Unescaped user input in image preview
Reported by: tollmanz | Owned by: (unassigned)
On line 36 of wp-admin/includes/post-formats.php as of r24227, user-inputted data is printed to the screen without being escaped. The data is the fourth fallback for the image data.
To recreate the issue:
- Go to Posts > Add New.
- Click the Image post format icon.
- Click "use an image URL or HTML".
- Enter <img src="http://placehold.it/200x200 />, being sure to omit the last ".
- Enter a title.
- Save the post.
- Things are messed up.
The problem is that on line 36 of wp-admin/includes/post-formats.php a value is printed directly to the screen without being escaped. I am not sure how this should be fixed as not all mangled HTML can be repaired; however, I do not think that unescaped user input should be printed to the screen like this. My example is annoying, but harmless. This seems like something that is exploitable.
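An added illustration of the defect the ticket describes, written for this page and not taken from post-formats.php or any WordPress release: a hypothetical preview routine picks the image value from a chain of fallbacks and prints the winner into an HTML attribute, first unescaped and then escaped. The field name, the helper names and the sample input are constructed for the example.

```php
<?php
// Added illustration, not the WordPress code from post-formats.php.
// A hypothetical preview routine chooses an image value from several
// fallbacks (the last one being raw user input) and prints it into markup.

// Constructed sample input, matching the ticket's reproduction step:
// an <img> tag whose src attribute quote is never closed.
$user_html = '<img src="http://placehold.it/200x200 />';

function pick_image_source(array $fallbacks) {
    // Return the first non-empty candidate; the fourth is the user's text.
    foreach ($fallbacks as $candidate) {
        if ($candidate !== null && $candidate !== '') {
            return $candidate;
        }
    }
    return '';
}

// Vulnerable pattern: the chosen value is interpolated into an attribute
// unescaped, so the stray " in the input closes the attribute early and
// the rest of the input becomes live markup.
function preview_unsafe($value) {
    return '<input type="hidden" name="_format_image" value="' . $value . '" />';
}

// Hardened pattern: escape for the HTML attribute context before output.
// Plain PHP's htmlspecialchars() with ENT_QUOTES is used here so the
// snippet runs stand-alone; inside WordPress the equivalent helper is
// esc_attr() (and esc_url() when the value is known to be a URL).
function preview_safe($value) {
    return '<input type="hidden" name="_format_image" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

$chosen = pick_image_source(['', null, '', $user_html]);

// Unescaped: the output now contains a second, attacker-shaped tag.
echo preview_unsafe($chosen), "\n";

// Escaped: the whole input stays inside one attribute value
// (<, > and " become &lt;, &gt; and &quot;), so the surrounding
// markup is unaffected no matter how mangled the input is.
echo preview_safe($chosen), "\n";
```

Run the file with php and compare the two lines: the first breaks out of the attribute, the second does not, which is the whole fix the ticket asks for regardless of whether the user's HTML could be repaired.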
Change History (27)
- Milestone changed from Awaiting Review to 3.6
- Version set to trunk
- Keywords has-patch added