lines 25 + 57 use filter_xss_admin() to sanitize the user-specified class.

since HTML class names shouldn't contain markup, wouldn't it be better to use check_plain(0 instead?

Comments

andrewmacpherson’s picture

Title: use check_plain() instead of filter_xss_admin() » strip all tags from class name

Whoops. I meant filter_xss() with no allowed tags.

andrewmacpherson’s picture

Version: » 7.x-1.0-rc1
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.