Opened 8 years ago

Closed 8 years ago

#3937 closed defect (bug) (fixed)

All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()

Reported by: markjaquith
Owned by:
Milestone: 2.0.10
Priority: highest omg bbq
Severity: critical
Version: 2.2
Component: Security
Keywords: security
Focuses:
Cc:

Description

The add_query_arg() and remove_query_arg() functions do not generate XSS-proof URLs by default (because their output can also be used to redirect to the resultant URL). But all browser-bound outputs of these functions must be sanitized before being echoed. attribute_escape() is the function that escapes content used in attributes (and URLs are almost always used in attributes, like <a href="<?php echo attribute_escape(add_query_arg('foo', 'value', $initial_url)); ?>">link</a>).

XSS exploits have been tied to this vulnerability:

Triple milestone here:

  • trunk
  • 2.0.x
  • 2.1.x

Attachments (1)

add_query_arg_output_sanitization.001.diff (13.6 KB) - added by markjaquith 8 years ago.
Patch for entire /wordpress/ family


Change History (2)

@markjaquith 8 years ago

Patch for entire /wordpress/ family

comment:1 @markjaquith 8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5007]) Sanitize browser-bound add_query_arg() outputs. fixes #3937
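
Added example, not part of the ticket or its patch: the before/after of the escaping rule from the description, runnable outside WordPress. demo_add_query_arg() and demo_attribute_escape() are simplified hypothetical stand-ins for the core functions (the second built on PHP's htmlspecialchars()), and the URL is constructed sample input.

```php
<?php
// Stand-ins (assumptions) so this runs without WordPress. The real
// add_query_arg() and attribute_escape() are WordPress core functions.
function demo_add_query_arg(string $key, string $value, string $url): string {
    // Appends one key=value pair. As the ticket notes for the real
    // function, the result is a plain URL with no HTML escaping applied.
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . $key . '=' . $value;
}

function demo_attribute_escape(string $text): string {
    // Encodes the characters that are significant inside an HTML attribute.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a URL whose existing query string already
// contains a double quote and markup.
$initial_url = '/wp-admin/edit.php?s="><b>injected</b>';
$url = demo_add_query_arg('foo', 'value', $initial_url);

// Before the fix: the raw URL is echoed into href, so the quote ends the
// attribute and the rest of the URL is parsed as page markup.
$before = '<a href="' . $url . '">link</a>';

// After the fix: the URL is escaped at the point of output.
$escaped = demo_attribute_escape($url);
$after = '<a href="' . $escaped . '">link</a>';

// Redirect context: the unescaped URL is what belongs in a Location
// header, which is why escaping happens at output and not inside
// add_query_arg() itself.
$location = 'Location: ' . $url;

// Checks a reviewer can run on both forms.
$checks = [
    'raw output contains a live <b> tag'     => strpos($before, '<b>') !== false,
    'escaped output contains a live <b> tag' => strpos($after, '<b>') !== false,
    // A browser decodes entities in the attribute, so the link target is
    // unchanged by escaping.
    'escaped href decodes back to the URL'   =>
        html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $url,
];

echo $before, PHP_EOL, $after, PHP_EOL, $location, PHP_EOL;
foreach ($checks as $label => $result) {
    echo $label, ': ', var_export($result, true), PHP_EOL;
}
```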