Changes between Version 2 and Version 3 of Ticket #43438, comment 44
Timestamp: 05/01/2018 12:31:26 PM (8 years ago)
Ticket #43438, comment 44
Modified:
- (v2) An additional important thing here is that we need to sanitize the exporter/eraser friendly name.
+ (v3) An additional important thing here is that we need to sanitize/escape the exporter/eraser friendly name.

Unmodified:
We don't want it to contain HTML and stuff, but currently it goes through.

…

Unmodified:
The {{{wp_send_json_error()}}} is a wrapper for {{{wp_send_json()}}} that uses {{{wp_encode_json()}}}.

Modified:
- (v2) What comes to mind are {{{esc_js()}}} and {{{wp_encode_json()}}}, but I'm thinking {{{sanitize_text_field()}}} on {{{$exporter['exporter_friendly_name']}}} should do it here.
+ (v3) What comes to mind are {{{esc_js()}}}, {{{esc_html()}}} and {{{wp_encode_json()}}} but I'm thinking {{{sanitize_text_field()}}} on {{{$exporter['exporter_friendly_name']}}} should do it here.

Unmodified:
What do you think?

Added (v3):
ps: I did some testing here:

{{{
Raw friendly name:
WordPress Comments " \' \ - & & <b>Hello</b> <script>alert(1)</script>

sanitize_text_field:
<li>Exporter does not include a callback: WordPress Comments " ' \ - & & Hello.</li>

esc_html:
<li>Exporter does not include a callback: WordPress Comments " ' \ - & & <b>Hello</b> <script>alert(1)</script>.</li>

esc_js:
<li>Exporter does not include a callback: WordPress Comments " \' - & & <b>Hello</b> <script>alert(1)</script>.</li>

esc_html + sanitize_text_field:
<li>Exporter does not include a callback: WordPress Comments " ' \ - & & Hello.</li>

esc_js + sanitize_text_field:
<li>Exporter does not include a callback: WordPress Comments " \' - & & Hello.</li>

wp_json_encode:
<li>Exporter does not include a callback: "WordPress Comments \" ' \\ - & & <b>Hello<\/b> <script>alert(1)<\/script>".</li>
}}}
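An added example, not from the ticket or from WordPress core, that models the distinction the comment draws between sanitizing the stored friendly name and escaping it for the context it is written into. It assumes simplified stand-ins: a regex tag stripper in place of `sanitize_text_field()`, Python's `html.escape` in place of `esc_html()`, and `json.dumps` in place of `wp_json_encode()`; the raw friendly name is the one from the test above.

```python
import html
import json
import re

# Constructed input: the raw friendly name used in the ticket's test above.
RAW_FRIENDLY_NAME = r'''WordPress Comments " \' \ - & & <b>Hello</b> <script>alert(1)</script>'''
MESSAGE = "Exporter does not include a callback: {}."

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]*>")

def sanitize_text(value: str) -> str:
    """Simplified stand-in for sanitize_text_field() (assumption, not WP's code):
    drop script elements with their content, strip other tags, collapse spaces.
    Quotes, backslashes and ampersands survive, so the result is still raw data."""
    value = SCRIPT_RE.sub("", value)
    value = TAG_RE.sub("", value)
    return " ".join(value.split())

def render_html_li(friendly_name: str) -> str:
    """Output escaping for an HTML text node, the role esc_html() plays."""
    return "<li>{}</li>".format(MESSAGE.format(html.escape(friendly_name, quote=True)))

def render_json_error(friendly_name: str) -> str:
    """Output escaping for the JSON body wp_send_json_error() emits
    (json.dumps stands in for wp_json_encode(); PHP additionally writes '/'
    as '\\/', which does not change the decoded value)."""
    return json.dumps({"success": False, "data": MESSAGE.format(friendly_name)})

def has_script_element(markup: str) -> bool:
    """True if the text would create a <script> element when parsed as HTML."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None

def demo(friendly_name: str = RAW_FRIENDLY_NAME) -> dict:
    """Run the name through each treatment; the JSON case decodes the body the
    way a client would before inserting it into the page, showing that JSON
    escaping alone leaves the markup intact for the HTML context."""
    json_data = json.loads(render_json_error(friendly_name))["data"]
    return {
        "sanitized": sanitize_text(friendly_name),
        "html": render_html_li(friendly_name),
        "json_decoded_data": json_data,
        "json_still_has_script": has_script_element(json_data),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```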