In better_exposed_filters.theme.

Please note my addition of htmlspecialchars() calls.

  $output = '<div class="bef-select-as-links">';
  $output .= theme('form_element', array('element' => $properties));
  if (!empty($element['#value'])) {
    if (is_array($element['#value'])) {
      foreach ($element['#value'] as $value) {
        $output .= '<input type="hidden" name="' . $name . '[]" value="' . htmlspecialchars($value) . '" />';
    else {
      $output .= '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($element['#value']) . '" />';
  $output .= '</div>';

Sorry I dont know how to create a patch.

#1 unsanitized_output_2088443_1.patch837 bytesnonsie
Test request sent.
[ View ]


nonsie’s picture

Version:7.x-3.0-beta3» 7.x-3.x-dev
Status:Active» Needs review
new837 bytes
Test request sent.
[ View ]

It's actually quite easy to create patches, just follow the directions on

Here's the patch against 7.x-3.x-dev with filter_xss() instead of htmlspecialchars().

mikeker’s picture

Status:Needs review» Closed (cannot reproduce)

This has been fixed since this commit. Make sure you're using the latest release before reporting bugs.

Also, security issues should be reported using Drupal's security issue reporting system, not through an open forum like the issue queue.