Opened 4 years ago

Closed 4 years ago

#11778 closed defect (bug) (fixed)

ms-edit.php updates options without the slightest sanitization or unslashing

Reported by: Denis-de-Bernardy
Owned by:
Milestone: 3.0
Priority: normal
Severity: major
Version: 3.0
Component: Multisite
Keywords:
Focuses:
Cc:

Description

We're at least missing a call to strip_slashes_deep() over in:

			foreach ( (array) $_POST['option'] as $key => $val ) {
				if( $key === 0 )
					continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options
				if( $c == $count ) {
					update_option( $key, $val );
				} else {
					update_option( $key, $val, false ); // no need to refresh blog details yet
				}
				$c++;
			}

Change History (1)

comment:1 wpmuguru 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [13115]) strip slashes, block arrays in ms-edit.php, fixes #11778
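
Added example, not part of the ticket and not the code from [13115]: a stand-alone PHP version of the loop from the description with the two measures named in the commit message, stripping slashes and blocking arrays. `save_option()`, `$saved`, `save_posted_options()` and the sample `$posted` data are hypothetical stand-ins so the script runs outside WordPress; in core the write would go through `update_option()`.

```php
<?php
// Stand-ins (assumptions): $saved plays the options table and
// save_option() plays update_option(), so this runs without WordPress.
$saved = array();
function save_option( $key, $val ) {
	global $saved;
	$saved[ $key ] = $val;
}

// Constructed sample of $_POST['option'] as the handler sees it:
// WordPress adds slashes to request data, and a hand-built form can
// submit an array where a scalar value is expected.
$posted = array(
	0          => 'ignored',
	'blogname' => 'Denis\\\'s \\"test\\" blog',        // Denis\'s \"test\" blog
	'siteurl'  => array( 'unexpected' => 'array' ),
);

// Hypothetical hardened loop: returns the keys it refused to store.
function save_posted_options( array $posted ) {
	$skipped = array();
	foreach ( $posted as $key => $val ) {
		if ( $key === 0 ) {
			continue; // same guard as the loop in the ticket
		}
		if ( is_array( $val ) ) {
			$skipped[] = $key; // block arrays: never store them as an option value
			continue;
		}
		// Strip the added slashes so the stored value matches what was typed.
		save_option( $key, stripslashes( $val ) );
	}
	return $skipped;
}

$skipped = save_posted_options( $posted );
var_dump( $saved );   // stored options after unslashing
var_dump( $skipped ); // option keys rejected because the value was an array
```

Without the `stripslashes()` call the backslashes are written to storage as part of the value, and without the `is_array()` check the array would be saved as the option value.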
