Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#11128 closed enhancement (fixed)

QuickPress XSS fix

Reported by: Simek Owned by: ryan
Milestone: 2.9 Priority: normal
Severity: minor Version: 2.9
Component: Security Keywords: has-patch tested
Focuses: Cc:


QuickPress XSS fix for dashboard widget.

Attachments (1)

quickpress.title.XSS.fix.patch (889 bytes) - added by Simek 9 years ago.

Download all attachments as: .zip

Change History (3)

#1 @ryan
9 years ago

That's pulling a title from the DB that should already be sanitized. We should go ahead escape it anyway, but this doesn't seem to be very dangerous.

#2 @azaozz
9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12235]) Escape $title in dashboard Recent Drafts to reveal HTML tags, props Simek, fixes #11128

Note: See TracTickets for help on using tickets.