User-submitted strings (which a role name definitely is) should never be passed to t(). I also added check_plain() to it. It's not a security threat/bug, because roles are always created by an administrator, but let's do this the right way and be sure.

Attaching a patch. I also fixed one English typo and removed $role_varname, as you never used it.

Originally reported here: http://drupal.org/node/216433, I just use code from Google Analytics for this part.

Attachment: google_analytics.patch (1.48 KB), by michal.cihar
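The point of the report, shown as an added example rather than code from the patch or from the Google Analytics module: passing a role name to t() does two unwanted things in Drupal 6. It registers an administrator-entered string as a translation source (when the locale module is on), and it returns the string without any escaping, so a form #title built from it is printed as raw HTML. The function names ga_role_checkboxes_before() and ga_role_checkboxes_after() are hypothetical, the role list is constructed, and the check_plain() and t() stand-ins are simplified reimplementations of the core behaviour so the script runs outside Drupal; inside a module, core supplies the real ones.

```php
<?php
// Added example, not code from the patch or the Google Analytics module.
// Stand-ins so this runs outside Drupal; in a module, core provides them.
if (!function_exists('check_plain')) {
  // Drupal's check_plain(): HTML-escape a plain-text string for output.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('t')) {
  // Simplified Drupal 6 t(): no translation lookup here. With no $args the
  // string comes back untouched (no escaping); '@' placeholders are run
  // through check_plain() before substitution, as in core.
  function t($string, $args = array()) {
    if (empty($args)) {
      return $string;
    }
    foreach ($args as $key => $value) {
      if ($key[0] === '@') {
        $args[$key] = check_plain($value);
      }
    }
    return strtr($string, $args);
  }
}

// Constructed sample roles: entered by an administrator through the UI, so
// they are data, not literals, and may contain markup.
$sample_roles = array(
  1 => 'anonymous user',
  2 => 'authenticated user',
  3 => 'editor <script>alert(1)</script>',
);

// Before: the role name goes straight into t() and then into a form #title,
// which Drupal 6 prints without escaping.
function ga_role_checkboxes_before(array $roles) {
  $form = array();
  foreach ($roles as $rid => $name) {
    $form['role_' . $rid] = array(
      '#type' => 'checkbox',
      '#title' => t($name),
    );
  }
  return $form;
}

// After: only literal text is handed to t(), the role name enters it as an
// @placeholder (escaped by t()), and where the bare name is printed it goes
// through check_plain().
function ga_role_checkboxes_after(array $roles) {
  $form = array();
  foreach ($roles as $rid => $name) {
    $form['role_' . $rid] = array(
      '#type' => 'checkbox',
      '#title' => check_plain($name),
      '#description' => t('Track visitors with the @role role.', array('@role' => $name)),
    );
  }
  return $form;
}

$before = ga_role_checkboxes_before($sample_roles);
$after = ga_role_checkboxes_after($sample_roles);
echo "before: " . $before['role_3']['#title'] . "\n";
echo "after:  " . $after['role_3']['#title'] . "\n";
```

Run with `php example.php`: the "before" line contains the raw script tag, the "after" line contains it entity-encoded. The rule of thumb this illustrates is the one in the report: t() takes literals (with placeholders for data), check_plain() takes data.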

Comments

Comment by hass

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Active » Needs work

I committed the typo in the first line, but haven't removed the t() from the roles translation. I know user-defined strings shouldn't be t'ified, but you should take a look at D6 admin/user/roles... they are translated.

And I'm finally not sure why you changed this:

-    // can't use empty spaces in varname
-    $role_varname = $string = str_replace(' ', '_', $role->name);
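Review bot: these two `-` lines drop the `$role_varname` half of the chained assignment together with its explanatory comment; if the replacement still assigns `$string = str_replace(' ', '_', $role->name);`, the removal is a dead-variable cleanup only, and the comment `// can't use empty spaces in varname` is worth keeping next to the surviving assignment, since the str_replace() is otherwise unexplained. Also worth raising in review: replacing spaces alone does not turn an administrator-entered role name into a safe identifier, so whatever consumes `$string` should validate or escape it for its context rather than rely on this substitution.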
Comment by hass

Status: Needs work » Fixed
Comment by Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.