In better_exposed_filters.theme.
Please note my addition of htmlspecialchars() calls.
```php
// Fragment of the "select as links" rendering in better_exposed_filters.theme;
// $name, $element and $properties come from the enclosing theme function.
$output = '<div class="bef-select-as-links">';
$output .= theme('form_element', array('element' => $properties));
if (!empty($element['#value'])) {
  if (is_array($element['#value'])) {
    // Multi-value selection: one hidden input per selected value.
    foreach ($element['#value'] as $value) {
      $output .= '<input type="hidden" name="' . $name . '[]" value="' . htmlspecialchars($value) . '" />';
    }
  }
  else {
    // Single value: escape before placing it in the attribute.
    $output .= '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($element['#value']) . '" />';
  }
}
$output .= '</div>';
```
Sorry, I don't know how to create a patch.
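To make the issue concrete, here is an added example (not code from the issue poster or from the Better Exposed Filters module) that renders the same hidden inputs once without escaping and once through Drupal 7's check_plain(), so the difference in the emitted markup can be inspected. The helper name bef_hidden_inputs(), the form element name 'field_tags' and the sample value are all constructed for this example. It runs outside Drupal: check_plain() is defined locally exactly as Drupal 7 core defines it (htmlspecialchars() with ENT_QUOTES and UTF-8) when the core function is not loaded. Note that check_plain() is the Drupal 7 API intended for attribute and plain-text contexts, whereas filter_xss() leaves an allow-list of HTML tags intact and is meant for markup that is supposed to contain some HTML.

```php
<?php
// Added example, not part of the Better Exposed Filters module.
// check_plain() is defined here as Drupal 7 core defines it, for use outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Builds hidden inputs carrying the selected value(s) of an exposed filter.
 *
 * @param string $name
 *   Form element name. Assumed to be a trusted Form API identifier, so it is
 *   not escaped here; only the user-controlled value is.
 * @param mixed $value
 *   Selected value: a string, or an array of strings for multi-select.
 * @param bool $escape
 *   TRUE to escape values for the attribute context, FALSE to emit them raw.
 *
 * @return string
 *   The rendered <input type="hidden"> elements.
 */
function bef_hidden_inputs($name, $value, $escape) {
  $output = '';
  $multiple = is_array($value);
  $values = $multiple ? $value : array($value);
  $suffix = $multiple ? '[]' : '';
  foreach ($values as $v) {
    // Mirrors the !empty() guard in the module fragment above.
    if ($v === '' || $v === NULL) {
      continue;
    }
    $safe = $escape ? check_plain($v) : $v;
    $output .= '<input type="hidden" name="' . $name . $suffix . '" value="' . $safe . '" />';
  }
  return $output;
}

// Constructed sample value containing the characters that matter inside a
// double-quoted attribute: a double quote and angle brackets.
$sample = 'a"b<c>';

// Raw: the embedded quote terminates the value attribute early.
echo "Unescaped: " . bef_hidden_inputs('field_tags', $sample, FALSE) . "\n";
// Escaped: the quote and brackets become &quot; &lt; &gt; and stay inside the attribute.
echo "Escaped:   " . bef_hidden_inputs('field_tags', $sample, TRUE) . "\n";
// Multi-value case, same escaping applied to each element.
echo "Multiple:  " . bef_hidden_inputs('field_tags', array('x', $sample), TRUE) . "\n";
```

Run it with `php example.php` and compare the two first lines: in the unescaped output the double quote from the value closes the `value` attribute, so whatever follows is parsed as markup rather than as data; in the escaped output the same characters are rendered as entities and remain part of the attribute value.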
Comment | File | Size | Author
---|---|---|---
#1 | unsanitized_output_2088443_1.patch | 837 bytes | nonsie
Comments
Comment #1
nonsie commented: It's actually quite easy to create patches, just follow the directions on https://drupal.org/node/640962/git-instructions/7.x-3.x
Here's the patch against 7.x-3.x-dev with filter_xss() instead of htmlspecialchars().
Comment #2
mikeker (CreditAttribution: mikeker) commented: This has been fixed since this commit. Make sure you're using the latest release before reporting bugs.
Also, security issues should be reported using Drupal's security issue reporting system, not through an open forum like the issue queue.