[development] Video module getting ready for 4.7 release: need help debugging

Earl Dunovant prometheus6 at gmail.com
Mon Jun 19 16:41:54 UTC 2006


These fields are coming from the database, and the table is populated with
data from Amazon.com. I prefer scrubbing it on the way in (admittedly not
doing that at the moment because I figured if you can hijack Amazon.com's
servers you're going to get me if you want to anyway). The fewer places I
have to worry about it, the better.

On 6/19/06, Dries Buytaert <dries.buytaert at gmail.com> wrote:
>
>
> On 19 Jun 2006, at 16:50, Earl Dunovant wrote:
> > What was the query you used to identify the problem? I think
> > amazon.module is one of the false positives, but I want to make
> > sure I'm looking at the same thing you are.
>
> This line is vulnerable (amongst other):
>
> $datacell .= "<img src=\"$node->smallimageurl\" height=\"$node->smallimageheight\"
> width=\"$node->smallimagewidth\" alt=\"cover of $node->title\" />";
>
> --
> Dries Buytaert  ::  http://www.buytaert.net/
>
>
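The quoted line beside an output-escaped version, as an added example that is not code from amazon.module or from either poster. The $node field names come from the quoted line; the node record is constructed, and PHP's htmlspecialchars() stands in for Drupal 4.7's check_plain() so the file runs outside Drupal.

```php
<?php
// Added example, not code from the thread. It contrasts the quoted line's
// string interpolation with the same markup built from escaped values.

// Constructed node record standing in for a row loaded from the Amazon table.
// The title deliberately carries characters that terminate an HTML attribute.
$node = (object) array(
  'smallimageurl'    => 'http://example.invalid/cover.jpg',
  'smallimageheight' => 75,
  'smallimagewidth'  => 50,
  'title'            => 'A "Quoted" <Title>',
);

// Vulnerable form, as quoted in the thread: raw field values land in markup,
// so whatever survived the import (or was changed in the table later) is
// emitted verbatim.
function render_unescaped($node) {
  return "<img src=\"$node->smallimageurl\" height=\"$node->smallimageheight\" "
       . "width=\"$node->smallimagewidth\" alt=\"cover of $node->title\" />";
}

// Hardened form: every value is escaped at the point it enters HTML. Drupal
// 4.7 provides check_plain() for this; htmlspecialchars() is used here as a
// stand-in so the example is self-contained. With escaping at output, it no
// longer matters whether the row was scrubbed on the way in.
function render_escaped($node) {
  $e = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); };
  return '<img src="' . $e($node->smallimageurl)
       . '" height="' . $e($node->smallimageheight)
       . '" width="' . $e($node->smallimagewidth)
       . '" alt="cover of ' . $e($node->title) . '" />';
}

// A crude check a reviewer can run over rendered cells: a well-formed <img>
// with four attributes has exactly eight double quotes, so any other count
// means a field value broke out of its attribute.
function attribute_quotes_intact($html) {
  return substr_count($html, '"') === 8;
}

echo render_unescaped($node), "\n";
echo render_escaped($node), "\n";
var_dump(attribute_quotes_intact(render_unescaped($node)));
var_dump(attribute_quotes_intact(render_escaped($node)));
```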