SA-CORE-2010-001 - request_uri() can not be used as is in HTML

Isn't this equivalent to <a href=""> (i.e. with href set to an empty string)? Or doesn't that work in some older versions of IE? Anyway, this works and is easy to understand when reading the code.

Good catch. Committed to HEAD.

This patch fixes the remaining request_uri() in D7 which have been fixed in D6 as part of SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

adding security.drupal.org tag

Let's transform those href="!url" into proper href="@url". We don't need to promote bad patterns in core.

array('@url' => check_url(request_uri()) is going to run check_plain() twice. Ok, it's in the installer, but if we're talking about patterns in core, they are places where check_plain() does not need to be run at all (like when we're not dealing with user input). I'm digressing here: if there is an appropriate issue for this topic, let me know.

@scor: the standard (documented in t()) is:

$output .= '<p>'. t('Go to the <a href="@contact-page">contact page</a>.', array('@contact-page' => url('contact'))) .'</p>';

Of course, we need to remove the check_plain() when using @ instead of !.

including SA # in title

The comment from #7 is still valid: check_url calls filter_xss_bad_protocol which performs a check_plain before returning, so by using @url we are escaping the value twice...

yes, but isn't that what Damien was asking for? it seems check_url() is more correct than check_plain... so if the double-escaping is a problem then I think we should apply the patch in #4.

Double-escaping is a problem (and a bug: #715142: [beta blocker blocker] Various URLs escaped twice, since check_url() resp. filter_xss_bad_protocol() calls check_plain()). I agree that using check_url is preferable to check_plain in this case, so I feel we should commit #4 and knock this one of the critical list.

Cool, thanks. This RTBC is for scor's patch #4.

Committed to CVS HEAD.