XSS in theming snippets?
fago - March 28, 2007 - 19:50
| Project: | Documentation |
| Component: | Correction/Clarification |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | needs review |
Description
OK, it's hard to check all, but isn't there an XSS even in the basic "getting started" example?

#1
#2
Drupal 5 does nearly the same
<?php
$output .= '<dt class="'. $item['class'] .'">'. $item['title'] .'</dt>';
?>
These items get there by hook_user $op = 'view'
-> the modules should provide the safety stuff
for example the profile module
http://api.drupal.org/api/function/profile_view_field/6
So there should be no XSS problem, or not?
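The trade-off raised in comment #2, as an added example that is not part of the thread or of Drupal's own code: the same concatenation rendered raw and with escaping at output, fed one value that no module sanitized and one that was already sanitized upstream. It runs as stand-alone PHP; `escape_html()` is a hypothetical stand-in for Drupal's `check_plain()`, and the item values are constructed.

```php
<?php
// Added example: stand-alone PHP, no Drupal bootstrap required.
// escape_html() is a hypothetical helper standing in for Drupal's check_plain().
function escape_html($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The concatenation quoted in comment #2: values are emitted exactly as received,
// so safety depends entirely on the module that filled $item.
function render_item_raw(array $item) {
  return '<dt class="'. $item['class'] .'">'. $item['title'] .'</dt>';
}

// Escaping at output: safe for untrusted plain text in both the attribute and
// the element body, but it double-encodes values a module already sanitized.
function render_item_escaped(array $item) {
  return '<dt class="'. escape_html($item['class']) .'">'
    . escape_html($item['title']) .'</dt>';
}

// Constructed sample input: a harmless value containing markup characters.
$user_value = 'City <b>& "region"</b>';

$items = array(
  // A module passed the user's value through untouched.
  'unsanitized by module' => array(
    'class' => 'profile-city',
    'title' => $user_value,
  ),
  // A module sanitized the value before handing it to the theme layer.
  'sanitized by module' => array(
    'class' => 'profile-city',
    'title' => escape_html($user_value),
  ),
);

foreach ($items as $label => $item) {
  echo $label, "\n";
  echo '  raw:     ', render_item_raw($item), "\n";
  echo '  escaped: ', render_item_escaped($item), "\n";
}
```

The raw form is only as safe as every module that implements the hook, while escaping a second time in the theme corrupts already-sanitized values, so the snippet's documentation has to state which layer is responsible.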