I ran the "Code review" for the Pay module since it's throwing errors at me. These are the results:
sites/all/modules/pay/includes/handlers/pay_method_gateway.inc
- severity: critical, review: security_5, Line 559: Potential problem: form_set_error() and form_error() only accept filtered text, be sure all !placeholders for $variables in t() are fully sanitized using check_plain(), filter_xss() or similar. (Drupal Docs) [security_5]
  form_error($element[$key], t('!name field is required.', array('!name' => $element[$key]['#title'])));
sites/all/modules/pay/includes/pay.admin.inc
- severity: critical, review: security_fapi_title, Line 253: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]
  '#title' => $info['title'],
- severity: critical, review: security_fapi_title, Line 254: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]
  '#description' => $info['description'],
sites/all/modules/pay/includes/views/pay_handler_filter_amount.inc
- severity: critical, review: security_fapi_title, Line 49: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]
  '#title' => empty($form_state['exposed']) ? t('Value') : '',
- severity: critical, review: security_fapi_title, Line 64: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]
  '#title' => empty($form_state['exposed']) ? t('Value') : '',
- severity: critical, review: security_fapi_title, Line 76: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]
  '#title' => empty($form_state['exposed']) ? t('Min') : '',
- severity: critical, review: security_fapi_title, Line 82: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]
  '#title' => empty($form_state['exposed']) ? t('And max') : t('And'),
- severity: critical, review: security_13, Line 130: In SQL strings, use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs) [security_13]
  $sql = "SELECT SUM($this->real_field) FROM {pay_transaction} px WHERE px.pfid = $this->table_alias.pfid";
sites/all/modules/pay/modules/pay_node/includes/pay_node.admin.inc
- severity: critical, review: security_fapi_markup, Line 252: Potential problem: when FAPI element '#type' is set to 'markup' (default), '#value' only accepts filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_markup]
  }
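The three kinds of finding above in working form, as an added example that is not code from the Pay module or from Drupal core. It stubs check_plain(), t() and form_error() with minimal stand-ins so the file runs under plain `php`, and puts the pattern Coder flags beside the sanitized pattern it asks for. pay_safe_identifier(), the sample #title values, the $info array and the identifier values are all constructed for the example. One caveat on the security_13 finding: Drupal 6 db_query() placeholders (%d, %s, %f, %b) cover values only, and $this->real_field and $this->table_alias in that query are a column name and a table alias (the page does not show where they are set), so the applicable remedy is to validate the identifier before interpolating it, not to swap in a %s placeholder.

```php
<?php
// Added example, not code from the Pay module or from Drupal core. The
// first three functions are small stand-ins for Drupal 6's check_plain(),
// t() and form_error() so this file runs on its own with plain `php`;
// the before/after pairs show the patterns the Coder findings ask for.

// Stand-in for check_plain(): escape a string for HTML output.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for t(). The placeholder prefixes are the security point:
//   !name  inserted verbatim, caller must already have sanitized it
//   @name  escaped with check_plain()
//   %name  escaped with check_plain() and wrapped in <em>
function t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = check_plain($value);
    }
    elseif ($key[0] === '%') {
      $args[$key] = '<em>' . check_plain($value) . '</em>';
    }
    // '!' placeholders pass through unchanged.
  }
  return strtr($string, $args);
}

// Stand-in for form_error(): record the message that would be rendered.
$form_errors = array();
function form_error($element, $message) {
  global $form_errors;
  $form_errors[] = $message;
}

function fail($why) {
  fwrite(STDERR, "FAIL: $why\n");
  exit(1);
}

// security_5 (pay_method_gateway.inc line 559): a '!name' placeholder fed to
// form_error(). Constructed element whose #title carries markup.
$element = array('#title' => '<img src=x onerror=alert(1)>Card number');

form_error($element, t('!name field is required.', array('!name' => $element['#title'])));
form_error($element, t('%name field is required.', array('%name' => $element['#title'])));
if (strpos($form_errors[0], '<img') === false) fail('!name should pass markup through');
if (strpos($form_errors[1], '<img') !== false) fail('%name should escape markup');
echo "before: {$form_errors[0]}\nafter:  {$form_errors[1]}\n\n";

// security_fapi_title (pay.admin.inc lines 253-254): '#title' and
// '#description' are rendered unfiltered, so a value that is not a literal
// string inside t() goes through check_plain() first. Constructed $info.
$info = array(
  'title' => 'Gateway <script>alert(1)</script>',
  'description' => 'Charges cards & logs results',
);
$before = array('#title' => $info['title'], '#description' => $info['description']);
$after  = array('#title' => check_plain($info['title']), '#description' => check_plain($info['description']));
if (strpos($after['#title'], '<script>') !== false) fail('#title should be escaped');
echo "before: {$before['#title']}\nafter:  {$after['#title']}\n\n";

// security_13 (pay_handler_filter_amount.inc line 130): identifiers are
// interpolated into SQL. Drupal 6 db_query() placeholders (%d, %s, %f, %b)
// only cover values, not column or table names, so an identifier has to be
// validated before interpolation. pay_safe_identifier() is an assumed helper
// name for this example, not a Pay module function.
function pay_safe_identifier($name) {
  if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
    throw new InvalidArgumentException("Unsafe SQL identifier: $name");
  }
  return $name;
}
$real_field  = 'amount';    // constructed values for the example
$table_alias = 'pay_form';
$sql = 'SELECT SUM(' . pay_safe_identifier($real_field) . ') FROM {pay_transaction} px'
     . ' WHERE px.pfid = ' . pay_safe_identifier($table_alias) . '.pfid';
echo "sql: $sql\n";
try {
  pay_safe_identifier('amount) FROM x; --');
  fail('malformed identifier should be rejected');
}
catch (InvalidArgumentException $e) {
  echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`; the first two sections print the raw and escaped messages side by side, and the last section prints the assembled query and then the rejection of a malformed identifier. Whether the Views handler properties in the real query can ever carry user data is not settled by the Coder output alone and needs checking against where the handler sets them.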
Comments
Comment #1
Kebz commented
Comment #2
Kebz commented