In better_exposed_filters.theme.

Please note my addition of htmlspecialchars() calls.

<?php
  $output
= '<div class="bef-select-as-links">';
 
$output .= theme('form_element', array('element' => $properties));
  if (!empty(
$element['#value'])) {
    if (
is_array($element['#value'])) {
      foreach (
$element['#value'] as $value) {
       
$output .= '<input type="hidden" name="' . $name . '[]" value="' . htmlspecialchars($value) . '" />';
      }
    }
    else {
     
$output .= '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($element['#value']) . '" />';
    }
  }
 
$output .= '</div>';
?>

Sorry I dont know how to create a patch.

Files: 
CommentFileSizeAuthor
#1 unsanitized_output_2088443_1.patch837 bytesnonsie
Test request sent.
[ View ]

Comments

Version:7.x-3.0-beta3» 7.x-3.x-dev
Status:Active» Needs review
StatusFileSize
new837 bytes
Test request sent.
[ View ]

It's actually quite easy to create patches, just follow the directions on https://drupal.org/node/640962/git-instructions/7.x-3.x

Here's the patch against 7.x-3.x-dev with filter_xss() instead of htmlspecialchars().

Status:Needs review» Closed (cannot reproduce)

This has been fixed since this commit. Make sure you're using the latest release before reporting bugs.

Also, security issues should be reported using Drupal's security issue reporting system, not through an open forum like the issue queue.