Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#11128 closed enhancement (fixed)

QuickPress XSS fix

Reported by: Simek Owned by: ryan
Milestone: 2.9 Priority: normal
Severity: minor Version: 2.9
Component: Security Keywords: has-patch tested
Focuses: Cc:


QuickPress XSS fix for dashboard widget.

Attachments (1)

quickpress.title.XSS.fix.patch (889 bytes) - added by Simek 8 years ago.

Download all attachments as: .zip

Change History (3)

#1 @ryan
8 years ago

That's pulling a title from the DB that should already be sanitized. We should go ahead escape it anyway, but this doesn't seem to be very dangerous.

#2 @azaozz
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12235]) Escape $title in dashboard Recent Drafts to reveal HTML tags, props Simek, fixes #11128

Note: See TracTickets for help on using tickets.