$message = 'LESS ERROR: '. $e->getMessage() .', '. $input_file;
watchdog('LESS', $message, array(), WATCHDOG_ERROR);

That is both not translatable and could be an XSS vector.

It would be better as something like:

$message = 'LESS error: @message, @input_file';
watchdog('LESS', $message, array('@message' => $e->getMessage(), '@input_file' => $input_file), WATCHDOG_ERROR);

Because it requires the ability to write files to the server, the XSS is considered a secondary issue and can be fixed publicly.

The issue was identified by http://drupal.org/user/302225
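The difference between the two calls, as an added example that is not part of the original issue or the module's code: Drupal 7's watchdog() stores the message string and its variables separately, and placeholders are substituted when the entry is displayed. The `example_*` functions are simplified, hypothetical stand-ins for check_plain(), format_string() and the log viewer, and the error text and file name are constructed sample input.

```php
<?php
// Hypothetical stand-in for Drupal 7's check_plain(): HTML-escape a string.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for "@" placeholder substitution. The real
// format_string() also handles the "%" and "!" prefixes.
function example_format_string($string, array $args = array()) {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = example_check_plain($value);
    }
  }
  return strtr($string, $args);
}

// Stand-in for the log viewer: the stored message is combined with its
// stored variables only when the entry is rendered.
function example_render_log_entry($message, array $variables) {
  return example_format_string($message, $variables);
}

// Constructed sample input: a .less file whose name contains markup.
$error = 'parse error: unclosed block';
$input_file = 'sites/default/files/<img src=x onerror=alert(1)>.less';

// Before: the file name is concatenated into the message itself, so the
// stored string differs per file (nothing stable to translate) and the
// markup reaches the page unescaped.
$before = example_render_log_entry('LESS ERROR: ' . $error . ', ' . $input_file, array());

// After: the message is a constant template and the values travel as "@"
// variables, which are escaped at display time.
$after = example_render_log_entry(
  'LESS error: @message, @input_file',
  array('@message' => $error, '@input_file' => $input_file)
);

echo "before: $before\n";
echo "after:  $after\n";
```

In the "after" output the angle brackets in the file name appear as `&lt;` and `&gt;`, while the "before" output still contains the raw `<img ...>` tag.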

Comments

corey.aufang’s picture

Status: Active » Fixed

Fix for this should be in the latest dev.

Will be pushing new version soon.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 278fadd on 7.x-2.x, 7.x-3.x, 7.x-4.x by corey.aufang:
    by greggles, Justin_KleinKeane, corey.aufang: [#1600462] fixing minor...