$message = 'LESS ERROR: '. $e->getMessage() .', '. $input_file;
watchdog('LESS', $message, array(), WATCHDOG_ERROR);
That is both not translatable and could be an XSS vector.
It would be better as something like:
$message = 'LESS error: @message, @input_file';
watchdog('LESS', $message, array('@message' => $e->getMessage(), '@input_file' => $input_file), WATCHDOG_ERROR);
Because it requires the ability to write files to the server, the XSS is considered a secondary issue and can be fixed publicly.
The issue was identified by http://drupal.org/user/302225
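The difference between the two calls above, as an added example that is not part of the original issue or of the LESS module. It is a simplified stand-alone model of Drupal 7's behaviour: `model_format_string()` and `model_render_log()` are hypothetical stand-ins for `format_string()` and the dblog message renderer, and the file name and error text are constructed sample input.

```php
<?php
// Simplified model of Drupal 7 message formatting, written for this example.
// model_format_string() and model_render_log() are hypothetical stand-ins for
// format_string() and the dblog message renderer; they are not Drupal code.

// '@' placeholders are HTML-escaped, which is what Drupal 7's check_plain() does.
function model_format_string($string, array $args) {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
  }
  return strtr($string, $args);
}

// The log keeps the message template and its variables separate; substitution
// (and, in Drupal, translation of the template) happens at display time.
function model_render_log($message, array $variables) {
  return model_format_string($message, $variables);
}

// Constructed sample input: a file name and parser error containing markup.
$input_file = '<img src=x onerror=alert(1)>.less';
$error = 'parse error near "<b>"';

// Before: the untrusted values are concatenated into the template itself,
// so nothing escapes them and every distinct error is a new source string.
$before = model_render_log('LESS ERROR: ' . $error . ', ' . $input_file, array());

// After: one fixed template, untrusted values passed as '@' placeholders.
$after = model_render_log('LESS error: @message, @input_file', array(
  '@message' => $error,
  '@input_file' => $input_file,
));

echo "before: $before\n";
echo "after:  $after\n";

// The 'before' output still contains a live tag; the 'after' output carries
// the same text as escaped entities.
var_dump(strpos($before, '<img') !== FALSE);
var_dump(strpos($after, '<img') === FALSE && strpos($after, '&lt;img') !== FALSE);
```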
Comments
Comment #1
corey.aufang commented:
Fix for this should be in the latest dev.
Will be pushing new version soon.