XSS issue, drupal mail instead of mail system

basic_cart.admin.inc

@@ -25,7 +25,7 @@ function basic_cart_admin_content_type() {
     '#description' => t('Please select the content types for which you wish to have the "Add to cart" option.'),
   );
 
-  $form['content_type']['types'] = array(
+  $form['content_type']['basic_cart_content_types'] = array(
     '#title' => t('Content types'),
     '#type' => 'checkboxes',
     '#options' => $options,
@@ -38,34 +38,34 @@ function basic_cart_admin_content_type() {
     '#description' => t('Here you can customize the mails sent to the site administrator and customer, after an order is placed.'),
   );
 
-  $form['messages']['admin_subject'] = array(
+  $form['messages']['basic_cart_admin_subject'] = array(
     '#title' => t('Subject'),
     '#type' => 'textfield',
     '#description' => t("Subject field for the administrator's email."),
     '#default_value' => variable_get('basic_cart_admin_subject'),
   );
 
-  $form['messages']['admin_message'] = array(
+  $form['messages']['basic_cart_admin_message'] = array(
     '#title' => t('Admin email'),
     '#type' => 'textarea',
     '#description' => t('This email will be sent to the site administrator just after an order is placed. Availabale tokes: %CUSTOMER_NAME, %CUSTOMER_EMAIL, %CUSTOMER_PHONE, %CUSTOMER_ADDRESS, %CUSTOMER_MESSAGE, %ORDER_DETAILS'),
     '#default_value' => variable_get('basic_cart_admin_message'),
   );
 
-  $form['messages']['send_user_message'] = array(
+  $form['messages']['basic_cart_send_user_message'] = array(
     '#title' => t('Send an email to the customer after an order is placed'),
     '#type' => 'checkbox',
     '#default_value' => variable_get('basic_cart_send_user_message'),
   );
 
-  $form['messages']['user_subject'] = array(
+  $form['messages']['basic_cart_user_subject'] = array(
     '#title' => t('Subject'),
     '#type' => 'textfield',
     '#description' => t("Subject field for the user's email."),
     '#default_value' => variable_get('basic_cart_user_subject'),
   );
 
-  $form['messages']['user_message'] = array(
+  $form['messages']['basic_cart_user_message'] = array(
     '#title' => t('User email'),
     '#type' => 'textarea',
     '#description' => t('This email will be sent to the user just after an order is placed. Availabale tokes: %CUSTOMER_NAME, %CUSTOMER_EMAIL, %CUSTOMER_PHONE, %CUSTOMER_ADDRESS, %CUSTOMER_MESSAGE, %ORDER_DETAILS'),
@@ -78,57 +78,19 @@ function basic_cart_admin_content_type() {
     '#description' => t('Here you can customize the thank you page.'),
   );
 
-  $form['thank_you']['thank_you_title'] = array(
+  $form['thank_you']['basic_cart_thank_you_title'] = array(
     '#title' => t('Title'),
     '#type' => 'textfield',
     '#description' => t('Thank you page title.'),
     '#default_value' => variable_get('basic_cart_thank_you_title'),
   );
 
-  $form['thank_you']['thank_you_message'] = array(
+  $form['thank_you']['basic_cart_thank_you_message'] = array(
     '#title' => t('Text'),
     '#type' => 'textarea',
     '#description' => t('Thank you page text.'),
     '#default_value' => variable_get('basic_cart_thank_you_message'),
   );
 
-  $form['save'] = array(
-    '#type' => 'submit',
-    '#value' => t('Save configuration'),
-  );
-
-  return $form;
-}
-
-
-/**
- * Callback for the admin configuration page submit function
- */
-function basic_cart_admin_content_type_submit($form_id, $form_state) {
-  $types = $form_state['values']['types'];
-  $selected_types = array();
-  foreach ($types as $type) {
-    if (!empty($type)) {
-      $selected_types[] = $type;
-    }
-  }
-
-  // Content types.
-  variable_set('basic_cart_content_types', $selected_types);
-
-  // Admin message.
-  variable_set('basic_cart_admin_message', $form_state['values']['admin_message']);
-  variable_set('basic_cart_admin_subject', $form_state['values']['admin_subject']);
-
-  // User message.
-  variable_set('basic_cart_send_user_message', $form_state['values']['send_user_message']);
-  variable_set('basic_cart_user_message', $form_state['values']['user_message']);
-  variable_set('basic_cart_user_subject', $form_state['values']['user_subject']);
-
-  // Thank you message.
-  variable_set('basic_cart_thank_you_title', $form_state['values']['thank_you_title']);
-  variable_set('basic_cart_thank_you_message', $form_state['values']['thank_you_message']);
-
-  // Message.
-  drupal_set_message(t('The configuration options have been saved.'));
+  return system_settings_form($form);
 }

basic_cart.cart.inc

@@ -236,47 +236,29 @@ function basic_cart_checkout_form_submit($form, &$form_state) {
   // Admin mail.
   $message_html = variable_get('basic_cart_admin_message');
   $message_html = str_replace($search, $replace, $message_html);
+  $params['admin_message'] = filter_xss($message_html);
+
+  $site_mail = variable_get('site_mail');
 
   // Sending mail.
-  $my_module = 'basic_cart';
-  $my_mail_token = 'checkout';
-  $from = variable_get('site_mail');
-
-  $message = array(
-    'id' => $my_module . '_' . $my_mail_token,
-    'to' => $from,
-    'subject' => variable_get('basic_cart_admin_subject'),
-    'body' => $message_html,
-    'headers' => array(
-      'From' => $from,
-      'Sender' => $from,
-      'Return-Path' => $from,
-    ),
-  );
-  $system = drupal_mail_system($my_module, $my_mail_token);
+  $message = drupal_mail('basic_cart', 'admin_mail', $site_mail, language_default(), $params);
+
   $mails_sent = 0;
-  if ($system->mail($message)) {
+  if ($message['result']) {
     $mails_sent++;
   }
+
   // User email.
   $send_user_mail = variable_get('basic_cart_send_user_message');
   if ($send_user_mail) {
     $message_html = variable_get('basic_cart_user_message');
     $message_html = str_replace($search, $replace, $message_html);
+    $params['user_message'] = filter_xss($message_html);
 
-    $message = array(
-      'id' => $my_module . '_' . $my_mail_token,
-      'to' => $form_state['values']['basic_cart_checkout_email'],
-      'subject' => variable_get('basic_cart_user_subject'),
-      'body' => $message_html,
-      'headers' => array(
-        'From' => $from,
-        'Sender' => $from,
-        'Return-Path' => $from,
-      ),
-    );
-    $system = drupal_mail_system($my_module, $my_mail_token);
-    if ($system->mail($message)) {
+    // Sending mail.
+    $message = drupal_mail('basic_cart', 'user_mail', $form_state['values']['basic_cart_checkout_email'], language_default(), $params);
+
+    if ($message['result']) {
       $mails_sent++;
     }
   }
@@ -290,12 +272,30 @@ function basic_cart_checkout_form_submit($form, &$form_state) {
   }
 }
 
+
+/**
+ * Implements hook_mail().
+ */
+function basic_cart_mail($key, &$message, $params) {
+  switch($key) {
+    case 'admin_mail':
+      $message['subject'] = check_plain(variable_get('basic_cart_admin_subject'));
+      $message['body'][] = $params['admin_message'];
+      break;
+
+    case 'user_mail':
+      $message['subject'] = check_plain(variable_get('basic_cart_user_subject'));
+      $message['body'][] = $params['user_message'];
+      break;
+  }
+}
+
 /**
  * Callback for thank you page.
  */
 function basic_cart_checkout_thank_you() {
   $title = variable_get('basic_cart_thank_you_title');
   drupal_set_title($title);
   $message = variable_get('basic_cart_thank_you_message');
-  return nl2br($message);
+  return nl2br(filter_xss($message));
 }

basic_cart_cart_render.tpl.php

@@ -3,6 +3,7 @@
  * @file
  * Basic cart shopping cart html template
  */
+
 ?>
 
 <?php if( empty($cart) ): ?>
@@ -36,7 +37,15 @@
 
             <?php if(!$is_checkout): ?>
               <div class="basic-cart-delete-image cell">
-                <?php print l('<img src="' . $base_path . drupal_get_path('module', 'basic_cart') . '/images/delete.gif" border="0" />', 'cart/remove/' . $nid, array('html' => TRUE)); ?>
+                <?php 
+                $variables = array(
+                  'path' => $base_path . drupal_get_path('module', 'basic_cart') . '/images/delete.gif',
+                  'alt' => t('Remove from cart'),
+                  'title' => t('Remove from cart'),
+                  'attributes' => array('class' => 'basic-cart-delete-image-image'),
+                );
+                print l(theme('image', $variables), 'cart/remove/' . $nid, array('html' => TRUE));
+                ?>
               </div>
             <?php endif; ?>
         </div>

basic_cart_cart_render_block.tpl.php

@@ -3,6 +3,7 @@
  * @file
  * Basic cart shopping cart block
  */
+
 ?>
 
 <?php if( empty($cart) ): ?>