Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#27710 closed defect (bug) (fixed)

Playlist titles must be escaped or sanitized in templates

Reported by: nacin
Owned by: nacin
Milestone: 3.9
Priority: high
Severity: major
Version: 3.9
Component: Media
Keywords: has-patch
Focuses:
Cc:

Description

[27868] escaped data.title in playlists. [27960] reverted it. However, it allows for XSS within the editor. Our rule, designed as defense-in-depth, is that even an admin with unfiltered HTML cannot cause admin-area XSS.

We would have to go between {{ and {{{ based on is_admin(), I guess. I don't love that, either. It also means HTML will be represented as HTML rather than rendered (not a big deal). I don't know the solution for this. We can figure it out during 3.9 RC.

Attachments (1)

27710.diff (1.2 KB) - added by wonderboymusic 7 years ago.

Change History (3)

@wonderboymusic
7 years ago

#1 @wonderboymusic
7 years ago

  • Keywords has-patch added

Turns out, this was a problem for caption and description as well - let's just not call wptexturize() and the Underscore templates can escape them and we can all move on. Plus, the JSON represents data, not display state, anyways.

Last edited 7 years ago by wonderboymusic
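The two interpolation forms the description weighs ({{ vs {{{) and the wptexturize() double-encoding wonderboymusic points to, as an added example that is not code from the ticket, its patch, or WordPress itself: a minimal renderer modelled on wp.template()'s delimiters, with `texturize()` a crude stand-in for the entity output of wptexturize() and the playlist title a constructed sample.

```javascript
// Added example, not WordPress code: a tiny stand-in for the two interpolation
// forms of wp.template() so the escaping behaviour from the ticket runs offline.
// Assumption: {{{ expr }}} inserts raw HTML, {{ expr }} inserts escaped text.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve a "data.title" style path against the template's data object.
function lookup(data, path) {
  return path.trim().split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), { data });
}

// Render a template: raw interpolation first, then the escaped form.
function render(template, data) {
  return template
    .replace(/\{\{\{([\s\S]+?)\}\}\}/g, (_, expr) => String(lookup(data, expr) ?? ''))
    .replace(/\{\{([^}]+?)\}\}(?!\})/g, (_, expr) => escapeHtml(lookup(data, expr) ?? ''));
}

// Crude stand-in for the part of wptexturize() that matters here: it turns
// quotes and ampersands into HTML entities, i.e. it produces display markup.
function texturize(text) {
  return text.replace(/&/g, '&amp;').replace(/"([^"]*)"/g, '&#8220;$1&#8221;');
}

const ESCAPED_TEMPLATE = '<div class="wp-playlist-caption">{{ data.title }}</div>';
const RAW_TEMPLATE     = '<div class="wp-playlist-caption">{{{ data.title }}}</div>';

// Constructed sample title containing quote, ampersand and tag characters.
const title = '"Rock" & Roll <b>mix</b>';

// 1) {{{ }}}: whatever the JSON carries lands in the DOM unchanged (the admin-area XSS risk).
function renderRaw() { return render(RAW_TEMPLATE, { title }); }

// 2) {{ }} over untexturized data: markup is displayed as literal text.
function renderEscaped() { return render(ESCAPED_TEMPLATE, { title }); }

// 3) {{ }} over already-texturized data: entities are escaped a second time,
//    which is why the fix drops wptexturize() and leaves escaping to the template.
function renderDoubleEncoded() { return render(ESCAPED_TEMPLATE, { title: texturize(title) }); }
```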

#2 @nacin
7 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 28050:

Escape playlist data in templates.

props wonderboymusic.
fixes #27710.
