Coder Review yields a critical false positive if the title or description of a form API array is filtered with field_filter_xss() instead of filter_xss() / check_plain() etc.:

Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized.

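The false positive the report describes, reduced to an added sketch that is not Coder's actual rule or code from this issue: a review check that flags `#title` / `#description` values containing a PHP variable unless the value is wrapped in an allowlisted sanitizer. The regexes, the `review()` helper and the two allowlists are assumptions made for illustration, and the PHP sample is constructed.

```python
import re

# Simplified stand-in for the review rule; NOT Coder's actual implementation.
ELEMENT = re.compile(r"""['"]#(title|description)['"]\s*=>\s*(.+?),?\s*$""")
OUTER_CALL = re.compile(r"^([A-Za-z_]\w*)\s*\(")
VARIABLE = re.compile(r"\$[A-Za-z_]\w*")

# Hypothetical allowlists: the functions named in the warning text, then the
# same set extended with the function the report says should be accepted.
SANITIZERS_BEFORE = {"check_plain", "filter_xss"}
SANITIZERS_AFTER = SANITIZERS_BEFORE | {"field_filter_xss"}


def review(php_source, sanitizers):
    """Return (line_no, property) for each #title/#description whose value
    contains a PHP variable and is not wrapped in an allowlisted sanitizer."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ELEMENT.search(line)
        if not m:
            continue
        prop, expr = m.group(1), m.group(2).strip()
        if not VARIABLE.search(expr):
            continue  # literal text only, no variable to sanitize
        call = OUTER_CALL.match(expr)
        if call and call.group(1) in sanitizers:
            continue  # outermost call is a recognised sanitizer
        findings.append((no, "#" + prop))
    return findings


# Constructed sample form code (not taken from any real module).
SAMPLE = """\
$form['name'] = array(
  '#type' => 'textfield',
  '#title' => field_filter_xss($instance['label']),
  '#description' => check_plain($help),
);
$form['note'] = array(
  '#title' => $raw_label,
  '#description' => t('Static text'),
);
"""

if __name__ == "__main__":
    print("before:", review(SAMPLE, SANITIZERS_BEFORE))
    print("after: ", review(SAMPLE, SANITIZERS_AFTER))
```

With the narrower allowlist, line 3 is reported even though its value is filtered; extending the allowlist removes that finding while the unfiltered `$raw_label` on line 7 is still reported.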

Comments

douggreen

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.