Opened 4 years ago
Last modified 4 years ago
#51611 new enhancement
Escape echoing Core functions
| Reported by: | lolamax | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi,
Is there a reason why core functions like the_archive_title() and the_archive_description() echo output without escaping?
In wp-admin/profile.php, the display_name and the author_meta('description') are stored from user input, which is then output in archive.php when is_author() by these functions (e.g. in Twenty Seventeen and Twenty Nineteen), without escaping.
Wouldn't it be better to escape the output within these functions?
Best regards
Max
Some more testing results in the following:
Although the input is properly sanitized and direct database access is needed in order to actually exploit it, in my opinion it would be better to escape it.
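The pattern the ticket describes, as an added stand-alone illustration that is not WordPress core code and not part of the ticket: a value is sanitized when saved from the profile form, but the template helper later concatenates and echoes it without escaping. The save-time sanitizer is modelled with strip_tags (an assumption, not WordPress's actual filter chain), the users table is a constructed array, and the function names ending in _unescaped / _escaped are hypothetical stand-ins for the_archive_title(). The second scenario shows what the follow-up comment points at: a value written to the database by a path that skips the save-time sanitizer.

```php
<?php
// Added example, not WordPress core code. Models the ticket's concern:
// sanitize-on-input alone leaves the output path dependent on every
// write path having run the same sanitizer.

// Constructed stand-in for the wp_users / wp_usermeta rows.
$users = [
    42 => ['display_name' => 'Max', 'description' => 'Writes about WP.'],
];

// Stand-in for the save path in wp-admin/profile.php. The real filter chain
// differs; strip_tags is an assumption used only so this runs stand-alone.
function save_display_name(array &$users, int $id, string $raw): void
{
    $users[$id]['display_name'] = trim(strip_tags($raw));
}

// Mirrors the pattern the ticket objects to: fetch the stored value,
// wrap it in $before / $after, and emit it as-is.
function the_archive_title_unescaped(array $users, int $id, string $before = '<h1>', string $after = '</h1>'): string
{
    return $before . $users[$id]['display_name'] . $after;
}

// Late escaping: escape at the point of output, whatever the write path did.
// WordPress's esc_html() is essentially htmlspecialchars() with ENT_QUOTES;
// the plain PHP call is used here so the script needs no WordPress install.
function the_archive_title_escaped(array $users, int $id, string $before = '<h1>', string $after = '</h1>'): string
{
    $safe = htmlspecialchars($users[$id]['display_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $before . $safe . $after;
}

// Scenario 1: the normal path. The save-time sanitizer strips the tag, so
// both renderers emit inert text.
save_display_name($users, 42, 'Max<script>alert(1)</script>');
echo "normal path, unescaped: ", the_archive_title_unescaped($users, 42), "\n";
echo "normal path, escaped:   ", the_archive_title_escaped($users, 42), "\n";

// Scenario 2: the bypass path the follow-up comment mentions. The row is
// changed directly (think: UPDATE on wp_users, an import, or a plugin that
// writes the column itself), so the save-time sanitizer never ran.
$users[42]['display_name'] = 'Max<img src=x onerror=alert(1)>';
echo "bypass path, unescaped: ", the_archive_title_unescaped($users, 42), "\n"; // markup reaches the browser
echo "bypass path, escaped:   ", the_archive_title_escaped($users, 42), "\n"; // markup is rendered as text
```

Run it with `php escape-demo.php`. The second pair of lines is the whole argument for escaping in the echoing function: the renderer cannot know which path wrote the row, so the only place every path converges is the output. Note that the two values the ticket names want different escapers: display_name is plain text and fits esc_html(), while the author description legitimately carries limited markup, so the matching output filter there is wp_kses_post() rather than esc_html().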