Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#12781 closed defect (bug) (fixed)

Minor XSS issue in Twenty Ten theme

Reported by: Viper007Bond Owned by: ryan
Milestone: 3.0 Priority: high
Severity: major Version: 3.0
Component: Security Keywords:
Focuses: Cc:


This is in Twenty Ten's search.php:

<h1 class="page-title"><?php printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . get_search_query() . '</span>' ); ?></h1>

get_search_query() does not feature any sanitization, so the search string is displayed raw.

To show the vulnerability, write a post with the following content and publish it:

<a href="http://wordpress.org/">This is a link</a>

Now enter that same string into the search box. The post will show up in the results as expected, but you'll get Search Results for: This is a link (which is clickable) instead of the actual search string.

Luckily Twenty Ten shows "Nothing Found" if there's no results, so this requires the string to be located in a post.

Still needs to be fixed though. See attached patch.

Attachments (1)

12781.patch (785 bytes) - added by Viper007Bond 8 years ago.
Replace get_search_query() call with source of the_search_query() function

Download all attachments as: .zip

Change History (3)

8 years ago

Replace get_search_query() call with source of the_search_query() function

#2 @nacin
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

get_search_query() now escapes. #12780

Note: See TracTickets for help on using tickets.