Opened 3 years ago

Closed 3 years ago

#11782 closed defect (bug) (fixed)

improperly sanitized attributes in ms-options.php and ms-sites.php

Reported by: Denis-de-Bernardy
Owned by: ryan
Priority: normal
Milestone: 3.0
Component: Security
Version: 3.0
Severity: normal
Keywords: multisite
Cc:

Description

We've things such as:

<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="<?php echo $blogname; ?>" />

they ought to use esc_attr()

Change History (6)

  • Keywords multisite added
  • Summary changed from improperly escaped attributes in ms-options.php to improperly sanitized attributes in ms-options.php

and textarea fields ought to use esc_html()

  • Summary changed from improperly sanitized attributes in ms-options.php to improperly sanitized attributes in ms-options.php and ms-sites.php

there are plenty more in ms-sites.php

comment:4   ryan 3 years ago

(In [12617]) Add esc_attr to ms-sites.php. see #11782

comment:5   ryan 3 years ago

(In [12619]) Add esc_attr to ms-options.php. see #11782

  • Resolution set to fixed
  • Status changed from new to closed

Appears handled.
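
The difference this ticket is about, as an added example that is not part of the ticket or of WordPress core: the same hidden field rendered raw and through esc_attr(), plus a textarea body through esc_html(). The stand-in esc_attr()/esc_html() definitions (used only when WordPress is not loaded), the sample values and the example_notes field name are assumptions.

```php
<?php
// Added illustration, not WordPress core code. Inside WordPress, esc_attr() and
// esc_html() already exist; these stand-ins approximate them with
// htmlspecialchars() so the file runs on its own.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// The pattern quoted in the ticket: the value lands in the attribute unescaped.
function hidden_field_raw($blogname) {
    return '<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="' . $blogname . '" />';
}

// Same field with the value passed through esc_attr().
function hidden_field_escaped($blogname) {
    return '<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="' . esc_attr($blogname) . '" />';
}

// Textarea body escaped with esc_html(); the field name is hypothetical.
function textarea_escaped($content) {
    return '<textarea name="example_notes">' . esc_html($content) . '</textarea>';
}

// Parse the markup with DOMDocument and list the attributes on the first <$tag>.
function parsed_attributes($html, $tag) {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $attrs = array();
    foreach ($doc->getElementsByTagName($tag)->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed sample values containing the characters that matter.
$blogname = 'x" data-injected="1';
$notes    = 'note</textarea><b>outside</b>';

// Raw: the quote in the data closes value="" early, so the rest parses as markup.
print_r(parsed_attributes(hidden_field_raw($blogname), 'input'));
// Escaped: the whole string stays inside value and decodes back to the original.
print_r(parsed_attributes(hidden_field_escaped($blogname), 'input'));
// Escaped textarea: the closing tag in the data stays text inside the field.
echo textarea_escaped($notes), "\n";
```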
