[drupal-devel] important: check_output()

Dries Buytaert dries at buytaert.net
Fri Jul 1 06:20:35 UTC 2005

Because of the recent security issue, we were forced to modify  
check_output()'s API.  check_output() now takes a third paramter  
$check.  If check = TRUE, check_output() checks whether the current  
user is allowed to use the specified input format.

Note that this will check the permissions of the current user, so you  
should specify $check = FALSE when viewing other people's content.   
When showing content that is not (yet) stored in the database (eg.  
upon preview), set to TRUE so the user's permissions are checked.

In DRUPAL-4-6, $check defaults to FALSE.  However, in HEAD, $check  
defaults to TRUE for extra safety.  This means you'll have to check  
your code in DRUPAL-4-6 to see if you don't need to insert a TRUE,  
and that you'll have to check your code in HEAD, as most of them will  
need an explicit FALSE.

Dries Buytaert  ::  http://www.buytaert.net/

More information about the drupal-devel mailing list