Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#11811 closed defect (bug) (fixed)

insufficient sanitization in get_body_class()

Reported by: Denis-de-Bernardy Owned by:
Milestone: 3.0 Priority: normal
Severity: normal Version: 3.0
Component: Validation Keywords:
Focuses: Cc:


following up on #11439, the template file could be something like foo.bar.php, which is an invalid css class.

likewise, the $class argument could potentially contain unsanitized class names.

we should change sanitize_html_class so as to make its second argument default to an empty string, and array map the resulting mess accordingly.

the same might apply for get_post_class()

(lastly, and slightly off topic, there is a preg_split() call with a \s class in it. at some point, we'll need to make this stuff work with utf8 chars, which would require the /u delimiter.)

Change History (2)

#1 @willmot
8 years ago

#11722 is related to the first part of this ticked and has a patch.

#2 @Denis-de-Bernardy
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.