Because the _stanley_icon_classes() function directly uses arg values without filtering, it is possible to perform XSS through this theme.
Here is a patch that just filters the created class via drupal_clean_css_identifier().
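As an added illustration (not the attached patch or the Stanley theme's own code), the pattern the report describes beside the filtered form. The `_example_icon_classes_*` and `example_preprocess_page` names are hypothetical, and "arg values" is taken to mean Drupal 7's `arg()` path components; `drupal_clean_css_identifier()` and `check_plain()` are the real Drupal 7 functions.

```php
<?php
// Hypothetical illustration of the issue; not the theme's code.

// Unsafe pattern: a raw request path component from arg() is placed into
// a CSS class, so any character a visitor can put in the URL reaches the
// class attribute in the rendered markup unfiltered.
function _example_icon_classes_unsafe() {
  $classes = array('icon');
  // arg(1) is the second path segment of the current request, unfiltered.
  if ($segment = arg(1)) {
    $classes[] = 'icon-' . $segment;
  }
  return implode(' ', $classes);
}

// Hardened pattern: normalise each segment into a valid CSS identifier
// before it is used as a class. drupal_clean_css_identifier() maps spaces,
// underscores, slashes and brackets to hyphens (or drops them) and removes
// every remaining character that is not valid in a CSS identifier, so
// quotes, angle brackets and similar markup characters cannot survive.
function _example_icon_classes_safe() {
  $classes = array('icon');
  if ($segment = arg(1)) {
    $classes[] = drupal_clean_css_identifier('icon-' . $segment);
  }
  return implode(' ', $classes);
}

// Defence in depth: even a cleaned identifier should be escaped when it is
// printed into an attribute, so the preprocess function still runs it
// through check_plain() before the template prints it.
function example_preprocess_page(&$variables) {
  $variables['icon_classes'] = check_plain(_example_icon_classes_safe());
}
```

Cleaning the identifier fixes the class value at its source, while escaping on output keeps the template safe if the value is later reused somewhere else.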

Attached file: stanley_template_xss.patch (844 bytes, uploaded by kyoder)

Comments

kyoder created an issue.