Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#24775 closed task (blessed) (fixed)

Revisions: Make sure our templating is properly escaped

Reported by: markjaquith Owned by: markjaquith
Milestone: 3.6 Priority: normal
Severity: normal Version: 3.6
Component: Security Keywords:
Focuses: Cc:

Description

Needs a review to make sure we're using the escaped versions of our JS templating where appropriate.

Attachments (2)

24775.diff (2.2 KB) - added by markjaquith 11 years ago.
24775.2.diff (2.5 KB) - added by markjaquith 11 years ago.
Grab another one.


Change History (8)

@markjaquith
11 years ago

#1 @markjaquith
11 years ago

First pass.

@markjaquith
11 years ago

Grab another one.

#2 follow-up: @nacin
11 years ago

I think {{{ to {{ for restoreUrl requires us to undo & => &amp; that is done by wp_nonce_url()? I can't tell if it just accidentally works, or if {{ deliberately doesn't re-escape &

#3 @markjaquith
11 years ago

  • Owner set to markjaquith
  • Resolution set to fixed
  • Status changed from new to closed

In 24729:

Revisions: use escaped templating for some of the tags.

Fixes #24775.

#4 follow-up: @nacin
11 years ago

(Per IRC, ignoring the nonce URL aspect for now.)

#5 in reply to: ↑ 2 @rmccue
11 years ago

Replying to nacin:

I think {{{ to {{ for restoreUrl requires us to undo & => &amp; that is done by wp_nonce_url()? I can't tell if it just accidentally works, or if {{ deliberately doesn't re-escape &

Looks like {{ should reescape everything, based on the source.
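Added illustration (not code from the ticket, the attached diffs, or WordPress core): a minimal stand-in for the interpolation half of wp.template(), where `{{{ data.x }}}` inserts a value raw and `{{ data.x }}` passes it through an `_.escape()`-style escaper. It shows why the description asks for the escaped form (a revision title containing markup is neutralized only by `{{ }}`) and the double-encoding problem the two comments above discuss: a URL that has already been through wp_nonce_url(), which esc_html()s it so its `&` are already `&amp;`, comes out of `{{ }}` as `&amp;amp;`. The renderer, the sample title, the sample URL and the `undoNonceUrlEscaping()` helper are all constructed for this example; the helper is one hypothetical way to feed such a URL to an escaped tag and is not what changeset 24761 did.

```javascript
// Constructed example, not WordPress code. `render()` mimics only the two
// interpolation delimiters wp.template() uses; evaluation blocks (<# #>)
// and the rest of Underscore's template engine are deliberately omitted.

// Same six characters _.escape() replaces. An existing "&amp;" is treated as
// a literal "&" plus text, so it becomes "&amp;amp;" (the ticket's concern).
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Triple braces are matched first; otherwise the double-brace pattern would
// match the inner "{{ data.x }}" of a "{{{ data.x }}}" tag and leave stray braces.
function render(template, data) {
  return template
    .replace(/\{\{\{\s*data\.(\w+)\s*\}\}\}/g, (_, key) => String(data[key]))
    .replace(/\{\{\s*data\.(\w+)\s*\}\}/g, (_, key) => escapeHtml(data[key]));
}

// Constructed revision title that a user could have typed into the editor.
const HOSTILE_TITLE = 'My <script>bad()</script> title';

// Constructed value shaped like wp_nonce_url() output: esc_html() has already
// turned every "&" into "&amp;". The nonce itself is a placeholder.
const NONCE_URL = 'revision.php?revision=5&amp;action=restore&amp;_wpnonce=NONCE_PLACEHOLDER';

// Raw interpolation: the markup in the title reaches the DOM untouched.
function renderRawTitle() {
  return render('<h3>{{{ data.title }}}</h3>', { title: HOSTILE_TITLE });
}

// Escaped interpolation: the same title renders as inert text.
function renderEscapedTitle() {
  return render('<h3>{{ data.title }}</h3>', { title: HOSTILE_TITLE });
}

// Escaped interpolation of an already-entity-encoded URL double-encodes "&".
function renderEscapedNonceUrl() {
  return render('<a href="{{ data.restoreUrl }}">Restore</a>', { restoreUrl: NONCE_URL });
}

// Hypothetical helper: reverse esc_html()'s "&" encoding so that `{{ }}`
// re-escapes exactly once. Not the fix WordPress shipped; shown only to make
// the interaction between the two escaping layers concrete.
function undoNonceUrlEscaping(noncedUrl) {
  return noncedUrl.replace(/&amp;/g, '&');
}

function renderEscapedNonceUrlUndone() {
  return render('<a href="{{ data.restoreUrl }}">Restore</a>', {
    restoreUrl: undoNonceUrlEscaping(NONCE_URL),
  });
}

console.log(renderRawTitle());
console.log(renderEscapedTitle());
console.log(renderEscapedNonceUrl());
console.log(renderEscapedNonceUrlUndone());
```

The practical rule the example supports: values that come from users or the database belong in `{{ }}`, and any value that is already entity-encoded on the server side (such as the output of wp_nonce_url()) needs to be escaped by exactly one layer, either the template or the server, not both.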

#6 in reply to: ↑ 4 @ocean90
11 years ago

Replying to nacin:

(Per IRC, ignoring the nonce URL aspect for now.)

Was handled in https://core.trac.wordpress.org/changeset/24761#file4.
