Document security details for drupal_attributes()

This looks like a documentation-only issue, moving to that queue and removing tag.

Here's a first stab at this. I updated the rest of the Doxygen block too: third person for the intro sentence, removed the references to HTML as drupal_attributes can be used in some other contexts (like XML).

Good first stab. A few minor things:

a)
(e.g. a multi-value class attribute).
==>
(i.e., a multi-value class attribute).

b)

+ *   // The statement below demonstrates dangerous use of drupal_attributes, and
+ *   // will return an onmouseout attribute with javascript code that, when used
+ *   // as attribute in a tag, will cause users to be redirected to another site.
+ *   drupal_attributes(array('onmouseout' => 'window.location="http://malicious.com/";')));

I think this code comment needs to mention whitelisting (as mentioned in the paragraph above). Maybe add something like:
Probably the 'onmouseout' attribute should not be whitelisted -- you don't want users to have the ability to add this attribute or others that take JavaScript commands.

c) Needs a blank line between @param and @return sections.

d) Don't include the E_ALL hunk of index.php in the patch. :)

Thanks, taken care of all your comments. Also tried to make the first sentence better explain what the function is doing.

Much better!

a) First line:
+ * Converts an associative array to an attribute string for use in tags.

Should we say HTML tags, or perhaps XML tags, or perhaps XML/HTML tags, instead of just tags?
Willing to live with this as it is, especially if that would push it over the 80 character limit.

b) There needs to be a comma after i.e. -- and I guess I was wrong above, it should really be e.g., because it is an example and not a "that is". Even better, change
(i.e. a multi-value class attribute)
==>
(for example, a class attribute with multiple class values)

I had to read that three or four times as it was to even figure out what it meant, even though I had read it just a day or two ago.

Thanks, updated patch attached.

The first line now reads "Converts an associative array to an attribute string for use in XML/HTML tags." which goes over the 80-char limit by 1 character, but if I'm not mistaken the first-line of a doxygen is allowed to go slightly over the limit, right?

I've also added drupal_attributes to the "sanitization" group as it sanitizes the values.

How about just removing the "use in" so it reads:

Converts an associative array to an attribute string for XML/HTML tags.

That will come in under 80 characters, and we really do discourage going over 80.

Other than that, I am for RTBC on this one.

Thanks for the tip, that does sound better than the current form.

Looks good to me! Thanks mr.baileys!!

Committed to CVS HEAD. Thanks.