I reported this issue to the security team a few months ago, and also talked about it with Earl in IRC a few weeks ago. They do not consider this critical enough to be managed as a security issue. I'm opening this issue here because it has not been fixed yet, so this is in the hope that it doesn't get missed.

The issue affects views/includes/admin.inc and it can be fixed like this:

-          $queries .= t('[@time ms]', array('@time' => intval($query[1] * 100000) / 100)) . ' ' . $query[0];
+          $queries .= t('[@time ms]', array('@time' => intval($query[1] * 100000) / 100)) . ' ' . check_plain($query[0]);
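Review bot: the only unescaped value on this line is `$query[0]`, because it is concatenated outside the t() call while the `@time` placeholder inside t() is already passed through check_plain() by t() itself; that is why the timing was safe but the query text was not. Wrapping `$query[0]` in check_plain() closes that gap. An alternative that keeps all escaping on one path is to move the query into the translatable string as a second `@` placeholder, e.g. `t('[@time ms] @query', array('@time' => intval($query[1] * 100000) / 100, '@query' => $query[0]))`, so a future edit cannot reintroduce a raw concatenation. check_plain() is the right escaping function here because the query is displayed as text rather than as markup, so nothing legitimate is lost by escaping `<`, `>`, `&` and quotes.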

Comments

merlinofchaos

Status: Needs review » Fixed
markus_petrux

Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.