Quick review of the 7.x module:

$cancel = $_REQUEST['cancel'];

seems like it exposes a hole for reflected XSS. Otherwise, looks like pretty reasonable code.

Comments

pwolanin

Probably not really a hole, looking at http://api.drupal.org/api/drupal/includes--common.inc/function/url/7 - dangerous stuff from the path is supposed to be neutralized.

Still, important to note that this is potentially hazardous user input.
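
An added example, not the module's code and not from either poster: one way to treat the `cancel` request parameter as untrusted input, assuming it ends up as the destination of a cancel link. It is plain PHP with no Drupal bootstrap; `safe_cancel_path()`, `cancel_link()`, the `node` default and the sample values are hypothetical, and inside Drupal 7 `url()` and `check_plain()` do the encoding and escaping.

```php
<?php
// Added example: plain PHP, no Drupal bootstrap. Function names, the default
// path and the sample values are hypothetical, constructed for illustration.

/**
 * Accept a user-supplied cancel destination only if it is a relative,
 * site-internal path; otherwise fall back to a fixed default.
 */
function safe_cancel_path($raw, $default = 'node') {
  if (!is_string($raw) || $raw === '') {
    return $default;
  }
  // Reject control characters and backslashes (browsers may treat "\" as "/").
  if (preg_match('/[\x00-\x1f\x7f\\\\]/', $raw)) {
    return $default;
  }
  // Reject anything carrying a scheme (a colon before the first "/", "?" or
  // "#", e.g. javascript:, data:, http:) or a protocol-relative "//host".
  $colon = strpos($raw, ':');
  $delim = strcspn($raw, '/?#');
  if (($colon !== false && $colon < $delim) || strpos($raw, '//') === 0) {
    return $default;
  }
  return ltrim($raw, '/');
}

/**
 * Build the cancel link: percent-encode each path segment, then HTML-escape
 * the attribute value at the point of output.
 */
function cancel_link($raw) {
  $segments = array_map('rawurlencode', explode('/', safe_cancel_path($raw)));
  $href = '/' . implode('/', $segments);
  return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Cancel</a>';
}

// Constructed sample inputs, as they might arrive in $_REQUEST['cancel'].
$samples = array(
  'admin/content',
  'javascript:alert(1)',
  '//example.invalid/x',
  '"><script>alert(1)</script>',
);
foreach ($samples as $s) {
  echo cancel_link($s), "\n";
}
```

The second and third samples fall back to the default path, and the fourth is emitted with its quote and angle brackets percent-encoded, so none of them can close the attribute or change the link's scheme or host.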