The URLs inserted into the HTML header for the meta tag and link rels should be passed through check_url(). Otherwise, ampersands and such will not be escaped properly, and the page would be invalid HTML.

If these fields were user-submittable, you'd have an XSS problem on your hands. Please read the Drupal secure code guidelines before writing another line of code. Contributors who do not pay attention to security do more damage than good.
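The following is an added example, not code from the module or from Drupal, showing what the report above asks for: a URL placed in a `<link>` tag raw versus escaped. `example_check_url()` and `example_link_tag()` are hypothetical names; the first is a simplified stand-in for Drupal's `check_url()` and assumes only `http` and `https` are acceptable schemes. The sample URLs are constructed.

```php
<?php
// Simplified stand-in for Drupal's check_url() (hypothetical helper, not Drupal's code):
// reject schemes outside an allow-list, then HTML-escape the result.
function example_check_url(string $url): string {
  $url = trim($url);
  // A scheme is the text before the first ':' that comes before any '/', '?' or '#'.
  if (preg_match('/^([^\/?#:]*):/', $url, $m)) {
    // Assumption: only http and https are valid for header URLs.
    if (!in_array(strtolower($m[1]), ['http', 'https'], true)) {
      $url = '';
    }
  }
  // Escapes &, <, >, " and ' so the value cannot break out of the attribute.
  return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Builds a <link> tag; $escape = false reproduces the behaviour the report describes.
function example_link_tag(string $rel, string $href, bool $escape): string {
  $value = $escape ? example_check_url($href) : $href;
  return '<link rel="' . htmlspecialchars($rel, ENT_QUOTES, 'UTF-8')
    . '" href="' . $value . '" />';
}

// Constructed sample inputs.
$samples = [
  // Bare ampersand: invalid HTML unless written as &amp;
  'http://example.com/feed?type=rss&lang=en',
  // Quote and angle brackets: would close the attribute and the tag if unescaped.
  'http://example.com/"><script>alert(1)</script>',
  // Scheme outside the allow-list: dropped entirely.
  'javascript:alert(1)',
];

foreach ($samples as $url) {
  echo 'raw:     ', example_link_tag('alternate', $url, false), "\n";
  echo 'escaped: ', example_link_tag('alternate', $url, true), "\n\n";
}
```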

Comments

Status: Active » Closed (fixed)