diff --git a/includes/file.inc b/includes/file.inc
index 36e7893ed91a82c3ce51d42189e1838a2de7deae..0d4af76931b73acb296a938de87a0391f438db20 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -331,9 +331,9 @@ function file_stream_wrapper_get_instance_by_scheme($scheme) {
 *
 * @return
 * A string containing a URL that may be used to access the file.
- * If the provided string already contains a preceding 'http', nothing is done
- * and the same string is returned. If a valid stream wrapper could not be
- * found to generate an external URL, then FALSE will be returned.
+ * If the provided string already contains a preceding 'http', 'https', or
+ * '/', nothing is done and the same string is returned. If a stream wrapper
+ * could not be found to generate an external URL, then FALSE is returned.
 */
 function file_create_url($uri) {
 // Allow the URI to be altered, e.g. to serve a file from a CDN or static
@@ -355,8 +355,8 @@ function file_create_url($uri) {
 }
 else {
 // If this is not a properly formatted stream, then it is a shipped file.
- // Therefor, return the URI with the base URL prepended.
- return $GLOBALS['base_url'] . '/' . $uri;
+ // Therefore, return the urlencoded URI with the base URL prepended.
+ return $GLOBALS['base_url'] . '/' . drupal_encode_path($uri);
 }
 }
 elseif ($scheme == 'http' || $scheme == 'https') {
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index 61e6f8d26059a5c28e862542ebd49378086627fb..315b7762299d1192d1732516b574fbb57d7877fd 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
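Review bot: The new return line in the shipped-file branch encodes the whole of `$uri`, so a `?query` or `#fragment` in a shipped-file path now comes out as literal `%3F`/`%23` instead of URL syntax, and the only way to keep a query string is the leading-'/' form the updated docblock describes; the added comment should say that, because callers relying on the old pass-through will otherwise see silently changed URLs. Suggested replacement for the added comment: `// Therefore, return the URI with the base URL prepended, percent-encoding it so that it cannot inject a query string, fragment or other URL syntax; a URI that needs a query string must be passed with a leading '/'.` I am inferring the encoding behaviour from the test-module change in this same commit, which moves the query-string case to a '/'-prefixed URI, so confirm it against drupal_encode_path(). file_create_url() starts before this hunk and continues after it.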
@@ -749,8 +749,9 @@ class CascadingStylesheetsTestCase extends DrupalWebTestCase {
 */
 function testAddCssFileWithQueryString() {
 $this->drupalGet('common-test/query-string');
- $query_string = substr(variable_get('css_js_query_string', '0'), 0, 1);
- $this->assertRaw(drupal_get_path('module', 'node') . '/node.css?arg1=value1&arg2=value2&' . $query_string, t('Query string was appended correctly to css.'));
+ $query_string = variable_get('css_js_query_string', '0');
+ $this->assertRaw(drupal_get_path('module', 'node') . '/node.css?' . $query_string, t('Query string was appended correctly to css.'));
+ $this->assertRaw(drupal_get_path('module', 'node') . '/node-fake.css?arg1=value1&arg2=value2', t('Query string not escaped on a URI.'));
 }
 }
@@ -1354,8 +1355,8 @@ class JavaScriptTestCase extends DrupalWebTestCase {
 */
 function testAddJsFileWithQueryString() {
 $this->drupalGet('common-test/query-string');
- $query_string = substr(variable_get('css_js_query_string', '0'), 0, 1);
- $this->assertRaw(drupal_get_path('module', 'node') . '/node.js?arg1=value1&arg2=value2&' . $query_string, t('Query string was appended correctly to js.'));
+ $query_string = variable_get('css_js_query_string', '0');
+ $this->assertRaw(drupal_get_path('module', 'node') . '/node.js?' . $query_string, t('Query string was appended correctly to js.'));
 }
 }
diff --git a/modules/simpletest/tests/common_test.module b/modules/simpletest/tests/common_test.module
index 7320bdaa7ae640373b48bbbd59af3186ee1f0570..449da4a975f6fafe2189b79f9374085cb2a70d41 100644
--- a/modules/simpletest/tests/common_test.module
+++ b/modules/simpletest/tests/common_test.module
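Review bot: The third assertRaw() added to testAddCssFileWithQueryString() looks for a literal `&` in `/node-fake.css?arg1=value1&arg2=value2`, but if the `<link>` href is emitted through attribute escaping the page source will contain `&amp;` and the assertion cannot match; confirm against the rendered markup and, if so, assert on `check_plain()` of the expected URL instead. The message `t('Query string not escaped on a URI.')` also states a negative rather than what is being checked; `t('Query string on a leading-slash URI was preserved.')` would read better. The JS hunk at -1354 uses the same `'/node.js?' . $query_string` pattern but carries no `&`, so only this hunk is affected.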
@@ -220,7 +220,9 @@ function common_test_library() {
 * Adds a JavaScript file and a CSS file with a query string appended.
 */
 function common_test_js_and_css_querystring() {
- drupal_add_js(drupal_get_path('module', 'node') . '/node.js?arg1=value1&arg2=value2');
- drupal_add_css(drupal_get_path('module', 'node') . '/node.css?arg1=value1&arg2=value2');
+ drupal_add_js(drupal_get_path('module', 'node') . '/node.js');
+ drupal_add_css(drupal_get_path('module', 'node') . '/node.css');
+ // A relative URI may have a query string.
+ drupal_add_css('/' . drupal_get_path('module', 'node') . '/node-fake.css?arg1=value1&arg2=value2');
 return '';
 }
diff --git a/modules/system/system.tokens.inc b/modules/system/system.tokens.inc
index e13a4a2ab3e377ed523a101a953ba3990652a2a2..f57daf2da20f786f0bdf1e2ba110a3375b44a519 100644
--- a/modules/system/system.tokens.inc
+++ b/modules/system/system.tokens.inc
@@ -202,7 +202,7 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 break;
 case 'raw':
- $replacements[$original] = filter_xss($date);
+ $replacements[$original] = $sanitize ? check_plain($date) : $date;
 break;
 }
 }
@@ -230,15 +230,15 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 break;
 case 'description':
- $replacements[$original] = $sanitize ? filter_xss($file->description) : $file->description;
+ $replacements[$original] = $sanitize ? check_plain($file->description) : $file->description;
 break;
 case 'path':
- $replacements[$original] = $sanitize ? filter_xss($file->uri) : $file->uri;
+ $replacements[$original] = $sanitize ? check_plain($file->uri) : $file->uri;
 break;
 case 'mime':
- $replacements[$original] = $sanitize ? filter_xss($file->filemime) : $file->filemime;
+ $replacements[$original] = $sanitize ? check_plain($file->filemime) : $file->filemime;
 break;
 case 'size':
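Review bot: The added comment `// A relative URI may have a query string.` says less than the test relies on: the path is given with a leading '/' precisely so that file_create_url() returns it unchanged, which is what lets the query string survive now that the shipped-file branch in includes/file.inc encodes its input. Suggest `// A URI with a leading '/' is returned by file_create_url() unchanged, so it may carry a query string; a plain shipped-file path would have its '?' percent-encoded.` so the next reader does not "simplify" the leading slash away. The docblock change in includes/file.inc in this commit is what I am reading this from.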
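Review bot: The new 'raw' branch returns `$date` verbatim whenever `$sanitize` is false, where the old line always ran it through filter_xss(); that is consistent with the other tokens in this function, but `$date` is assigned outside the hunk and nothing here shows what it holds, so the case deserves a comment stating the contract, e.g. `// The raw value is escaped only when the caller asked for sanitization; callers that opt out receive it unmodified.` Moving from filter_xss() (a tag allow-list) to check_plain() (escape everything) is the right direction for values that are never meant to contain markup, and the same applies to the description/path/mime lines at -230. If `$date` is known to be a numeric timestamp, say so in the comment, since that would make the unescaped branch harmless by construction.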
@@ -246,7 +246,7 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 break;
 case 'url':
- $replacements[$original] = url(file_create_url($file->uri), $url_options);
+ $replacements[$original] = $sanitize ? check_plain(file_create_url($file->uri)) : file_create_url($file->uri);
 break;
 // These tokens are default variations on the chained tokens handled below.
@@ -256,7 +256,7 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 case 'owner':
 $account = user_load($file->uid);
- $replacements[$original] = $sanitize ? filter_xss($account->name) : $account->name;
+ $replacements[$original] = $sanitize ? check_plain($account->name) : $account->name;
 break;
 }
 }
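Review bot: The new 'url' line calls file_create_url() twice and does not handle the FALSE that the function's docblock (updated in includes/file.inc in this same commit) says it returns when no stream wrapper resolves; `check_plain(FALSE)` is an empty string, so the token silently renders as nothing. Compute it once and make that case explicit: `$url = file_create_url($file->uri);` followed by `$replacements[$original] = $url === FALSE ? '' : ($sanitize ? check_plain($url) : $url);`, or leave the token unreplaced if an empty value is not acceptable for callers. `$url_options` is no longer read on this line, so if nothing else in system_tokens() uses it the assignment earlier in the function becomes dead. Whether dropping the `url()` wrapper also bypasses outbound URL alteration is not visible here and should be confirmed. system_tokens() continues outside this hunk.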
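Review bot: The rewritten 'owner' line still dereferences `$account->name` without checking that user_load($file->uid) found a user; user_load() returns FALSE for a missing account, so a file whose owner has since been deleted raises a notice and yields an empty replacement. The switch to check_plain() is right for a user name, but the guard is one line: `$name = $account ? $account->name : '';` and then `$replacements[$original] = $sanitize ? check_plain($name) : $name;`. The `$account = user_load(...)` line is unchanged context, so this is a pre-existing gap the commit leaves in place.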