Make WordPress Core

Opened 7 years ago

Last modified 7 months ago

#13377 assigned defect (bug)

Add more sanitization in _cleanup_header_comment

Reported by: seanklein Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 3.0
Component: Security Keywords: has-patch dev-feedback
Focuses: Cc:


The _cleanup_header_comment function is used in multiple places, but one in particular can cause some problems on the Page edit screen (or any screen that uses page templates). The get_page_templates function (which gets the list of page templates to display in a <select> box on the page edit screen) uses to cleanup the page templates retrieved from a file.

Unfortunately the function does not sanitize enough, and if (for instance) JavaScript existed in the page template name it would be run on the Page Edit screen.

To test, add some JavaScript (with <script> tags) to the "Template Name:" line of a page template, and load the Page edit screen.

Attachments (2)

13377.diff (3.0 KB) - added by kawauso 7 years ago.
13377.patch (1.8 KB) - added by Mte90 7 months ago.
patch refreshed

Download all attachments as: .zip

Change History (6)

7 years ago

#1 @kawauso
7 years ago

  • Keywords has-patch added

It appears to be used in get_file_data() (which is sanitized properly where used), get_file_description() and get_page_templates().

The attached patch sanitizes uses of the latter two with esc_html(), apart from in wp_getPageTemplates(). Not really sure what to do with that.

Version 0, edited 7 years ago by kawauso (next)

#2 @ryan
3 years ago

  • Owner ryan deleted
  • Status changed from new to assigned

#3 @chriscct7
22 months ago

  • Keywords needs-refresh added

7 months ago

patch refreshed

#4 @Mte90
7 months ago

  • Keywords dev-feedback added; needs-refresh removed

Patch refreshed but I am not sure if there are other part that require this sanitization because it is very old that ticket.

Note: See TracTickets for help on using tickets.