Opened 15 years ago
Closed 15 years ago
#12781 closed defect (bug) (fixed)
Minor XSS issue in Twenty Ten theme
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.0 | Priority: | high |
| Severity: | major | Version: | 3.0 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
This is in Twenty Ten's search.php:

<h1 class="page-title"><?php printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . get_search_query() . '</span>' ); ?></h1>

get_search_query() does not feature any sanitization, so the search string is displayed raw.
To show the vulnerability, write a post with the following content and publish it:
<a href="http://wordpress.org/">This is a link</a>
Now enter that same string into the search box. The post will show up in the results as expected, but you'll get "Search Results for: This is a link" (which is clickable) instead of the actual search string.
Luckily Twenty Ten shows "Nothing Found" if there are no results, so this requires the string to be located in a post.
Still needs to be fixed though. See attached patch.
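The following stand-alone script, added here as an illustration and not code from the Twenty Ten theme, WordPress core or the attached patch, reproduces the pattern in the ticket outside WordPress: a hypothetical stand-in for get_search_query() returns the raw "s" parameter, the vulnerable template line interpolates it into the page title unchanged, and the hardened variant escapes it first. The escaping call, htmlspecialchars(), is the PHP primitive that WordPress' esc_html()/esc_attr() wrap; inside a theme you would use those helpers.

```php
<?php
// Added example, not Twenty Ten or WordPress core code.
//
// Hypothetical stand-in for get_search_query(): WordPress reads the "s"
// query var; here it reads from an array passed in so the script runs
// stand-alone. It returns the string raw, exactly as the ticket describes.
function raw_search_query(array $request): string
{
    return isset($request['s']) ? (string) $request['s'] : '';
}

// Vulnerable rendering, mirroring the search.php line from the ticket:
// the search string is concatenated into HTML with no escaping.
function render_title_vulnerable(array $request): string
{
    return sprintf(
        '<h1 class="page-title">Search Results for: <span>%s</span></h1>',
        raw_search_query($request)
    );
}

// Hardened rendering: escape the query before it lands in HTML text
// context. ENT_QUOTES also encodes both quote characters, so the same
// function is safe if the value is later reused inside an attribute.
function render_title_escaped(array $request): string
{
    $q = htmlspecialchars(raw_search_query($request), ENT_QUOTES, 'UTF-8');
    return sprintf(
        '<h1 class="page-title">Search Results for: <span>%s</span></h1>',
        $q
    );
}

// Constructed input: the string the ticket tells you to publish in a post
// and then type into the search box.
$request = ['s' => '<a href="http://wordpress.org/">This is a link</a>'];

// In the first output the anchor is emitted as live markup, so the
// heading becomes a clickable link; in the second the angle brackets and
// quotes are entity-encoded and the browser shows the literal text.
echo render_title_vulnerable($request), PHP_EOL;
echo render_title_escaped($request), PHP_EOL;
```

The escaping belongs at the output site regardless of the "Nothing Found" behaviour noted above: that only changes which search strings reach the template, not what the template does with them once a post matches.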
Attachments (1)

Replace get_search_query() call with source of the_search_query() function

Change History (3)