In better_exposed_filters.theme.

Please note my addition of htmlspecialchars() calls.

  $output = '';

Sorry I dont know how to create a patch.

Files: 
CommentFileSizeAuthor
#1 unsanitized_output_2088443_1.patch837 bytesnonsie
None View

Comments

nonsie’s picture

Version: 7.x-3.0-beta3 » 7.x-3.x-dev
Status: Active » Needs review
FileSize
837 bytes
None View

It's actually quite easy to create patches, just follow the directions on https://drupal.org/node/640962/git-instructions/7.x-3.x

Here's the patch against 7.x-3.x-dev with filter_xss() instead of htmlspecialchars().

mikeker’s picture

Status: Needs review » Closed (cannot reproduce)

This has been fixed since this commit. Make sure you're using the latest release before reporting bugs.

Also, security issues should be reported using Drupal's security issue reporting system, not through an open forum like the issue queue.