Ticket #3937 (closed defect (bug): fixed)
All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | highest omg bbq | Milestone: | 2.0.10 |
| Component: | Security | Version: | 2.2 |
| Severity: | critical | Keywords: | security |
| Cc: | | | |
Description
The `add_query_arg()` and `remove_query_arg()` functions do not generate XSS-proof URLs by default (because their output can also be used to redirect to the resultant URL). But all browser-bound outputs of these functions must be sanitized before being echoed. `attribute_escape()` is the function that escapes content used in attributes (and URLs are almost always used in attributes, like `<a href="<?php echo attribute_escape(add_query_arg('foo', 'value', $initial_url)); ?>">link</a>`).
XSS exploits have been tied to this vulnerability:
Triple milestone here:
- trunk
- 2.0.x
- 2.1.x
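As an added example (not code from the ticket or from WordPress core), the unescaped pattern the ticket fixes beside the `attribute_escape()` wrapping it prescribes. The `add_query_arg()`/`attribute_escape()` stand-ins are simplified assumptions so the file runs outside WordPress, and the request URI is constructed:

```php
<?php
// Added example: why the raw output of add_query_arg() must not be echoed
// into an attribute, and the attribute_escape() wrapping the ticket requires.
//
// Simplified stand-ins (assumptions, not WordPress core) so this runs outside
// WordPress. When WordPress is loaded, its own definitions are used instead.
if ( ! function_exists( 'add_query_arg' ) ) {
    function add_query_arg( $key, $value, $url = null ) {
        // Like WordPress, default to the current request URI when no URL is
        // given: that is the untrusted input which reaches the output.
        if ( null === $url ) {
            $url = $_SERVER['REQUEST_URI'];
        }
        $sep = ( false === strpos( $url, '?' ) ) ? '?' : '&';
        return $url . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}
if ( ! function_exists( 'attribute_escape' ) ) {
    function attribute_escape( $text ) {
        // Encode the characters that matter in attribute context: & < > " '
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed request URI: the visitor-controlled search term contains a
// double quote, which would terminate an unescaped href="..." attribute.
$_SERVER['REQUEST_URI'] = '/wp-admin/edit.php?s=a"b';

$url = add_query_arg( 'paged', '2' );

// Vulnerable (the pattern this ticket fixes): the quote leaves the attribute.
$vulnerable = '<a href="' . $url . '">next</a>';

// Fixed: escape for attribute context at the moment of output.
$fixed = '<a href="' . attribute_escape( $url ) . '">next</a>';

// Reviewer check: a well-formed link carries exactly two raw double quotes,
// the pair delimiting href="...". Any quote from the URL must be &quot;.
function attribute_value_is_intact( $html ) {
    return 2 === substr_count( $html, '"' );
}

echo $vulnerable, "\n";
echo $fixed, "\n";
var_dump( attribute_value_is_intact( $vulnerable ) );
var_dump( attribute_value_is_intact( $fixed ) );
```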
Attachments
Change History
markjaquith — 5 years ago
- attachment add_query_arg_output_sanitization.001.diff added
comment:1
markjaquith — 5 years ago
- Status changed from new to closed
- Resolution set to fixed

Attachment description (add_query_arg_output_sanitization.001.diff): Patch for entire /wordpress/ family