http://drupal.org/node/35730

OK, it's hard to check all of it, but isn't there an XSS even in the basic "getting started" example?

Comments

Comment by Anonymous

Component: Customization and Theming Guide » Correction/Clarification
Comment by dawehner

Status: Active » Needs review

Drupal 5 does nearly the same:

<?php
// Drupal 5 core snippet as quoted by the poster: $item['class'] and
// $item['title'] are concatenated into the markup without escaping.
$output .= '<dt class="'. $item['class'] .'">'. $item['title'] .'</dt>';
?>

These items get there via hook_user with $op = 'view',
so the modules should provide the safety stuff.

for example the profile module
http://api.drupal.org/api/function/profile_view_field/6

So there should be no XSS problem, or not?

Comment by arianek

Status: Needs review » Fixed

This has since been fixed (according to smart people in #drupal).

see: http://drupal.org/node/35730/revisions/view/346769/680458
"the check_plain() part fixes it"
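Added example, not code from the handbook page, from Drupal core, or from any poster in this thread: the concatenation pattern dawehner quoted above next to the check_plain() form the linked revision applies, runnable outside Drupal. The check_plain_local() stand-in and the sample items are assumptions made so the script is self-contained.

```php
<?php
// Drupal's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
// This local stand-in (an assumption) lets the script run without Drupal.
function check_plain_local(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The pattern discussed in the thread: the theme layer trusts whatever the
// hook_user('view') implementations put in $item['class'] and $item['title'].
function render_items_unescaped(array $items): string
{
    $output = '';
    foreach ($items as $item) {
        $output .= '<dt class="' . $item['class'] . '">' . $item['title'] . '</dt>';
    }
    return $output;
}

// The fix the revision link points to: escape at the output boundary, so the
// theme function no longer depends on every module having sanitised its data.
function render_items_escaped(array $items): string
{
    $output = '';
    foreach ($items as $item) {
        $output .= '<dt class="' . check_plain_local($item['class']) . '">'
            . check_plain_local($item['title']) . '</dt>';
    }
    return $output;
}

// Constructed sample input: the second item carries markup in its title, as a
// module that forgot to sanitise user-supplied profile data might pass along.
$items = [
    ['class' => 'name', 'title' => 'Full name'],
    ['class' => 'bio',  'title' => 'About <b>me</b> & "you"'],
];

$unsafe = render_items_unescaped($items);
$safe   = render_items_escaped($items);

// The unescaped output carries the raw tag; the escaped output does not.
if (strpos($unsafe, '<b>') === false || strpos($safe, '<b>') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
// escaped output contains: About &lt;b&gt;me&lt;/b&gt; &amp; &quot;you&quot;
```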

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.