#11782 closed defect (bug) (fixed)
improperly sanitized attributes in ms-options.php and ms-sites.php
Reported by: | Denis-de-Bernardy | Owned by: | ryan |
---|---|---|---|
Milestone: | 3.0 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Security | Keywords: | |
Focuses: | multisite | Cc: | |
Description
We've things such as:

```php
<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="<?php echo $blogname; ?>" />
```

They ought to use esc_attr().
Change History (7)
#2
15 years ago
- Summary changed from improperly escaped attributes in ms-options.php to improperly sanitized attributes in ms-options.php
#3
15 years ago
- Summary changed from improperly sanitized attributes in ms-options.php to improperly sanitized attributes in ms-options.php and ms-sites.php
there are plenty more in ms-sites.php
This ticket was mentioned in Slack in #core-editor by websupporter.
6 years ago
and textarea fields ought to use esc_html()
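
The change the ticket asks for, applied to the quoted hidden field and to a textarea, as an added example (not code from the ticket or from WordPress core). The `esc_attr()`/`esc_html()` stand-ins, the `example_notes` field name and the sample values are assumptions made so the script also runs outside WordPress; it needs PHP's DOM extension.

```php
<?php
// Simplified stand-ins, used only when WordPress is not loaded (assumption:
// the real functions additionally check UTF-8 validity and apply filters).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// "Before": the pattern quoted in the ticket, value written out raw.
function hidden_field_raw( $blogname ) {
    return '<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="' . $blogname . '" />';
}

// "After": the same field with the value passed through esc_attr().
function hidden_field_escaped( $blogname ) {
    return '<input name="dashboard_blog_orig" type="hidden" id="dashboard_blog_orig" value="' . esc_attr( $blogname ) . '" />';
}

// Textarea body passed through esc_html(); the field name is hypothetical.
function textarea_escaped( $value ) {
    return '<textarea name="example_notes">' . esc_html( $value ) . '</textarea>';
}

// Parse the markup with PHP's DOM parser and return the value the field holds.
function parsed_field_value( $html, $tag ) {
    libxml_use_internal_errors( true ); // malformed markup is expected for the raw case
    $doc = new DOMDocument();
    $doc->loadHTML( '<html><body><form>' . $html . '</form></body></html>' );
    $node = $doc->getElementsByTagName( $tag )->item( 0 );
    return 'input' === $tag ? $node->getAttribute( 'value' ) : $node->textContent;
}

// Constructed sample values containing characters that are special in HTML.
$blogname = 'Denis "test" blog <beta>';
$notes    = "First line\n</textarea><b>outside</b>";

echo 'raw attribute round-trips:     ';
var_dump( parsed_field_value( hidden_field_raw( $blogname ), 'input' ) === $blogname );
echo 'esc_attr attribute round-trips: ';
var_dump( parsed_field_value( hidden_field_escaped( $blogname ), 'input' ) === $blogname );
echo 'esc_html textarea round-trips:  ';
var_dump( parsed_field_value( textarea_escaped( $notes ), 'textarea' ) === $notes );
```

A value round-trips only when the parser reads back exactly the string that was stored, which is the property the escaping is there to guarantee.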