﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
20476	Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent potential xss and potential broken code.	chellycat		"The following code is problematic and may lead to xss as well as broken code depending on when/how it is used:

{{{esc_attr( printf() )}}}

Take for example the following test:

{{{
function mfields_printf_test() {
	$test = '<h1 style=""font-size: 50px; font-weight: bold; color: red;"">TACO!</h1>';

	$good = esc_attr( sprintf( $test ) );
	var_dump( $good );

	$bad = esc_attr( printf( $test ) );
	var_dump( $bad );
}
add_action( 'get_header', 'mfields_printf_test' );
}}}

This will produce the following output:

https://img.skitch.com/20120310-cjfm9aiqmym87f5we647k9equh.png

Notice how the string in {{{$good}}} is correctly escaped while the string in {{{$bad}}} has been ""converted"" to a numeric string with the value of ""70"". This is because {{{printf()}}} is intended to echo a value to the screen. It does have a return value, which represents the length of the outputted string. Since {{{$test}}} is 70 chars long, this value is 70.

Also notice how the string ""TACO!"" is echoed to the screen in large, red text. This proves that {{{esc_attr()}}} is bypassed by {{{printf()}}}, allowing unescaped data to be echoed to the screen."	defect (bug)	closed	normal		Bundled Theme	3.3	normal	invalid		mfields
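The pattern the ticket describes, worked through with an attribute-breakout payload instead of a styled heading. This is an added example, not code from the ticket, the reporter, or the Twenty Eleven theme. esc_attr() is a WordPress core function and is stubbed here with htmlspecialchars() so the file runs outside WordPress; the format string 'Permalink to %s', the helper names and the title value are constructed for illustration.

```php
<?php
// Added example, not from ticket #20476 or the Twenty Eleven theme.
// Demonstrates why esc_attr( printf( ... ) ) escapes nothing: printf()
// writes its output immediately and returns only the byte count, so
// esc_attr() never sees the string.

// esc_attr() is a WordPress core function; stubbed here (assumption) so
// the file runs outside WordPress. For this purpose the stub does the same
// job: encode the characters that can terminate an HTML attribute.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Broken pattern from the ticket, as it would sit in a template. The
// integer printf() returns is passed to esc_attr() and then discarded;
// the raw title has already been written to the output buffer.
function broken_title_attribute( $title ) {
	ob_start();
	esc_attr( printf( 'Permalink to %s', $title ) );
	return ob_get_clean();
}

// Fixed pattern: build the string with sprintf(), escape the result,
// then echo it. Keep the format string fixed; only the argument is
// untrusted.
function fixed_title_attribute( $title ) {
	return esc_attr( sprintf( 'Permalink to %s', $title ) );
}

// Constructed attacker-controlled post title: closes the title attribute
// and injects an event handler.
$title = 'Hello" onmouseover="alert(1)';

// What reaches the browser in each case.
echo '<a title="' . broken_title_attribute( $title ) . '">broken</a>' . PHP_EOL;
echo '<a title="' . fixed_title_attribute( $title ) . '">fixed</a>' . PHP_EOL;
```

Run it with `php example.php`. The first anchor carries the raw title, so the double quote inside it closes the title attribute and `onmouseover` becomes a live handler; the second carries the same title with its quotes encoded as `&quot;`. In the ticket's test the integer printf() returns (70) is what esc_attr() actually receives; in a template that return value is normally discarded, which is why the bug produces no visible error.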
