filter the token values or label them as raw
greggles - March 21, 2008 - 12:22
| Project: | Family Tree 2 |
| Version: | 5.x-3.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
I just noticed that you are providing tokens. To prevent cross-site scripting ("XSS") attacks, it is important that you either filter the data that is placed into the tokens or label them as raw.
The token API.txt file discusses this just briefly so let me know if you have any more questions about how this is supposed to work.

#1
Also, I'm reporting this here instead of going the "security team" route since there has not been a ".0" release that includes the tokens. You should fix this prior to creating a "3.0" release which is why I've labeled this critical.
#2
Greggles,
Thanks very much for pointing this out. I had read through the api.txt (though rather briefly) and thought I caught everything in the implementation. I will definitely double check our implementation (we're not actually doing anything with the tokens YET) and fix it WELL before we do the .0 release. Thanks again for bringing this to our attention. Also, thanks for such a great module.
Jonathan
#3
I finally have found some time to implement the filtering you suggested for my token values. Do I want to filter my values in the form itself? Do you have any good generic examples of how I would do this? Is it better to just filter as I'm committing the form values to my DB? (hook_insert) Or can I filter somewhere in hook_token_values.
Thanks for your help,
Jonathan
#4
The place to filter them is on output - so, in the hook_token_values.
Basically

$tokens['family-individual-firstname'] = $node->FORE;

should be something like

$tokens['family-individual-firstname'] = check_plain($node->FORE);

There is a lot of really good documentation about this on http://drupal.org/node/28984 though it is perhaps a bit long-winded. If there is a specific section of that you have a question about just follow up here.
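A fuller version of the output-side filtering recommended in #4, written here as an added example rather than the Family Tree module's committed code. It assumes the module prefix `family`, the `$node->FORE` field quoted in the thread, and token.module's convention of exposing an unfiltered copy under a `-raw` suffix so that consumers know it still needs escaping.

```php
<?php
// Added example, not the Family Tree module's own code.
// Assumptions: module prefix "family", node field $node->FORE (from the thread),
// and token.module's "-raw" suffix convention for unfiltered values.

/**
 * Implementation of hook_token_values().
 *
 * Filtering happens here, on output, so every consumer of the token
 * (mail templates, pathauto patterns, etc.) receives HTML-safe text.
 */
function family_token_values($type, $object = NULL) {
  $values = array();
  if ($type == 'node' && isset($object)) {
    $node = $object;
    // Filtered value: check_plain() escapes <, >, &, " so user-supplied
    // names cannot inject markup or script into the rendered page.
    $values['family-individual-firstname'] = check_plain($node->FORE);
    // Unfiltered value: the "-raw" suffix labels it as NOT safe for HTML
    // output; whoever uses it is responsible for escaping it.
    $values['family-individual-firstname-raw'] = $node->FORE;
  }
  return $values;
}

/**
 * Implementation of hook_token_list().
 *
 * Documents both tokens and flags the raw one as unfiltered input, so the
 * help text shown to site builders carries the warning as well.
 */
function family_token_list($type = 'all') {
  $tokens = array();
  if ($type == 'node' || $type == 'all') {
    $tokens['node']['family-individual-firstname'] = t('Individual first name');
    $tokens['node']['family-individual-firstname-raw'] = t('Individual first name. WARNING - raw user input.');
  }
  return $tokens;
}
```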
#5
Thanks. That was exactly what I was looking for. I made a change to all the token values and committed to CVS on dev. I will check out the documentation you mentioned when I have a chance.
Thanks,
Jonathan
#6
#7
Setting to fixed.
#8
Automatically closed -- issue fixed for two weeks with no activity.