I would argue that the security rule "l() already contains a check_plain() call by default" is not really a security concern, but more a precaution which is not necessary. It would make more sense to have it in a different code review category. Also, it would be good to add a link to the security handbook page containing more information on how to use l() in a secure way.
l() already contains a check_plain() call by default. See http://drupal.org/node/28984
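To make concrete what the rule is warning about, here is an added example; it is not code from this issue, from Coder or from Drupal. It uses small stand-ins for Drupal 6's check_plain() and l() that assume Drupal's actual behaviour (l() runs the link text through check_plain() unless the caller passes 'html' => TRUE) and omit the url()/check_url() handling of the path. The link text and path are constructed sample input.

```php
<?php
// Stand-in for Drupal's check_plain(): htmlspecialchars() with ENT_QUOTES.
// (Assumption: mirrors Drupal's behaviour; not Drupal's own code.)
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal 6's l($text, $path, $options). The line this issue is
// about: unless 'html' => TRUE is passed, the link text is check_plain()ed
// inside l() itself. Path handling is simplified (Drupal would use
// check_url(url($path))) and attributes are omitted.
function l($text, $path, $options = array()) {
  $options += array('html' => FALSE);
  $safe_text = $options['html'] ? $text : check_plain($text);
  return '<a href="' . check_plain($path) . '">' . $safe_text . '</a>';
}

// Constructed, attacker-controlled link text, e.g. a node title typed by a user.
$title = '<script>alert("xss")</script> & "friends"';

// 1. Correct usage: hand l() the raw text and let it escape once.
echo l($title, 'node/1'), "\n";

// 2. What Coder flags: check_plain() around text that l() escapes anyway.
//    The text is escaped twice, so the reader sees literal "&lt;script&gt;".
//    Not exploitable, just wrong output, which is why the rule is minor.
echo l(check_plain($title), 'node/1'), "\n";

// 3. The real security caveat: 'html' => TRUE switches l()'s escaping OFF.
//    Passing raw user text here is an XSS; the caller must sanitize first
//    and only add markup it controls.
echo l($title, 'node/1', array('html' => TRUE)), "\n";                                  // unsafe
echo l('<em>' . check_plain($title) . '</em>', 'node/1', array('html' => TRUE)), "\n";  // safe
```

Case 1 yields one level of escaping, case 2 produces sequences such as `&amp;lt;` because the ampersands from the first pass are escaped again, and the first line of case 3 emits the script tag unescaped. So the rule catches a correctness mistake, while the thing to review for security is every call that passes 'html' => TRUE.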
Comments
Comment #1
stella commented

Unfortunately it doesn't seem to fit that well into any of the other categories either (comment, coding style, sql, i18n, upgrades). It's more a check to see if you implemented the api correctly. We may need a new category for this, but don't really want to write all the rules that would be required for such a category! So for now I've given it a 'minor' severity (and added the link) and if we end up having more rules like this in future we can introduce a new category.
Change made to 6.x-2.x and 7.x