *     expanded    whether the item is expanded.
- *     options     An array of options, @see l for more.
- *     mlid        Set to an existing value, or 0 or NULL to insert a new link.
- *     plid        The mlid of the parent.
- *     router_path The path of the relevant router item.
+ *   link_path and link_title. Possible keys are:
+ *   - menu_name   default is navigation
+ *   - weight      default is 0
+ *   - expanded    whether the item is expanded.
+ *   - options     An array of options, @see l for more.
+ *   - mlid        Set to an existing value, or 0 or NULL to insert a new link.
+ *   - plid        The mlid of the parent.
+ *   - router_path The path of the relevant router item.
  */
 function menu_link_save(&$item) {
   $menu = menu_router_build();
diff -r 85b5b336180c -r 165d43f946a8 misc/drupal.js
--- a/misc/drupal.js	Tue Dec 23 14:28:28 2008 +0100
+++ b/misc/drupal.js	Tue Dec 23 14:29:21 2008 +0100
@@ -1,4 +1,4 @@
-// $Id: drupal.js,v 1.41.2.1 2008/02/06 12:18:04 goba Exp $
+// $Id: drupal.js,v 1.41.2.2 2008/02/27 19:44:44 goba Exp $
 
 var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} };
 
@@ -51,7 +51,8 @@
   str = String(str);
   var replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
   for (var character in replace) {
-    str = str.replace(character, replace[character]);
+    var regex = new RegExp(character, 'g');
+    str = str.replace(regex, replace[character]);
   }
   return str;
 };
diff -r 85b5b336180c -r 165d43f946a8 modules/block/block.admin.inc
--- a/modules/block/block.admin.inc	Tue Dec 23 14:28:28 2008 +0100
+++ b/modules/block/block.admin.inc	Tue Dec 23 14:29:21 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: block.admin.inc,v 1.14 2007/12/22 23:24:24 goba Exp $
+// $Id: block.admin.inc,v 1.14.2.1 2008/02/27 12:07:42 goba Exp $
 
 /**
  * @file
@@ -123,8 +123,7 @@
     return $status;
   }
   // Sort by region (in the order defined by theme .info file).
-  $place = $regions[$a['region']] - $regions[$b['region']];
-  if ($place) {
+  if ((!empty($a['region']) && !empty($b['region'])) && ($place = ($regions[$a['region']] - $regions[$b['region']]))) {
     return $place;
   }
   // Sort by weight.
diff -r 85b5b336180c -r 165d43f946a8 modules/node/node.module
--- a/modules/node/node.module	Tue Dec 23 14:28:28 2008 +0100
+++ b/modules/node/node.module	Tue Dec 23 14:29:21 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: node.module,v 1.947.2.2 2008/02/13 14:10:22 goba Exp $
+// $Id: node.module,v 1.947.2.3 2008/02/27 17:12:58 goba Exp $
 
 /**
  * @file
@@ -716,7 +716,7 @@
   elseif (is_array($param)) {
     // Turn the conditions into a query.
     foreach ($param as $key => $value) {
-      $cond[] = 'n.'. db_escape_string($key) ." = '%s'";
+      $cond[] = 'n.'. db_escape_table($key) ." = '%s'";
       $arguments[] = $value;
     }
     $cond = implode(' AND ', $cond);
diff -r 85b5b336180c -r 165d43f946a8 modules/node/node.pages.inc
--- a/modules/node/node.pages.inc	Tue Dec 23 14:28:28 2008 +0100
+++ b/modules/node/node.pages.inc	Tue Dec 23 14:29:21 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: node.pages.inc,v 1.28 2008/02/03 19:26:10 goba Exp $
+// $Id: node.pages.inc,v 1.28.2.1 2008/02/27 19:44:44 goba Exp $
 
 /**
  * @file
@@ -11,7 +11,7 @@
  * Menu callback; presents the node editing form, or redirects to delete confirmation.
  */
 function node_page_edit($node) {
-  drupal_set_title($node->title);
+  drupal_set_title(check_plain($node->title));
   return drupal_get_form($node->type .'_node_form', $node);
 }
 
diff -r 85b5b336180c -r 165d43f946a8 modules/system/system.module
--- a/modules/system/system.module	Tue Dec 23 14:28:28 2008 +0100
+++ b/modules/system/system.module	Tue Dec 23 14:29:21 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: system.module,v 1.585.2.6 2008/02/13 14:25:42 goba Exp $
+// $Id: system.module,v 1.585.2.8 2008/02/27 19:44:44 goba Exp $
 
 /**
  * @file
@@ -9,7 +9,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '6.0');
+define('VERSION', '6.1');
 
 /**
  * Core API compatibility.