Closed (fixed)
Project:
Webform
Version:
6.x-3.0-beta2
Component:
Code
Priority:
Minor
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
5 Mar 2010 at 21:27 UTC
Updated:
4 Apr 2010 at 03:50 UTC
Comments
Comment #1
quicksketch
Thanks, it looks like we do this escaping because Drupal core treats fieldsets and other elements differently. #title on most elements is run through filter_xss_admin() while fieldset titles are not filtered at all, meaning they could cause XSS vulnerabilities if unfiltered.
However, clearly the solution is not to over-compensate or treat fieldsets differently. To be consistent we should just run fieldset labels through filter_xss_admin() like other elements.
See:
http://api.lullabot.com/theme_fieldset
http://api.lullabot.com/theme_form_element
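As an added example (not the original issue text and not the patch that was committed), the following shows how a Drupal 6 module could render a fieldset the way comment #1 describes: identical to core theme_fieldset() except that the legend is passed through filter_xss_admin(), the same filter theme_form_element() applies to other labels. The hook and function names (webform_xss_example_theme, theme_webform_xss_example_fieldset, webform_xss_example_form_fieldset) are hypothetical; filter_xss_admin(), drupal_attributes() and drupal_add_js() are Drupal 6 core functions, so the code runs only inside a Drupal 6 bootstrap.

```php
<?php
// Added example, not the committed Webform patch. Hypothetical module
// "webform_xss_example": a Drupal 6 theme override that filters the
// fieldset #title with filter_xss_admin(), as theme_form_element() already
// does for the labels of other form elements.

/**
 * Implementation of hook_theme(): register the fieldset override.
 */
function webform_xss_example_theme() {
  return array(
    'webform_xss_example_fieldset' => array(
      'arguments' => array('element' => NULL),
    ),
  );
}

/**
 * Render a fieldset like core theme_fieldset(), but filter the legend.
 *
 * Core theme_fieldset() prints $element['#title'] unfiltered, so a label such
 * as <img src=x onerror=alert(1)> entered by whoever builds the form would be
 * echoed verbatim to every visitor who views it. filter_xss_admin() keeps the
 * formatting tags an administrator may legitimately use and strips script
 * tags, on* event handlers and javascript: URLs.
 */
function theme_webform_xss_example_fieldset($element) {
  $attributes = isset($element['#attributes']) ? $element['#attributes'] : array();

  if (!empty($element['#collapsible'])) {
    drupal_add_js('misc/collapse.js');
    if (!isset($attributes['class'])) {
      $attributes['class'] = '';
    }
    $attributes['class'] .= ' collapsible';
    if (!empty($element['#collapsed'])) {
      $attributes['class'] .= ' collapsed';
    }
  }

  $output = '<fieldset' . drupal_attributes($attributes) . '>';
  if (!empty($element['#title'])) {
    // The single difference from core: same filter as other element labels.
    $output .= '<legend>' . filter_xss_admin($element['#title']) . '</legend>';
  }
  if (!empty($element['#description'])) {
    $output .= '<div class="description">' . $element['#description'] . '</div>';
  }
  if (!empty($element['#children'])) {
    $output .= $element['#children'];
  }
  if (isset($element['#value'])) {
    $output .= $element['#value'];
  }
  return $output . "</fieldset>\n";
}

/**
 * Form-builder usage: a fieldset element that renders through the override.
 */
function webform_xss_example_form_fieldset($title) {
  return array(
    '#type' => 'fieldset',
    '#title' => $title,
    '#theme' => 'webform_xss_example_fieldset',
  );
}
```

The point of keeping the override otherwise byte-for-byte like core is the one quicksketch makes: fieldsets should not be special-cased with extra escaping, only brought up to the same filter_xss_admin() treatment the other elements already get. Note that #description is still printed raw here, exactly as core does for every element type.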
Comment #2
quicksketch
Fixed with this committed patch.