19 Jun 2006, 7:26 a.m.
On 19 Jun 2006, at 01:42, Steven Wittens wrote:
>> t('play %link', array('%link' => $node->title))
>> this is used as title attribute for a link... maybe check_plain() should be used instead of theme('placeholder') as suggested.
> Neither check_plain() nor theme('placeholder') is necessary or even makes sense here. Title attributes cannot contain HTML, so their content is passed as plain text to l(). The attribute content is escaped right before output in drupal_attributes().
Yes, I picked the wrong example. There are still dozens of other security bugs in the video module though.

drupal_set_title(t('Playing') . ' ' . $node->title);

--
Dries Buytaert :: http://www.buytaert.net/
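To make the distinction in Steven's reply concrete, here is an added PHP example. It is not code from the thread or from Drupal itself: check_plain(), drupal_attributes(), l() and drupal_set_title() are simplified stand-ins written to follow the escaping behaviour of the Drupal 4.7-era functions (the real ones take more parameters, and t() is left out). The node title is a constructed injection attempt. The output shows the title attribute escaped by drupal_attributes() with no escaping at the call site, the drupal_set_title() snippet from the message letting the raw title through into page HTML, and the hardened form with check_plain() applied to the user-supplied part.

```php
<?php
// Added example (not code from the thread or from Drupal): simplified
// re-implementations of the Drupal 4.7-era helpers the discussion names,
// written to match their escaping behaviour, so the two snippets can be
// compared offline without a Drupal install. Signatures are trimmed to
// the parameters used here (assumption: the real functions take more).

// check_plain(): escape a plain-text string for safe inclusion in HTML.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// drupal_attributes(): render an attribute array, escaping every value.
// This is the point at which a title attribute handed to l() is escaped.
function drupal_attributes($attributes = array()) {
  if (empty($attributes)) {
    return '';
  }
  $t = array();
  foreach ($attributes as $key => $value) {
    $t[] = $key . '="' . check_plain($value) . '"';
  }
  return ' ' . implode(' ', $t);
}

// l(): link builder. $text and the attribute values are plain text and are
// escaped on output. $path is assumed (simplification) to be a trusted
// internal path, so Drupal's URL handling is omitted.
function l($text, $path, $attributes = array()) {
  return '<a href="' . check_plain($path) . '"' . drupal_attributes($attributes) . '>'
    . check_plain($text) . '</a>';
}

// drupal_set_title(): stores the page title as HTML. The theme prints it
// unescaped, so the caller is responsible for escaping any plain text.
function drupal_set_title($title = NULL) {
  static $stored_title = '';
  if ($title !== NULL) {
    $stored_title = $title;
  }
  return $stored_title;
}

// Constructed node title carrying an injection attempt (not a real node).
$node = new stdClass();
$node->title = '"><script>alert(1)</script>';

// 1. Title attribute. The value is passed as plain text with no
//    check_plain() at the call site, because drupal_attributes() escapes it
//    on output. (The original used t() with a %link placeholder; translation
//    is left out here.) The quote and angle brackets become entities.
echo l('play', 'node/1', array('title' => 'play ' . $node->title)), "\n";

// 2. Page title, the snippet from the message: $node->title is concatenated
//    into the stored HTML unescaped, so the script tag survives into the page.
drupal_set_title('Playing ' . $node->title);
echo drupal_set_title(), "\n";

// 3. Hardened form: escape the user-supplied part before it becomes HTML.
drupal_set_title('Playing ' . check_plain($node->title));
echo drupal_set_title(), "\n";
```

Run it with `php` from the command line; the first and third lines printed contain `&lt;script&gt;`, the second contains a live `<script>` tag. The design point is the one Steven makes: escaping belongs where a string crosses into HTML (drupal_attributes() for attribute values, the caller of drupal_set_title() for page titles), and doing it earlier produces either double escaping or, as in the video module snippet, nothing at all.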