Make Krumo compatible with XSS injection protection to drupal_set_message()
>>> [!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #2855666. -->
Reported by: [mustanggb](https://www.drupal.org/user/796188)
>>>

<p>A reasonable security hardening is to filter drupal_set_message() for XSS, for an example/background see <span class="drupalorg-gitlab-issue-link project-issue-status-info project-issue-status-6"><a href="https://www.drupal.org/project/bootstrap/issues/2824575" title="Status: Closed (works as designed)">#2824575: 7.x-3.8 breaks dpm() Krumo and string output</a></span>.</p>

<p>However this breaks Krumo as it injects <code>&lt;script&gt;</code> and <code>&lt;style&gt;</code> tags, inline JavaScript event handlers (onClick, onMouseOver, and onMouseOut), and inline CSS via the style attribute into the message.</p>

<p>The idea here is to move away from all this inline stuff by:</p>

<ul>
<li><code>&lt;script&gt;</code> tags -&gt; drupal_add_js()</li>
<li><code>&lt;style&gt;</code> tags -&gt; drupal_add_css()</li>
<li>JavaScript event handlers -&gt; devel_krumo.js</li>
<li>style attributes -&gt; devel_krumo.css</li>
</ul>

> Related issue: [Issue #2962943](https://www.drupal.org/node/2962943)
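A regression check for the migration listed in the issue, as an added example that is not part of the original issue or the Devel project's code: it audits debug markup for the four inline constructs that an XSS filter on drupal_set_message() would strip, and reports where the issue proposes to move each one. The function name `auditInlineConstructs` and both sample strings are constructed for illustration and are not captured Krumo output.

```javascript
// Where the issue proposes to move each inline construct.
const MOVE_TO = { script: 'drupal_add_js()', style: 'drupal_add_css()' };

// Regex scanning is adequate for auditing trusted debug markup; it is not an XSS filter.
function auditInlineConstructs(html) {
  const findings = [];
  // Record and remove <script>/<style> elements so their bodies are not scanned as markup.
  const rest = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, (whole, tag) => {
    const name = tag.toLowerCase();
    findings.push({ kind: name + '-tag', moveTo: MOVE_TO[name] });
    return '';
  });
  // Match opening tags, allowing '>' inside quoted attribute values.
  const tagRe = /<([a-z][a-z0-9]*)\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  let m;
  while ((m = tagRe.exec(rest)) !== null) {
    // Blank out attribute values so text such as title="style=x" is not misread as an attribute.
    const bare = m[2].replace(/"[^"]*"|'[^']*'/g, '""');
    for (const a of bare.matchAll(/(?:^|\s)(on[a-z]+|style)\s*=/gi)) {
      const attr = a[1].toLowerCase();
      findings.push(attr === 'style'
        ? { kind: 'style-attribute', element: m[1], moveTo: 'devel_krumo.css' }
        : { kind: 'event-handler', element: m[1], attr, moveTo: 'devel_krumo.js' });
    }
  }
  return findings;
}

// Constructed sample: markup carrying all four constructs named in the issue.
const BEFORE =
  '<style>.krumo-root{margin:0}</style><script>var krumo={};</script>' +
  '<div class="krumo-element" onClick="krumo.toggle(this);" ' +
  'onMouseOver="krumo.over(this);" onMouseOut="krumo.out(this);" ' +
  'style="cursor:pointer">$node</div>';

// Constructed sample: the same element once behaviour and styling live in external files.
const AFTER = '<div class="krumo-element" title="style=none">$node</div>';

for (const f of auditInlineConstructs(BEFORE)) {
  console.log(`${f.kind}${f.attr ? ' (' + f.attr + ')' : ''} -> ${f.moveTo}`);
}
console.log('inline constructs remaining after migration:', auditInlineConstructs(AFTER).length);
```

An empty result means the markup contains none of the four constructs, so a filter that strips them has nothing to remove from it.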