WordPress.org

Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 3 years ago

#11782 closed defect (bug) (fixed)

improperly sanitized attributes in ms-options.php and ms-sites.php

Reported by: Denis-de-Bernardy
Owned by: ryan
Milestone: 3.0
Priority: normal
Severity: normal
Version: 3.0
Component: Security
Keywords:
Focuses: multisite
Cc:

Description

We've things such as:

<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="<?php echo $blogname; ?>" />

They ought to use esc_attr().

Change History (7)

#1 @nacin
12 years ago

  • Keywords multisite added

#2 @Denis-de-Bernardy
12 years ago

  • Summary changed from improperly escaped attributes in ms-options.php to improperly sanitized attributes in ms-options.php

And textarea fields ought to use esc_html().
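
The pattern reported in the description and the escaping suggested for it, as an added example that is not part of the ticket or of WordPress core. `demo_escape()`, `parsed_value()`, the sample site name and the textarea field name are assumptions made so the script runs without WordPress; it needs PHP's DOM extension.

```php
<?php
// Added illustration, not WordPress core code.
// demo_escape() is a hypothetical stand-in for esc_attr()/esc_html() so the
// script runs without WordPress. Assumption: like those functions, it encodes
// & < > " and ' as HTML entities.
function demo_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Parse a fragment with PHP's DOM extension and return what survives:
// the value attribute of an <input>, or the text inside a <textarea>.
function parsed_value(string $html, string $tag): string
{
    libxml_use_internal_errors(true); // the unescaped markup is malformed
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $node = $doc->getElementsByTagName($tag)->item(0);
    return $tag === 'textarea' ? $node->textContent : $node->getAttribute('value');
}

// Constructed sample: a site name containing quotes, angle brackets and &.
$blogname = 'Denis\'s "Test" <Blog> & Co';

$attrs = 'name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig"';
$cases = [
    // Pattern from the ticket: the value is echoed straight into the attribute.
    'input, unescaped' => ['input', '<input ' . $attrs . ' value="' . $blogname . '" />'],
    // Same field with the value escaped for an attribute context.
    'input, escaped' => ['input', '<input ' . $attrs . ' value="' . demo_escape($blogname) . '" />'],
    // Textarea body escaped for element content (field name is hypothetical).
    'textarea, escaped' => ['textarea', '<textarea name="example_field">' . demo_escape($blogname) . '</textarea>'],
];

// Print each fragment, what the parser recovered, and whether it matches the input.
foreach ($cases as $label => [$tag, $html]) {
    $seen = parsed_value($html, $tag);
    printf("%-18s %s\n  parsed back as: %s\n  round-trips:    %s\n",
        $label, $html, $seen, $seen === $blogname ? 'yes' : 'no');
}
```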

#3 @Denis-de-Bernardy
12 years ago

  • Summary changed from improperly sanitized attributes in ms-options.php to improperly sanitized attributes in ms-options.php and ms-sites.php

There are plenty more in ms-sites.php.

#4 @ryan
12 years ago

(In [12617]) Add esc_attr to ms-sites.php. see #11782

#5 @ryan
12 years ago

(In [12619]) Add esc_attr to ms-options.php. see #11782

#6 @nacin
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Appears handled.

This ticket was mentioned in Slack in #core-editor by websupporter.


3 years ago
