Opened 18 years ago
Closed 18 years ago
#3937 closed defect (bug) (fixed)
All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()
| Reported by: | markjaquith | Owned by: | |
|---|---|---|---|
| Milestone: | 2.0.10 | Priority: | highest omg bbq |
| Severity: | critical | Version: | 2.2 |
| Component: | Security | Keywords: | security |
| Focuses: | | Cc: | |
Description
The add_query_arg() and remove_query_arg() functions do not generate XSS-proof URLs by default (because their output can also be used to redirect to the resultant URL). But all browser-bound outputs of these functions must be sanitized before being echoed. attribute_escape() is the function that escapes content used in attributes (and URLs are almost always used in attributes, like `<a href="<?php echo attribute_escape(add_query_arg('foo', 'value', $initial_url)); ?>">link</a>`).
XSS exploits have been tied to this vulnerability:
Triple milestone here:
- trunk
- 2.0.x
- 2.1.x
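The following is an added example illustrating the ticket's point; it is not WordPress code and not part of the original report. `demo_add_query_arg()` is a deliberately minimal stand-in written for this illustration (it assumes, as an assumption for the demo, that the base URL defaults to `$_SERVER['REQUEST_URI']` and that the argument is appended without re-encoding the existing URL), and `demo_attribute_escape()` approximates attribute escaping with PHP's `htmlspecialchars()`. The request URI is a constructed attacker input.

```php
<?php
// Added example for ticket #3937. Not WordPress's add_query_arg() or
// attribute_escape(); both helpers below are simplified stand-ins
// written for this demonstration (assumption, see lead-in).

// Minimal stand-in: append one query argument to a base URL. Like the
// real function, it returns a URL that is NOT HTML-escaped, because the
// same value may also be sent in a Location: header for a redirect.
function demo_add_query_arg(string $key, string $value, ?string $url = null): string
{
    // Assumption for the demo: no explicit URL means "the current request".
    $url = $url ?? $_SERVER['REQUEST_URI'];
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . rawurlencode($key) . '=' . rawurlencode($value);
}

// Stand-in for attribute_escape(): make a string safe inside a quoted
// HTML attribute (encodes & < > " ').
function demo_attribute_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed attacker request: the query string closes the href
// attribute and injects a script tag.
$_SERVER['REQUEST_URI'] = '/wp-admin/edit.php?"><script>alert(1)</script>';

$href = demo_add_query_arg('paged', '2');

// Vulnerable: the browser-bound URL is echoed raw into an attribute.
// The attacker's quote terminates href and the script tag becomes markup.
$vulnerable = '<a href="' . $href . '">Next</a>';

// Hardened: escape once, at the point where the URL enters HTML.
// The quote becomes &quot; and the angle brackets &lt;/&gt;, so the
// whole value stays inside the attribute; & becomes &amp;, which is
// the correct form for a URL inside an HTML attribute.
$safe = '<a href="' . demo_attribute_escape($href) . '">Next</a>';

// Check: the raw <script> tag must only survive in the vulnerable output.
function demo_contains_script_tag(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

echo "vulnerable: ", $vulnerable, "\n";
echo "safe:       ", $safe, "\n";
echo "vulnerable has live <script>: ", var_export(demo_contains_script_tag($vulnerable), true), "\n";
echo "safe has live <script>:       ", var_export(demo_contains_script_tag($safe), true), "\n";

// The unescaped $href is still the right value for a redirect, e.g.
// header('Location: ' . $href);  -- which is why the URL builder itself
// does not escape and the caller must escape at each HTML output site.
```

The practical rule the ticket states: escape at the output site, not inside the URL builder. Grepping a code base for `echo add_query_arg(` or `echo remove_query_arg(` (and `<?php echo` inside `href="` / `action="`) is a quick way to find the browser-bound call sites that still need wrapping.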
Attachments (1)
- Patch for entire /wordpress/ family
Change History (2)