I ran the "Code review" for the Pay module since it's throwing errors at me. These are the results:

sites/all/modules/pay/includes/handlers/pay_method_gateway.inc

  • severity: critical; review: security_5; line 559: Potential problem: form_set_error() and form_error() only accept filtered text, be sure all !placeholders for $variables in t() are fully sanitized using check_plain(), filter_xss() or similar. (Drupal Docs) [security_5]

form_error($element[$key], t('!name field is required.', array('!name' => $element[$key]['#title'])));

sites/all/modules/pay/includes/pay.admin.inc

  • severity: critical; review: security_fapi_title; line 253: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]

'#title' => $info['title'],

  • severity: critical; review: security_fapi_title; line 254: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]

'#description' => $info['description'],

sites/all/modules/pay/includes/views/pay_handler_filter_amount.inc

  • severity: critical; review: security_fapi_title; line 49: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]

'#title' => empty($form_state['exposed']) ? t('Value') : '',

  • severity: critical; review: security_fapi_title; line 64: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]

'#title' => empty($form_state['exposed']) ? t('Value') : '',

  • severity: critical; review: security_fapi_title; line 76: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]

'#title' => empty($form_state['exposed']) ? t('Min') : '',

  • severity: critical; review: security_fapi_title; line 82: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_title]

'#title' => empty($form_state['exposed']) ? t('And max') : t('And'),

  • severity: critical; review: security_13; line 130: In SQL strings, use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs) [security_13]

$sql = "SELECT SUM($this->real_field) FROM {pay_transaction} px WHERE px.pfid = $this->table_alias.pfid";

sites/all/modules/pay/modules/pay_node/includes/pay_node.admin.inc

  • severity: critical; review: security_fapi_markup; line 252: Potential problem: when FAPI element '#type' is set to 'markup' (default), '#value' only accepts filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized. (Drupal Docs) [security_fapi_markup]

}

Comments

Status: Active » Needs review