The documentation about handling text in a secure fashion mentions that form #values need to be filtered if the #type is 'value' because value is assumed to be HTML.

You should run check_plain before displaying user submitted data (like usernames, email addresses) on the form.

Consider whether the username should actually be presented with theme('username', array('name' => $user->name)); instead of just printed.

I'm not sure that check_plain is right for all of the variables in the og_email_blast_mail. Especially if they will be check_plained in the form generation process they shouldn't be double filtered.

Comments

dcmouyard

Status: Active » Fixed

I filtered the form #values with check_plain for group, admin, and admin_email. I didn't use theme(username) for admin because it's only displayed as plain text in the email and the watchdog message.

I also filtered the result of _group_emails() with check_plain.

Finally, I removed the redundant check_plain filters in og_email_blast_mail(), except for subject and body, since they haven't been filtered yet.

dcmouyard

Assigned: Unassigned » dcmouyard
heine

#type value never ends up in HTML. Doesn't the page talk about the default 'markup' type that used to take a #value (now #markup)?
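The distinction raised in the original report and in heine's comment, as an added illustration (not code from the og_email_blast module): a rendered #markup element is escaped, a '#type' => 'value' element stays raw because it never reaches HTML, and the mail and watchdog sinks do not get a second check_plain(). It assumes the Drupal 7 form, mail and logging APIs; the example_* function names are hypothetical.

```php
<?php
// Added illustration using the Drupal 7 form and mail APIs. Function names
// (example_*) are hypothetical, not code from the og_email_blast module.

// Form builder. Only a value that is rendered as HTML needs escaping; a
// '#type' => 'value' element never reaches the page, so it stays raw.
function example_blast_form($form, &$form_state, $group, $admin, array $emails) {
  $form['sender'] = array(
    // Rendered: the @ placeholder runs check_plain() on the user name.
    '#markup' => '<p>' . t('Sending as @name', array('@name' => $admin->name)) . '</p>',
  );
  // Carried in $form_state['values'] only; escaping here would hand later
  // consumers (mail, log) text with literal entities such as &amp;.
  $form['admin_name']  = array('#type' => 'value', '#value' => $admin->name);
  $form['admin_email'] = array('#type' => 'value', '#value' => $admin->mail);
  $form['group']       = array('#type' => 'value', '#value' => $group->title);
  $form['recipients']  = array('#type' => 'value', '#value' => implode(', ', $emails));
  $form['subject'] = array('#type' => 'textfield', '#title' => t('Subject'), '#required' => TRUE);
  $form['body']    = array('#type' => 'textarea',  '#title' => t('Body'),    '#required' => TRUE);
  $form['submit']  = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

// Submit handler: pass raw values on; each sink does its own escaping.
function example_blast_form_submit($form, &$form_state) {
  $v = $form_state['values'];
  $params = array(
    'group'   => $v['group'],
    'admin'   => $v['admin_name'],
    'subject' => $v['subject'],
    'body'    => $v['body'],
  );
  drupal_mail('example', 'blast', $v['recipients'], language_default(), $params, $v['admin_email']);
  // watchdog() escapes % and @ placeholders itself when the entry is displayed,
  // so wrapping these values in check_plain() would double-escape them.
  watchdog('example', 'Blast for %group sent by %admin.',
    array('%group' => $v['group'], '%admin' => $v['admin_name']));
}

// hook_mail(). The default mail system formats plain text; check_plain()
// targets HTML output and is not applied to these values here.
function example_mail($key, &$message, $params) {
  if ($key == 'blast') {
    $message['subject'] = $params['subject'];
    $message['body'][] = $params['body'];
    $message['body'][] = t('Sent by !admin on behalf of !group.',
      array('!admin' => $params['admin'], '!group' => $params['group']));
  }
}
```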

greggles

Assigned: dcmouyard » Unassigned
dcmouyard

Status: Fixed » Closed (fixed)