Opened 12 years ago
Closed 12 years ago
#24784 closed defect (bug) (fixed)
Plain text content injection issue in feed error message
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | 3.6 |
Component: | Feeds | Keywords: | 3.7-early |
Focuses: | | Cc: | |
Description
WordPress 3.5.2 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example:
This message is emitted in wp-includes/functions.php in do_feed() at line 1009.
This issue was discovered by Glyn Wintle.
[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7.]
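The class of issue described above, as an added example that is not part of the original ticket and is not WordPress core code: HTML-escaping a reflected value stops markup but still lets the requester choose the words shown in the error. The function names, the message wording and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration; not WordPress core code. Function names and the
// message wording are assumptions made for this example.

// Pattern from the ticket: the requested feed name is HTML-escaped and
// then reflected inside the error text.
function feed_error_reflecting(string $feed): string {
    $escaped = htmlspecialchars($feed, ENT_QUOTES, 'UTF-8');
    return sprintf('ERROR: %s is not a valid feed template.', $escaped);
}

// Option 1: a constant message that never contains request data.
function feed_error_static(): string {
    return 'ERROR: This is not a valid feed template.';
}

// Option 2: reflect the name only when it is a short slug-like token;
// anything else falls back to the constant message.
function feed_error_bounded(string $feed): string {
    if (preg_match('/\A[a-z0-9_-]{1,20}\z/', $feed) !== 1) {
        return feed_error_static();
    }
    return sprintf('ERROR: %s is not a valid feed template.', $feed);
}

// Constructed sample inputs (not taken from the ticket).
$samples = [
    'rss3',
    '<b>notice</b>',
    'Text chosen by the requester appears here and',
];

foreach ($samples as $feed) {
    printf("input      : %s\n", $feed);
    printf("reflecting : %s\n", feed_error_reflecting($feed));
    printf("bounded    : %s\n", feed_error_bounded($feed));
    printf("static     : %s\n\n", feed_error_static());
}
```

For the third input the reflecting variant produces a message with no markup but with a sentence authored by the requester, while the bounded and static variants return only the constant text.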
Change History (4)
#1
@
12 years ago
- Keywords needs-patch 3.7-early added
- Milestone changed from Awaiting Review to Future Release
- Summary changed from Plain text content injection vulnerability in feed error message to Plain text content injection isue in feed error message
these are all marked 3.7-early