The following file (also attached to the post):
/**
 * @file
 * File description.
 */

/**
 * Implementation of hook_form_alter().
 */
function hook_form_alter(&$form, &$form_state, $form_id) {
  global $user;
  $form['txt1'] = array(
    '#value' => $user->uid,
  );
  $form['txt2'] = array(
    '#value' => $user->name,
  );
  // Some code.
}
produces one warning:
Line 22: Potential problem: when FAPI element '#type' is set to 'markup' (default), '#value' only accepts filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized.
There are several problems with this warning:
1. Only one warning is issued regardless of the number of incorrect code instances.
2. The line is always the last line in the function. There can be any amount of code between the actual erroneous line and the reported line, so it's not so easy to find out where the mistake is. At first it looks like a false positive.
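The behaviour the report asks for, one finding per offending '#value' line with that line's own number, as an added sketch that is not Coder's implementation. The function name `find_unsanitized_values()`, the hook name `example_form_alter()` and the sample source are constructed for illustration, and the check is a line-based heuristic that only recognises the two sanitizers named in the warning text.

```php
<?php
// Added example, not code from the Coder module.
// Sanitizers named in the warning text quoted above.
const SANITIZERS = array('check_plain', 'filter_xss');

/**
 * Returns one finding per line where '#value' is fed by a variable
 * that is not wrapped in a known sanitizer on that same line.
 */
function find_unsanitized_values($source) {
  $findings = array();
  foreach (preg_split('/\R/', $source) as $index => $line) {
    // Match: '#value' => <expression containing a $variable>
    if (!preg_match('/([\'"])#value\1\s*=>\s*(.*\$\w.*)$/', $line, $m)) {
      continue;
    }
    foreach (SANITIZERS as $function) {
      if (preg_match('/\b' . $function . '\s*\(/', $m[2])) {
        continue 2; // Sanitized on the same line: no finding.
      }
    }
    // Report the line of the assignment itself, not the end of the function.
    $findings[] = array('line' => $index + 1, 'code' => trim($line));
  }
  return $findings;
}

// Constructed sample: the hook from the report plus one sanitized element.
$sample = <<<'PHP'
function example_form_alter(&$form, &$form_state, $form_id) {
  global $user;
  $form['txt1'] = array(
    '#value' => $user->uid,
  );
  $form['txt2'] = array(
    '#value' => check_plain($user->name),
  );
  $form['txt3'] = array(
    '#value' => $user->name,
  );
}
PHP;

foreach (find_unsanitized_values($sample) as $finding) {
  printf("Line %d: unsanitized '#value': %s\n", $finding['line'], $finding['code']);
}
```

On the constructed sample this reports lines 4 and 10 separately and skips the `check_plain()` call on line 7.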
Comments
Comment #1
shrop commented
Having the same issue with the 7.x version. It would be nice to have the line number of the issue. The form I am cleaning up is pretty long, so it is not obvious if there is one or many issues related to the error displayed.
Comment #2
harshil.maradiya commented
Even I have the same problem. I am using the following code snippet:
$form['AAAA']['BBBB'] = array(
  '#type' => 'markup',
  '#markup' => t('XXXXXX.'),
  '#prefix' => '
  '#suffix' => '
',
);
Comment #3
klausi
Coder for Drupal 6 is now frozen and only security fixes will be applied. Feel free to update this issue and reopen against 7.x-2.x or 8.x-2.x.
Comment #4
klausi
Coder for Drupal 6 is now frozen and only security fixes will be applied. Feel free to update this issue and reopen against 7.x-2.x or 8.x-2.x.