[development] Porting - Quick security reminders
Heine Deelstra
hdeelstra at gmail.com
Tue Dec 19 15:25:01 UTC 2006
Heine Deelstra wrote:
> Depending on the placeholder's sigil, it is passed through theme('placeholder')
> (%) or check_plain (@) automatically.
>
> t('I escape %user_data', '%user_data'); // I escape <em>user_data</em> (safe)
> t('I escape @user_data', '@user_data'); // I escape user_data (safe)
> t('I don\'t escape !user_data', '!user_data'); // XSS vulnerability
>
Somewhere in the preparation of the mail, I horribly mutilated the call to t(),
which should have read:
t('I escape %user_data', array('%user_data' => $data));
t('I escape @user_data', array('@user_data' => $data));
t('I don\'t escape !user_data', array('!user_data' => $data));
Regards,
Heine
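To make the three sigils concrete, here is an added illustration of the placeholder handling the post describes; it is not code from the post and not Drupal's own t(). The function below (format_placeholders, a name chosen for this example) only does the argument processing and substitution: '@' values are escaped with htmlspecialchars, '%' values are escaped and wrapped in <em> (assumed to match what theme('placeholder') rendered at the time), and '!' values are substituted untouched. Translation lookup, which the real t() also does, is left out. The untrusted input is constructed for the demonstration.

```php
<?php
// Added example (not Drupal's own code): a minimal stand-in for the way
// t() processes its $args array before substituting into the string.

function format_placeholders($string, array $args) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Escaped for safe HTML output (the check_plain case).
        $args[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        break;
      case '%':
        // Escaped, then wrapped in <em>, as theme('placeholder') is assumed to do.
        $args[$key] = '<em>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</em>';
        break;
      case '!':
        // Passed through untouched: the caller is responsible for its safety.
        break;
      default:
        // Unknown sigil: fail loudly rather than emit raw data by accident.
        throw new InvalidArgumentException("Placeholder '$key' must start with @, % or !");
    }
  }
  // strtr() with an array replaces every key with its processed value.
  return strtr($string, $args);
}

// Constructed untrusted input, e.g. a user-supplied display name.
$data = '<script>alert("xss")</script>';

$safe_em   = format_placeholders('I escape %user_data', array('%user_data' => $data));
$safe_text = format_placeholders('I escape @user_data', array('@user_data' => $data));
$unsafe    = format_placeholders('I don\'t escape !user_data', array('!user_data' => $data));

// Only the ! form lets the markup reach the output unchanged.
var_dump(strpos($safe_em, '<script>') === false);
var_dump(strpos($safe_text, '<script>') === false);
var_dump(strpos($unsafe, '<script>') !== false);

echo $safe_em, "\n";
echo $safe_text, "\n";
echo $unsafe, "\n";
```

Running this prints three true values followed by the three rendered strings; the first two contain only entity-encoded markup, while the third reproduces the input verbatim, which is why a '!' placeholder should only ever receive data that has already been sanitised or is known to be safe HTML.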