Code Review complains in several places:

Potential problem: drupal_set_message() only accepts filtered text, be sure all !placeholders for $variables in t() are fully sanitized using check_plain(), filter_xss() or similar. (Drupal Docs)

According to the Drupal documentation page "Dynamic or static links and HTML in translatable strings", the recommended practice is to use @var placeholders, so that the value is run through check_plain() and is safe for inclusion in HTML. Patch attached.
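To show why the !placeholder form is the problem, here is an added example (not from this issue or from Drupal core): t_demo() and check_plain_demo() are simplified stand-ins for the placeholder rules of Drupal's t() and for check_plain(), and the node title is a constructed value.

```php
<?php
// Added example: a minimal re-implementation of the placeholder rules that
// Drupal's t() applies, used to show why "!var" is unsafe in a string that
// drupal_set_message() will later render as HTML.

// Stand-in for check_plain(): HTML-escape a string for safe use in markup.
function check_plain_demo($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for t(): substitute placeholders according to their prefix.
//   !var  inserted as-is (the caller must already have sanitized it)
//   @var  passed through check_plain()
//   %var  passed through check_plain() and wrapped in <em> for emphasis
function t_demo($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = check_plain_demo($value);
        break;
      case '%':
        $args[$key] = '<em class="placeholder">' . check_plain_demo($value) . '</em>';
        break;
      // case '!': the value is left untouched on purpose.
    }
  }
  return strtr($string, $args);
}

// Constructed user-controlled value, e.g. a node title typed by a visitor.
$title = 'My node <script>alert(1)</script>';

// Vulnerable form: !title hands the raw markup to the message system.
$unsafe = t_demo('Created node !title.', array('!title' => $title));

// Fixed form (what the attached patch does): @title is escaped first.
$safe = t_demo('Created node @title.', array('@title' => $title));

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// Check a reviewer can apply: the escaped message carries no raw tag from
// the variable, while the !title version still does.
assert(strpos($safe, '<script>') === false);
assert(strpos($unsafe, '<script>') !== false);
```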

Comments

jonathan webb

Found another drupal_set_message where this applied... updated patch attached.

neclimdul

Status: Needs review » Fixed

thanks berdir.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.