Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#27710 closed defect (bug) (fixed)

Playlist titles must be escaped or sanitized in templates

Reported by: nacin
Owned by: nacin
Milestone: 3.9
Priority: high
Severity: major
Version: 3.9
Component: Media
Keywords: has-patch
Focuses:
Cc:

Description

[27868] escaped data.title in playlists. [27960] reverted it. However, it allows for XSS within the editor. Our rule, designed as defense-in-depth, is that even an admin with unfiltered HTML cannot cause admin-area XSS.

We would have to go between {{ and {{{ based on is_admin(), I guess. I don't love that, either. It also means HTML will be represented as HTML rather than rendered (not a big deal). I don't know the solution for this. We can figure it out during 3.9 RC.

Attachments (1)

27710.diff (1.2 KB) - added by wonderboymusic 10 years ago.


Change History (3)

#1 @wonderboymusic
10 years ago

  • Keywords has-patch added

Turns out, this was a problem for caption and description as well - let's just not call wptexturize() and the Underscore templates can escape them and we can all move on. Plus, the JSON represents data, not display state, anyways.

Last edited 10 years ago by wonderboymusic
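The two delimiter forms the ticket discusses, side by side, as an added example that is not WordPress's or the ticket's own code: a minimal stand-in for the interpolation rules wp.template() gives Underscore templates ({{ }} escapes, {{{ }}} inserts raw HTML), assuming those delimiter semantics, a constructed playlist title, and constructed wrapper markup.

```javascript
// Added example, not WordPress code: a minimal renderer for the two
// interpolation forms wp.template() gives Underscore templates:
//   {{{ expr }}}  insert raw HTML (unescaped)
//   {{ expr }}    insert with HTML escaping
// (<# #> evaluation blocks are omitted.)
const TAG_RE = /\{\{\{([\s\S]+?)\}\}\}|\{\{([^}]+?)\}\}(?!\})/g;
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve a dotted path such as "data.title" against the template context.
function lookup(context, path) {
  return path.trim().split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
}

function render(template, context) {
  return template.replace(TAG_RE, (_, rawExpr, escExpr) => {
    const value = lookup(context, rawExpr !== undefined ? rawExpr : escExpr);
    const text = value == null ? '' : String(value);
    return rawExpr !== undefined ? text : escapeHtml(text);
  });
}

// Constructed playlist item as it would arrive in the JSON handed to the
// template; the title is a test string, not a real WordPress fixture.
const PLAYLIST_ITEM = { title: 'Rock & Roll <script>alert(1)</script>' };

// Raw interpolation, the state [27960] restored: the title's markup is
// rendered into the editor page instead of being shown as text.
function renderUnescaped(item) {
  return render('<div>{{{ data.title }}}</div>', { data: item });
}

// Escaped interpolation, as committed in [28050]: markup becomes inert text.
function renderEscaped(item) {
  return render('<div>{{ data.title }}</div>', { data: item });
}

// Why the JSON must stay un-texturized (comment #1): a title already passed
// through something like wptexturize(), which turns straight quotes into
// numeric entities, gets double-encoded once the template escapes it.
function renderEscapedTexturized() {
  // Constructed imitation of wptexturize() output for: Track "One"
  return renderEscaped({ title: 'Track &#8220;One&#8221;' });
}
```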

#2 @nacin
10 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 28050:

Escape playlist data in templates.

props wonderboymusic.
fixes #27710.
