19 Dec 2006, 4:25 p.m.
Heine Deelstra wrote:
Depending on the placeholder's sigil, it is passed through theme('placeholder') (%) or check_plain (@) automatically.
t('I escape %user_data', '%user_data');          // I escape <em>user_data</em> (safe)
t('I escape @user_data', '@user_data');          // I escape user_data (safe)
t('I don\'t escape !user_data', '!user_data');   // XSS vulnerability
Somewhere in the preparation of the mail, I horribly mutilated the call to t(), which should have read:

t('I escape %user_data', array('%user_data' => $data));
t('I escape @user_data', array('@user_data' => $data));
t('I don\'t escape !user_data', array('!user_data' => $data));

Regards, Heine
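The three sigils, run against an actual XSS payload. This is an added example, not code from the thread or from Drupal core: it is a minimal stand-in for the placeholder-substitution step of Drupal 5's t() (translation lookup omitted, and theme('placeholder') reproduced as a plain function that wraps the escaped text in <em>, which is what theme_placeholder() did). The function names t_substitute() and placeholder_emphasised(), and the sample $data payload, are constructed for this example.

```php
<?php
// Added example (not Drupal core, not from the mailing-list thread): a minimal
// model of how t() treats its placeholder arguments depending on the sigil.
// Only the substitution step is modelled; no translation lookup is done.

// check_plain() as in Drupal: HTML-escape the text, treating it as UTF-8.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for theme('placeholder'): Drupal 5's theme_placeholder() returned
// the check_plain()'d text wrapped in <em>...</em>.
function placeholder_emphasised($text) {
    return '<em>' . check_plain($text) . '</em>';
}

// Hypothetical name for the substitution half of t(): escape each value
// according to the first character of its key, then substitute.
function t_substitute($string, array $args = array()) {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':   // escaped, no markup added
                $args[$key] = check_plain($value);
                break;
            case '%':   // escaped and emphasised
                $args[$key] = placeholder_emphasised($value);
                break;
            case '!':   // inserted verbatim: the caller must already have sanitised it
                break;
        }
    }
    return strtr($string, $args);
}

// Constructed sample input: attacker-controlled "user data" carrying a script tag.
$data = '<script>alert(document.cookie)</script>';

$outputs = array(
    '%' => t_substitute('I escape %user_data', array('%user_data' => $data)),
    '@' => t_substitute('I escape @user_data', array('@user_data' => $data)),
    '!' => t_substitute("I don't escape !user_data", array('!user_data' => $data)),
);

// A crude reviewer's check over rendered output: the raw <script> tag must not
// survive substitution. Only the ! line fails it.
foreach ($outputs as $sigil => $html) {
    $status = (strpos($html, '<script>') === false) ? 'safe' : 'XSS';
    printf("%s  %-70s [%s]\n", $sigil, $html, $status);
}

// The legitimate use of !: the value is markup that was sanitised before the
// call, so t() must not escape it a second time.
$safe_markup = '<strong>' . check_plain($data) . '</strong>';
echo t_substitute('Sanitised first: !markup', array('!markup' => $safe_markup)), "\n";
```

Run it with `php example.php`; the `%` and `@` lines render the payload as inert text, the `!` line emits the script tag unchanged. The rule that follows is the one the thread states: use `!` only for values that have already been through check_plain(), filter_xss() or a similar sanitiser, never for raw user input.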