Opened 10 years ago
Closed 10 years ago
#27710 closed defect (bug) (fixed)
Playlist titles must be escaped or sanitized in templates
Reported by: | nacin | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.9 | Priority: | high |
Severity: | major | Version: | 3.9 |
Component: | Media | Keywords: | has-patch |
Focuses: | | Cc: |
Description
[27868] escaped data.title in playlists. [27960] reverted it. However, it allows for XSS within the editor. Our rule, designed as defense-in-depth, is that even an admin with unfiltered HTML cannot cause admin-area XSS.
We would have to go between {{ and {{{ based on is_admin(), I guess. I don't love that, either. It also means HTML will be represented as HTML rather than rendered (not a big deal). I don't know the solution for this. We can figure it out during 3.9 RC.
Attachments (1)
Change History (3)
Turns out, this was a problem for caption and description as well - let's just not call wptexturize() and the Underscore templates can escape them and we can all move on. Plus, the JSON represents data, not display state, anyways.
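The following is an added illustration, not code from this ticket or from WordPress core. It is a small stand-in for Underscore's template rendering limited to the two output tags the description refers to, `{{ data.title }}` (escaped) and `{{{ data.title }}}` (raw), using the tag delimiters wp.template() sets in wp-util.js, plus a toy stand-in for the one part of wptexturize() that matters here (straight double quotes turned into the `&#8220;`/`&#8221;` entities). It shows the three states the ticket walks through: raw interpolation lets markup in a title reach the DOM; escaping in the template neutralises it; but escaping data that was already texturized server-side double-encodes the entities, which is the display breakage that led to the revert, and shipping untexturized data with template-side escaping resolves both. The expression resolver is a dotted lookup on `data` rather than Underscore's compile-to-JavaScript, and the template markup, class name and title strings are constructed for the example.

```javascript
// Added example, not WordPress core code. A minimal stand-in for Underscore's
// _.template() restricted to the two output tags wp.template() configures in
// wp-util.js: "{{{ expr }}}" interpolates raw, "{{ expr }}" escapes. The
// "<# #>" evaluate tag is left out because it plays no part in the escaping
// question. Expressions are resolved as dotted lookups on `data` rather than
// compiled to JavaScript, so nothing here calls eval or new Function.

const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Same character set Underscore's _.escape() covers.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ESCAPE_MAP[c]);
}

// Raw tag first, then escaped tag; the escaped tag's lookahead keeps it from
// consuming the first two braces of a raw tag (delimiters as in wp-util.js).
const TAG = /\{\{\{([\s\S]+?)\}\}\}|\{\{([^\}]+?)\}\}(?!\})/g;

function lookup(expr, data) {
  const path = expr.trim().split('.');
  if (path[0] !== 'data') {
    throw new Error(`only "data.*" expressions are supported, got "${expr}"`);
  }
  const value = path.slice(1).reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
  return value == null ? '' : String(value); // Underscore prints null/undefined as ''
}

function render(template, data) {
  return template.replace(TAG, (match, rawExpr, escExpr) =>
    rawExpr !== undefined ? lookup(rawExpr, data) : escapeHtml(lookup(escExpr, data))
  );
}

// Toy stand-in for the one part of wptexturize() that matters here: straight
// double quotes become the numeric entities for curly quotes. Not the real thing.
function texturizeQuotes(text) {
  let opening = true;
  return text.replace(/"/g, () => {
    const entity = opening ? '&#8220;' : '&#8221;';
    opening = !opening;
    return entity;
  });
}

// Constructed template fragments; the markup and class name are illustrative.
const RAW_TEMPLATE = '<div class="wp-playlist-caption">{{{ data.title }}}</div>';
const ESCAPED_TEMPLATE = '<div class="wp-playlist-caption">{{ data.title }}</div>';

// What the revert left in place: raw interpolation, so markup in the title runs.
function renderRaw(title) {
  return render(RAW_TEMPLATE, { title });
}

// Escape on output in the template, which is what the ticket wants.
function renderEscaped(title) {
  return render(ESCAPED_TEMPLATE, { title });
}

// Before the final fix: the JSON carried texturized (display) data, and {{ }}
// then escaped the entities a second time, so "&#8220;" showed up literally.
function renderEscapedTexturized(title) {
  return renderEscaped(texturizeQuotes(title));
}

// Constructed inputs, not taken from the ticket.
const ATTACKER_TITLE = '<img src=x onerror=alert(document.cookie)>';
const QUOTED_TITLE = 'Track "one"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw     :', renderRaw(ATTACKER_TITLE));             // markup reaches the DOM
  console.log('escaped :', renderEscaped(ATTACKER_TITLE));         // inert text
  console.log('double  :', renderEscapedTexturized(QUOTED_TITLE)); // &amp;#8220; shown literally
  console.log('fixed   :', renderEscaped(QUOTED_TITLE));           // &quot;one&quot; renders as "one"
}
```

The design point the ticket lands on is visible in the last two calls: once the JSON carries the unmodified title, `{{ }}` alone produces markup that is both safe and displays correctly, and any texturizing belongs on the display side after escaping, not in the data the template receives.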