#44054 closed defect (bug) (fixed)
Privacy: Escape the comment link output in the wp_comments_personal_data_exporter() function.
Reported by: | birgire | Owned by: | iandunn |
---|---|---|---|
Milestone: | 4.9.6 | Priority: | normal |
Severity: | normal | Version: | 5.1 |
Component: | Privacy | Keywords: | gdpr fixed-major commit dev-reviewed |
Focuses: | Cc: |
Description
In the wp_comments_personal_data_exporter()
function we have (src):
$value = get_comment_link( $comment->comment_ID ); $value = '<a href="' . $value . '" target="_blank" rel="noreferrer noopener">' . $value . '</a>';
but it looks like the escaping is missing here.
Also the output of get_comment_link()
is filterable and not escaped.
We could consider instead:
$value = get_comment_link( $comment->comment_ID ); $value = sprintf( '<a href="%1$s" target="_blank" rel="noreferrer noopener">%2$s</a>', esc_url( $value ), esc_html( $value ) );
Attachments (1)
Change History (12)
#2
@
6 years ago
- Component changed from General to Administration
- Milestone changed from Awaiting Review to 4.9.6
- Owner set to iandunn
- Status changed from new to accepted
Thanks for catching that!
At first glance, I don't see any way for an attacker to introduce malicious input to that URL (unless a plugin is filtering it and introduces some). Even if there were a way, the malicious script would execute in the context of localhost
on the target's computer, rather than the site it was exported from, which I think would mitigate a lot of the damage it could do.
We should definitely still fix it, though.
In the future, it's best to report any security issues to HackerOne, even if they're only present in trunk
or a beta/RC. There are some high-profile sites that run trunk
or the latest branch in production.
#4
@
6 years ago
- Keywords fixed-major added; has-patch removed
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening for 4.9 backport consideration.
#5
@
6 years ago
@iandunn thanks for the heads-up, I actually didn't consider this a real security issue when I posted, but I will keep that in mind.
44054.diff adds escaping as described above.