Line 108: Potential problem: drupal_set_message() only accepts filtered text, be sure all !placeholders for $variables in t() are fully sanitized using check_plain(), filter_xss() or similar. (Drupal Docs)
drupal_set_message(t('The Rubik theme requires the !tao base theme in order to work properly.', array('!tao' => l('Tao', 'http://code.developmentseed.org/tao'))), 'warning');

CommentFileSizeAuthor
#1 1946084.patch399 bytesjmmarquez

Comments

jmmarquez’s picture

Status: Active » Needs review
StatusFileSize
new399 bytes

Security bugs found. Must use check_plain() and filter_xss() to solve the problem.

nesta_’s picture

Status: Needs review » Reviewed & tested by the community

Thnx!

Fix :)

nesta_’s picture

Status: Reviewed & tested by the community » Patch (to be ported)
nesta_’s picture

Assigned: jmmarquez » Unassigned
Status: Patch (to be ported) » Needs review
haydeniv’s picture

Version: 6.x-3.0-beta3 » 7.x-4.x-dev
Status: Needs review » Closed (won't fix)

This is not an XSS vulnerability because it is not accepting any user input and l() does it's own escaping.