
Opened 4 years ago

Closed 4 years ago

#11128 closed enhancement (fixed)

QuickPress XSS fix

Reported by: Simek
Owned by: ryan
Milestone: 2.9
Priority: normal
Severity: minor
Version: 2.9
Component: Security
Keywords: has-patch tested
Focuses:
Cc:

Description

QuickPress XSS fix for dashboard widget.

Attachments (1)

quickpress.title.XSS.fix.patch (889 bytes) - added by Simek 4 years ago.


Change History (3)

comment:1 ryan 4 years ago

That's pulling a title from the DB that should already be sanitized. We should go ahead and escape it anyway, but this doesn't seem to be very dangerous.

comment:2 azaozz 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12235]) Escape $title in dashboard Recent Drafts to reveal HTML tags, props Simek, fixes #11128
