Unescaped user input in image preview
|Reported by:||tollmanz||Owned by:|
On line 36 of wp-admin/includes/post-formats.php as of r24227, user inputted data is printed to the screen without being escaped. The data is the fourth fallback for the image data.
To recreate the issue:
- Go to Posts > Add New.
- Click the Image post format icon.
- Click "use an image URL or HTML".
- Enter <img src="http://placehold.it/200x200 />, being sure to omit the last ".
- Enter a title.
- Save the post.
- Things are messed up.
The problem is that on line 36 of wp-admin/includes/post-formats.php a value is printed directly to the screen without being escaped. I am not sure how this should be fixed as not all mangled HTML can be repaired; however, I do not think that unescaped user input should be printed to the screen like this. My example is annoying, but harmless. This seems like something that is exploitable.
Change History (27)
comment:1 @SergeyBiryukov — 2 years ago
- Milestone changed from Awaiting Review to 3.6
- Version set to trunk
comment:6 @SergeyBiryukov — 2 years ago
- Keywords has-patch added