[development] Porting - Quick security reminders

Heine Deelstra hdeelstra at gmail.com
Tue Dec 19 15:25:01 UTC 2006

Heine Deelstra wrote:

> Depending on the placeholder's sigil, it is passed through theme('placeholder')
> (%) or check_plain (@) automatically.
> t('I escape %user_data', '%user_data'); // I escape <em>user_data</em> (safe)
> t('I escape @user_data', '@user_data'); // I escape user_data (safe)
> t('I don't escape !user_data', '!user_data'); // XSS vulnerability

Somewhere in the preparation of themail, I horribly mutilated the call to t(),
which should have read:

t('I escape %user_data', array('%user_data' => $data));
t('I escape @user_data', array('@user_data' => $data));
t('I don't escape !user_data', array('!user_data' => $data));



More information about the development mailing list