Posted by fago on March 28, 2007 at 7:50pm
| Project: | Documentation |
| Component: | Correction/Clarification |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
ok, it's hard to check all, but isn't there an XSS even in the basic "getting started" example?
Comments
#1
#2
drupal5 does nearly the same
<?php
// From Drupal 5's theme function: $item['class'] and $item['title'] are concatenated
// into the markup without escaping here.
$output .= '<dt class="' . $item['class'] . '">' . $item['title'] . '</dt>';
?>
These items get there via hook_user $op = 'view'
-> the modules should provide the safety stuff
for example the profile module
http://api.drupal.org/api/function/profile_view_field/6
so there should be no XSS problem, or not?
#3
this has since been fixed (according to smart people in #drupal)
see: http://drupal.org/node/35730/revisions/view/346769/680458
"the check_plain() part fixes it"
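To show what the check_plain() change does to the <dt> line quoted in #2, here is an added example (not code from this thread or from Drupal itself) that renders one item both without and with escaping; it uses a stand-in for check_plain() so it runs outside Drupal, and the helper names are assumed.

```php
<?php
// Added example, not code from the drupal.org thread or from Drupal.

// Stand-in for Drupal's check_plain() so this runs outside Drupal.
// Drupal's real function escapes the same way (htmlspecialchars with
// ENT_QUOTES) and additionally rejects invalid UTF-8.
function check_plain_standin($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Builds one <dt> the way the Drupal 5 snippet does (hypothetical helper
// name): no escaping here, so safety depends entirely on the module that
// answered hook_user('view') having escaped its own values.
function render_item_unescaped(array $item) {
  return '<dt class="' . $item['class'] . '">' . $item['title'] . '</dt>';
}

// Hardened form: escape at the point of output, so a module that forgot
// to escape cannot get raw markup into the page.
function render_item_escaped(array $item) {
  return '<dt class="' . check_plain_standin($item['class']) . '">'
       . check_plain_standin($item['title']) . '</dt>';
}

// Constructed sample: a title that a careless module passed through raw.
$item = array(
  'class' => 'user-member',
  'title' => '<script>alert("xss")</script>',
);

// The first line carries the <script> tag into the page; the second
// renders it as harmless text (&lt;script&gt;...).
echo render_item_unescaped($item), "\n";
echo render_item_escaped($item), "\n";
```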
#4
Automatically closed -- issue fixed for 2 weeks with no activity.