I believe the $key and $value may contain javascript which could be used for XSS since watchdog messages are not filtered during output. I suggest using check_plain or filter_xss or whatever feels most appropriate. See http://drupalscout.com/knowledge-base/anything-you-can-do-xss-can-do-better and http://drupalscout.com/knowledge-base/drupal-text-filtering-cheat-sheet-... for advice on XSS.

This is made worse by the fact that the callback doesn't have any CSRF protection such as a token. See http://drupalscout.com/knowledge-base/protecting-your-drupal-module-agai... for details.
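The two issues raised above, an unescaped value reaching a watchdog message and a menu callback reachable without a token, as an added Drupal 7 example that is not part of this module or of the original report. It assumes the Drupal 7 API (watchdog(), check_plain(), drupal_get_token(), drupal_valid_token(), l()); the module name mymodule, the path mymodule/log and the permission name are hypothetical.

```php
<?php
/**
 * Added example (not the module's own code). Assumes a Drupal 7 site; the
 * module name "mymodule" and the path "mymodule/log/%/%" are hypothetical.
 */

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['mymodule/log/%/%'] = array(
    'title' => 'Log a key/value pair',
    'page callback' => 'mymodule_log_callback',
    'page arguments' => array(2, 3),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link to the callback with an anti-CSRF token in the query string.
 * drupal_get_token() ties the token to the current user's session and to the
 * given value, so a link forged on another site cannot carry a valid one.
 */
function mymodule_log_link($key, $value) {
  $path = 'mymodule/log/' . $key . '/' . $value;
  return l(t('Log it'), $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Page callback: refuses requests without a valid token, then logs safely.
 */
function mymodule_log_callback($key, $value) {
  $path = 'mymodule/log/' . $key . '/' . $value;

  // CSRF check: the token must match this path and this session.
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }

  // VULNERABLE pattern (kept as a comment for contrast): $key is concatenated
  // into the message unescaped. The dblog pages render the stored message
  // through t(), which does not filter the message text itself, so markup in
  // $key would be emitted verbatim to whoever views the log.
  // watchdog('mymodule', 'Set ' . $key . ' to @value', array('@value' => $value));

  // HARDENED pattern, matching the fix discussed in the thread: text that is
  // built into the message string is escaped with check_plain(); $value goes
  // through the "@" placeholder, which format_string() runs through
  // check_plain() on output. Only "!" placeholders are inserted unescaped.
  watchdog('mymodule', 'Set ' . check_plain($key) . ' to @value', array(
    '@value' => $value,
  ));

  return t('Logged.');
}
```

Using a '@key' placeholder instead of check_plain() on the concatenated key would be equivalent; the point is that anything reaching the message text directly must be escaped, while anything passed as an @ or % variable is escaped by format_string() when the log entry is displayed.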

Comments

IRuslan

Status: Active » Fixed

For $key I've added check_plain().
But for $value, I think it's not necessary, because it's output through the @ placeholder.

greggles

Yes indeed. And I see you added anti-CSRF token support as well - thanks!

IRuslan

Status: Fixed » Closed (fixed)