Changeset 43301

Timestamp:

05/21/2018 12:39:54 PM (8 years ago)

Author:

SergeyBiryukov

Message:

Comments: Escape permalink values on edit screen to prevent XSS.

There doesn't appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it's better to be safe than sorry.

Props 1naveengiri, joyously.
Merges [43290] to the 4.9 branch.
Fixes #44115.

Location:

branches/4.9

Files:

• . (modified) (1 prop)
• src/wp-admin/edit-form-comment.php (modified) (1 diff)

branches/4.9/src/wp-admin/edit-form-comment.php

@@ -30 +30 @@
     <div id="comment-link-box">
         <strong><?php _ex( 'Permalink:', 'comment' ); ?></strong>
-        <span id="sample-permalink"><a href="<?php echo $comment_link; ?>"><?php echo $comment_link; ?></a></span>
+        <span id="sample-permalink">
+            <a href="<?php echo esc_url( $comment_link ); ?>">
+                <?php echo esc_html( $comment_link ); ?>
+            </a>
+        </span>
     </div>
 </div>