Plugin version, etc. not sanitized like description is
Reported by: Viper007Bond | Owned by: markjaquith
We sanitize plugin descriptions with kses, so why not the version and such?
Try this in a plugin for example:
Now of course plugin authors could just put bad JS into the plugin itself, so this isn't really a security ticket, more a "let's-do-the-same-thing-to-all-fields" ticket (either sanitize them all or none).
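As an added illustration of the "sanitize them all" option (not WordPress core code and not the reporter's snippet): parse a plugin file header the way the plugin loader does and run every field through the same allowlist filter instead of only Description. `strip_tags()` stands in for `wp_kses()` so the script runs with plain `php` outside WordPress; the header list and the allowed-tag set are assumptions chosen for the example.

```php
<?php
// Added example, not WordPress core code. Demonstrates applying one
// allowlist filter uniformly to every plugin header field.

// Header fields read from the top of the main plugin file (assumed subset).
const PLUGIN_HEADERS = array(
    'Name'        => 'Plugin Name',
    'Version'     => 'Version',
    'Description' => 'Description',
    'Author'      => 'Author',
);

// Tags kept in any field; everything else (including <script>) is dropped.
// Assumption: a small inline set comparable to what kses allows in descriptions.
const ALLOWED_TAGS = '<a><abbr><acronym><code><em><strong>';

function parse_plugin_headers(string $file_data): array {
    $out = array();
    foreach (PLUGIN_HEADERS as $field => $label) {
        // Match "Label: value" on its own line inside the header comment block.
        $pattern = '/^[ \t\/*#@]*' . preg_quote($label, '/') . ':(.*)$/mi';
        $out[$field] = preg_match($pattern, $file_data, $m) ? trim($m[1]) : '';
    }
    return $out;
}

function sanitize_plugin_headers(array $headers): array {
    // The ticket's point: the same filter for Version, Author, etc., not just
    // Description. Like kses, strip_tags() removes tags but keeps their text.
    foreach ($headers as $field => $value) {
        $headers[$field] = strip_tags($value, ALLOWED_TAGS);
    }
    return $headers;
}

// Constructed sample header with markup in fields other than Description.
$sample = <<<'EOT'
<?php
/*
Plugin Name: Example <strong>Plugin</strong>
Version: 1.0<script>alert(1)</script>
Description: A <em>harmless</em> description with a <script>alert(2)</script> tag.
Author: Someone <script>alert(3)</script>
*/
EOT;

$clean = sanitize_plugin_headers(parse_plugin_headers($sample));
foreach ($clean as $field => $value) {
    printf("%-12s %s\n", $field . ':', $value);
}
```

The Version field comes out as `1.0alert(1)` and the `<strong>`/`<em>` markup survives, showing that the remaining text is inert while the same allowlist governs every field.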
Change History (7)
comment:1 markjaquith — 7 years ago
- Keywords needs-patch added
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned