Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#51611 new enhancement

Escape echoing Core functions

Reported by: lolamax
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Hi,

Is there a reason why core functions like the_archive_title() and the_archive_description() echo output without escaping?

In wp-admin/profile.php the display_name and the author_meta('description') are stored from user input – which will be output in archive.php if is_author(), by these functions (e.g. Twenty Seventeen, Twenty Nineteen) – without escaping.

Wouldn't it be better to escape the output within these functions?

Best regards
Max

Change History (1)

#1 @lolamax
4 years ago

Some more testing results in the following:

  1. the_archive_title() is not related, as it does escape the output (not at the final stage, but within the called functions)!
  2. Twenty Nineteen is a bad example, as it only uses the_archive_title() in archive.php!
  3. After testing the_archive_description() in Twenty Seventeen with an XSS string as author description, I can confirm that it does not escape the output!

Although the input is properly sanitized and direct database access is needed in order to actually exploit it, in my opinion it would be better to escape it.
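As an added illustration (not code from the ticket or from WordPress core), the following archive.php fragment shows the pattern the comment describes beside a late-escaped variant; it assumes a theme context where get_the_archive_description() and wp_kses_post() are available.

```php
<?php
// Added example, not part of the ticket. Assumes a WordPress theme context.

if ( is_author() ) :
    // Pattern discussed in the ticket: the_archive_description() echoes the
    // stored author bio directly. Whatever is in the database is rendered
    // as-is, so the template relies entirely on the value being clean.
    ?>
    <div class="taxonomy-description">
        <?php the_archive_description(); ?>
    </div>
    <?php

    // Late escaping: fetch the same value with get_the_archive_description()
    // and pass it through wp_kses_post() before echoing. wp_kses_post() keeps
    // the HTML allowed in post content but strips script tags and on* event
    // handler attributes, so the output is safe regardless of how the value
    // reached the database (profile form or direct database access).
    $description = get_the_archive_description();
    if ( $description ) :
        ?>
        <div class="taxonomy-description">
            <?php echo wp_kses_post( $description ); ?>
        </div>
        <?php
    endif;
endif;
```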
