Opened 14 years ago
Closed 7 years ago
#13377 closed defect (bug) (fixed)
Add more sanitization in _cleanup_header_comment
Reported by: | seanklein | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.8.2 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
The _cleanup_header_comment function is used in multiple places, but one in particular can cause some problems on the Page edit screen (or any screen that uses page templates). The get_page_templates function (which gets the list of page templates to display in a <select> box on the page edit screen) uses to cleanup the page templates retrieved from a file.
Unfortunately the function does not sanitize enough, and if (for instance) JavaScript existed in the page template name it would be run on the Page Edit screen.
To test, add some JavaScript (with <script> tags) to the "Template Name:" line of a page template, and load the Page edit screen.
Attachments (2)
Change History (24)
#4
@
8 years ago
- Keywords dev-feedback added; needs-refresh removed
Patch refreshed but I am not sure if there are other part that require this sanitization because it is very old that ticket.
This ticket was mentioned in Slack in #core by mte90. View the logs.
7 years ago
#6
@
7 years ago
- Milestone changed from Future Release to 4.8.2
- Owner set to johnbillion
- Status changed from assigned to reviewing
It appears to be used in
get_file_data()
(which is sanitized properly where used),get_file_description()
andget_page_templates()
.The attached patch sanitizes uses of the latter two with
esc_html()
, apart fromget_page_templates()
inwp_getPageTemplates()
. Not really sure what to do with that.It also standardises
trim()
usage onget_file_description($file)
and makes the$filedesc
logic actually understandable.