Closed (fixed)
Project:
Field Formatter Class
Version:
7.x-1.0-rc1
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
25 Sep 2011 at 17:24 UTC
Updated:
6 May 2012 at 22:50 UTC
lines 25 + 57 use filter_xss_admin() to sanitize the user-specified class.
since HTML class names shouldn't contain markup, wouldn't it be better to use check_plain(0 instead?
Comments
Comment #1
andrewmacpherson commentedWhoops. I meant filter_xss() with no allowed tags.
Comment #2
andrewmacpherson commentedFixed in 7.x-1.0-rc1
http://drupalcode.org/project/field_formatter_class.git/commit/70fde72