Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#29259 closed defect (bug) (duplicate)

post_class filter can introduce non-escaped output

Reported by: shadyvb's profile shadyvb Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.0
Component: Posts, Post Types Keywords:
Focuses: template Cc:


Currently post_class filter is executed after using esc_attr to escape existing classes, and thus newly added classes are not escaped properly.

Excerpt from get_post_class

$classes = array_map('esc_attr', $classes);

 * Filter the list of CSS classes for the current post.
 * @since 2.7.0
 * @param array  $classes An array of post classes.
 * @param string $class   A comma-separated list of additional classes added to the post.
 * @param int    $post_id The post ID.
$classes = apply_filters( 'post_class', $classes, $class, $post->ID );

return array_unique( $classes );

I think we should escape after applying the filter, not before, since a snippet like the following can exploit the code and break output:

add_filter( 'post_class', function( $classes ){
    $classes[] = '" data-foo="bar'; // sneaking in some data attributes
    // OR
    $classes[] = '">some evil stuff here'; // nasty!
    return $classes;
} );

Attachments (1)

29259.diff (582 bytes) - added by shadyvb 10 years ago.
patch for post_class delayed filter

Download all attachments as: .zip

Change History (2)

10 years ago

patch for post_class delayed filter

#1 @SergeyBiryukov
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #20009.

Note: See TracTickets for help on using tickets.